<!DOCTYPE qhelp PUBLIC

"-//Semmle//qhelp//EN"

"qhelp.dtd">

<qhelp>

<overview>

<p>

Including functionality from an external source via an http link may

allow an attacker to inject malicious code via a MITM (man-in-the-middle) attack.

</p>

</overview>

<recommendation>

<p>

When including external pages or behaviour, use <em>https</em> links (instead of http)

to be certain that you are getting a response from the intended server, not

someone else.

</p>

<p>

Using http links is unsafe because the request sent may be intercepted by an attacker,

and malicious data may be sent back in reply.

</p>

</recommendation>

<references>

<li>

MDN — Subresource Integrity: <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity">

</li>

</references>

</qhelp>

import javascript

import semmle.javascript.HTML

bindingset[host]

predicate isAllowedHost(string host) { host.toLowerCase().regexpMatch("localhost(:[0-9]+)?/.*") }

bindingset[path]

predicate isUntrustedSourcePath(string path) {

path.substring(0, 2) = "//"

or

exists(string hostPath | hostPath = path.regexpCapture("http://(.*)", 1) |

not isAllowedHost(hostPath)

)

abstract class IncludesUntrustedContent extends HTML::Element {

IncludesUntrustedContent() { this = this }

/** Gets an explanation why this source is untrusted. */

abstract string getProblem();

class ScriptElementWithUntrustedContent extends IncludesUntrustedContent, HTML::ScriptElement {

ScriptElementWithUntrustedContent() {

isUntrustedSourcePath(this.getSourcePath()) and

not exists(string digest | not digest = "" | this.getIntegrityDigest() = digest)

}

override string getProblem() {

result = "script elements should use an https link and/or use the integrity attribute"

}

class IframeElementWithUntrustedContent extends HTML::IframeElement, IncludesUntrustedContent {

IframeElementWithUntrustedContent() { isUntrustedSourcePath(this.getSourcePath()) }

override string getProblem() { result = "iframe elements should use an https link" }

from IncludesUntrustedContent s, string problem

where problem = s.getProblem()

select s, "HTML-element imports untrusted content (" + problem + ")"

| test.html:6:9:6:56 | <script>...</> | HTML-element imports untrusted content (script elements should use an https link and/or use the integrity attribute) |

| test.html:9:9:9:58 | <iframe>...</> | HTML-element imports untrusted content (iframe elements should use an https link) |

| test.html:11:9:11:53 | <iframe>...</> | HTML-element imports untrusted content (iframe elements should use an https link) |

Security/CWE-830/FunctionalityFromUntrustedSource.ql

<head>

</head>

<body>

<script src="http://test.local/foo.js"></script>> <!-- NOT OK -->

<script src="http://test.local/foo.js" integrity="some-integrity-hash"></script>> <!-- OK (integrity digest present) -->

<script src="https://test.local/bar.js"></script>> <!-- OK (https) -->

<iframe src="http://test.local/foo.html"></iframe> <!-- NOT OK -->

<iframe src="https://test.local/foo.html"></iframe> <!-- OK (https) -->

<iframe src="//test.local/foo.html"></iframe> <!-- NOT OK (protocol-relative url) -->

</body>