Skip to content

JS: add model for chrome-remote-interface as a ClientRequest #2828

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Feb 14, 2020
Merged

JS: add model for chrome-remote-interface as a ClientRequest #2828

merged 3 commits into from
Feb 14, 2020

Conversation

@erik-krogh
Copy link
Contributor

chrome-remote-interface is a somewhat often used library for remote controlling browsers.

In CVE-2017-18355 the library was used to request a user controlled URL, and the contents of the URL was returned to the user. This allowed an arbitrary file read (by starting the URL with file://).

To support the CVE we only need to add a sink.

There are two options for which query the sink belongs to: js/path-injection or js/request-forgery.

I've chosen to model the sink as a ClientRequest, as the sink sends a network request to an arbitrary URL, and the query is therefore js/request-forgery.

Here are some example projects that use the sink: https://lgtm.com/query/5288831567363067439/

@erik-krogh erik-krogh added JS Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish labels Feb 13, 2020
@erik-krogh erik-krogh requested a review from a team as a code owner February 13, 2020 09:58
esbena
esbena requested changes Feb 13, 2020
View reviewed changes
Copy link
Contributor

@esbena esbena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Almost LGTM.

We need a test case for this model, and I would prefer to have the ad hoc promise flow steps exposed in a more accessible way, but I can be satisfied with a team-issue that promises to do that later.

@erik-krogh
Copy link
Contributor Author

Evaluation is another instance of a huge speedup measured by the wall clock, but DPM telling us that nothing really happened.

@erik-krogh erik-krogh removed the Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish label Feb 14, 2020
@semmle-qlci semmle-qlci merged commit da566a4 into github:master Feb 14, 2020
@snyk-bot snyk-bot mentioned this pull request Jun 23, 2021
Open
@snyk-bot snyk-bot mentioned this pull request Jan 13, 2022
Open
@aliscco aliscco mentioned this pull request Sep 23, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@esbena esbena esbena approved these changes

Assignees

No one assigned

Labels

JS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@erik-krogh @esbena @semmle-qlci