polish qhelp for CWE-830 and add test file

Stephan Brandauer · Stephan Brandauer · commit 9aec4437e270 · 2022-02-22T11:41:53.000+01:00
diff --git a/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.qhelp b/javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.qhelp
@@ -5,7 +5,7 @@
 	<overview>
 		<p>
 
-			Including functionality from an external source via an http link may
+			Including functionality from an external source via an http URL may
 			allow an attacker to inject malicious code via a MITM (man-in-the-middle) attack.
 
 		</p>
@@ -15,16 +15,33 @@
 	<recommendation>
 		<p>
 
-			When including external pages or behaviour, use <em>https</em> links (instead of http)
-			to be certain that you are getting a response from the intended server, not
-			someone else.
+			When including external pages or behaviour, use <em>https</em> URLs to make sure you're
+			getting the intended data, or users will be vulnerable to MITM attacks.
 
 		</p>
 
 		<p>
 
-			Using http links is unsafe because the request sent may be intercepted by an attacker,
-			and malicious data may be sent back in reply.
+			When including external behaviour in iframe or script elements, using http URLs is
+			unsafe because the request sent may be intercepted by an attacker, and malicious data
+			may be sent back in reply.
+
+		</p>
+
+
+		<p>
+
+			Even when https is used, an attacker might still compromise the server the page is
+			receving data from.
+
+			When including scripts from a CDN (content-delivery network), it is therefore recommended
+			to set the integrity-attribute on the script tag to the hash of the script you're expecting
+			to receive.
+
+			This makes it impossible for an attacker to inject any code into the page, because the
+			integrity check would fail &mdash; even when the CDN is compromised.
+
+			See the reference on Subresource Integrity for more information.
 
 		</p>
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-830/StaticCreationOfUntrustedSourceUse.html b/javascript/ql/test/query-tests/Security/CWE-830/StaticCreationOfUntrustedSourceUse.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+    <head>
+    </head>
+    <body>
+        <script src="http://test.local/foo.js"></script>> <!-- NOT OK -->
+        <script src="http://test.local/foo.js" integrity="some-integrity-hash"></script>>  <!-- OK (integrity digest present) -->
+        <script src="https://test.local/bar.js"></script>> <!-- OK (https) -->
+        <iframe src="http://test.local/foo.html"></iframe> <!-- NOT OK -->
+        <iframe src="https://test.local/foo.html"></iframe> <!-- OK (https) -->
+        <iframe src="//test.local/foo.html"></iframe> <!-- OK (protocol-relative url is allowed as a http url of 
+            the page is vulnerable in the first place) -->
+        <iframe src="http://::1/foo.html"></iframe> <!-- OK (localhost) -->
+        <iframe src="http://[::1]:80/foo.html"></iframe> <!-- OK (localhost) -->
+        <iframe src="http://127.0.0.1:444/foo.html"></iframe> <!-- OK (localhost) -->
+
+        <!-- Some CDNs recommend using the integrity attribute — for those, we demand it even with https links -->
+        <!-- OK (digest present) -->
+        <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js" integrity="sha512-7oYXeK0OxTFxndh0erL8FsjGvrl2VMDor6fVqzlLGfwOQQqTbYsGPv4ZZ15QHfSk80doyaM0ZJdvkyDcVO7KFA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+        <!-- NOT OK (digest missing) -->
+        <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+    </body>
+</html>
