

author
Max Schaefer
committed
JavaScript: Refactor HostHeaderPoisoningInEmailGeneration query.
1 parent c51cd50 commit 9b4ae9e

2 files changed

Lines changed: 33 additions & 18 deletions


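--- a/HostHeaderPoisoningInEmailGeneration.ql
+++ b/HostHeaderPoisoningInEmailGeneration.ql
@@ -1,29 +1,18 @@
 /**
 * @name Host header poisoning in email generation
-* @description Using the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens.
+* @description Using the HTTP Host header to construct a link in an email can facilitate phishing
+* attacks and leak password reset tokens.
 * @kind problem
 * @problem.severity error
 * @precision high
 * @id js/host-header-forgery-in-email-generation
 * @tags security
 * external/cwe/cwe-640
 */
-import javascript
-
-class TaintedHostHeader extends TaintTracking::Configuration {
-TaintedHostHeader() { this = "TaintedHostHeader" }
 
-override predicate isSource(DataFlow::Node node) {
-exists (HTTP::RequestHeaderAccess input | node = input |
-input.getKind() = "header" and
-input.getAHeaderName() = "host")
-}
-
-override predicate isSink(DataFlow::Node node) {
-exists (EmailSender email | node = email.getABody())
-}
-}
+import javascript
+import semmle.javascript.security.dataflow.HostHeaderPoisoningInEmailGeneration::HostHeaderPoisoningInEmailGeneration
 
-from TaintedHostHeader taint, DataFlow::Node src, DataFlow::Node sink
-where taint.hasFlow(src, sink)
-select sink, "Links in this email can be hijacked by poisoning the HTTP host header $@.", src, "here"
+from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
+where cfg.hasFlow(source, sink)
+select sink, "Links in this email can be hijacked by poisoning the HTTP host header $@.", source, "here"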
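--- /dev/null
+++ b/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGeneration.qll
@@ -0,0 +1,26 @@
+/**
+* Provides a taint tracking configuration for reasoning about host header
+* poisoning in email generation.
+*/
+
+import javascript
+
+module HostHeaderPoisoningInEmailGeneration {
+/**
+* A taint tracking configuration for host header poisoning in email generation.
+*/
+class Configuration extends TaintTracking::Configuration {
+Configuration() { this = "TaintedHostHeader" }
+
+override predicate isSource(DataFlow::Node node) {
+exists (HTTP::RequestHeaderAccess input | node = input |
+input.getKind() = "header" and
+input.getAHeaderName() = "host"
+)
+}
+
+override predicate isSink(DataFlow::Node node) {
+exists (EmailSender email | node = email.getABody())
+}
+}
+}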
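Review bot: The source predicate in `isSource` only matches the literal `host` header (`input.getAHeaderName() = "host"`), so a server that derives its public hostname from `X-Forwarded-Host` or `Forwarded` — a common pattern behind reverse proxies, and equally attacker-controlled when the proxy does not strip them — is not flagged by this configuration; consider widening the source to `input.getAHeaderName() = ["host", "x-forwarded-host", "forwarded"]` (assuming `getAHeaderName()` yields lower-cased names, which should be confirmed against the library) or documenting the limitation in the class comment. Separately, the characteristic string `this = "TaintedHostHeader"` is carried over from the old class name; since configuration ids must be unique across a query suite, matching it to the new module (`this = "HostHeaderPoisoningInEmailGeneration"`) would make collisions with any other library still using the old name less likely. The sink covers only `email.getABody()`, so links placed in a subject or header field are out of scope — worth a one-line note on `isSink`.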
