github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

EmscriptenRunScriptTaint query #764

Closed spaceraccoon closed 1 week ago

spaceraccoon commented 1 year ago

Query PR

https://github.com/github/codeql/pull/13493

Language

C/C++

CVE(s) ID list

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')

Report

  1. C++ code compiled to WebAssembly using Emscripten can use several Emscripten run script functions from emscripten.h. These are dangerous because they allow the WebAssembly to execute JavaScript code directly:

     ```c
     void emscripten_run_script(const char *script)
     ```

     > Interface to the underlying JavaScript engine. This function will eval() the given script.

  2. If the exported WebAssembly function passes user-controlled input to such functions, the attacker could potentially execute arbitrary code in the underlying JavaScript engine. This is dangerous not only for WebAssembly used on the client side (XSS), but also server-side, as it can lead to remote code execution.
  3. This query looks for function parameters that are passed to these dangerous functions, because WebAssembly exported functions are written as function declarations.
  4. Yes, for example by ensuring `sink.asExpr().isConstant()`.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

No response
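The source-to-sink pattern the submission describes, as an added example that is not code from the submission or from the linked CodeQL PR: an exported function whose parameter is spliced into JavaScript source text and handed to `emscripten_run_script`, beside a hardened variant. The function names `greet_unsafe`, `greet_safe`, `greet_em_asm` and the escaper `js_string_literal` are made up for the illustration, and the attacker string in `main` is constructed. Under emcc the real `emscripten.h` is used; in a native build a stand-in `emscripten_run_script` records the script instead of eval()'ing it, so the example runs offline and the generated scripts can be inspected.

```cpp
#include <cstdio>
#include <string>

#ifdef __EMSCRIPTEN__
#include <emscripten.h>
#else
// Native build: stand-in for the real sink. emscripten_run_script() would
// eval() the string in the host JS engine; here we only record it.
#define EMSCRIPTEN_KEEPALIVE
static std::string g_last_script;
static void emscripten_run_script(const char *script) { g_last_script = script; }
#endif

// The script that last reached the stand-in sink (empty under a real
// Emscripten build, where the JS engine executed it instead).
static std::string last_script() {
#ifdef __EMSCRIPTEN__
    return std::string();
#else
    return g_last_script;
#endif
}

// Escape s so that, inside the generated script, it can only ever be the
// contents of a double-quoted JS string literal: backslash, both quote
// characters and every control byte are escaped, so no byte of s can
// terminate the literal and start a statement.
static std::string js_string_literal(const std::string &s) {
    static const char hex[] = "0123456789abcdef";
    std::string out = "\"";
    for (unsigned char c : s) {
        switch (c) {
            case '\\': out += "\\\\"; break;
            case '"':  out += "\\\""; break;
            case '\'': out += "\\'";  break;
            case '\n': out += "\\n";  break;
            case '\r': out += "\\r";  break;
            default:
                if (c < 0x20 || c == 0x7f) {        // other control bytes -> \xHH
                    out += "\\x";
                    out += hex[c >> 4];
                    out += hex[c & 0x0f];
                } else {
                    out += static_cast<char>(c);
                }
        }
    }
    out += "\"";
    return out;
}

extern "C" {

// VULNERABLE: `name` is a parameter of an exported function (the query's
// source) and is spliced verbatim into JS source text that reaches
// emscripten_run_script (the sink). A name such as
//   '; alert(document.cookie); //
// closes the string literal and runs attacker-chosen JS.
EMSCRIPTEN_KEEPALIVE void greet_unsafe(const char *name) {
    std::string js = "document.title = 'Hello, " + std::string(name) + "';";
    emscripten_run_script(js.c_str());
}

// HARDENED: the script text is a fixed template and the user data enters
// only as an escaped string literal, so it stays data and never becomes code.
EMSCRIPTEN_KEEPALIVE void greet_safe(const char *name) {
    std::string js = "document.title = 'Hello, ' + " + js_string_literal(name) + ";";
    emscripten_run_script(js.c_str());
}

#ifdef __EMSCRIPTEN__
// PREFERRED under Emscripten: keep the script constant and hand the data
// over as an argument instead of building JS source at runtime. Only
// compiles with emcc, hence the guard.
EMSCRIPTEN_KEEPALIVE void greet_em_asm(const char *name) {
    EM_ASM({ document.title = 'Hello, ' + UTF8ToString($0); }, name);
}
#endif

}  // extern "C"

int main() {
    const char *payload = "'; alert(document.cookie); //";  // constructed attacker input
    greet_unsafe(payload);
    std::printf("unsafe: %s\n", last_script().c_str());
    greet_safe(payload);
    std::printf("safe:   %s\n", last_script().c_str());
    return 0;
}
```

Two things worth noting when reading the query's results against code like this. First, `greet_safe` still has the exported parameter flowing into the sink, so a taint query that only tracks parameter-to-sink flow reports it too; the escaping is a sanitizer the query does not know about unless it is modelled. Second, the `sink.asExpr().isConstant()` refinement mentioned in the submission only removes calls whose script is a literal; `greet_em_asm`, which keeps the JavaScript constant and passes the string as an argument, is the shape that both sidesteps the sink entirely and is the idiomatic Emscripten fix.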

ghsecuritylab commented 1 year ago

Your submission is now in status Test run.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 1 year ago

Your submission is now in status Results analysis.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 1 year ago

Your submission is now in status Query review.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

Kwstubbs commented 3 months ago

Hello @spaceraccoon, the CodeQL bug bounty program is closing soon. If you are still interested in receiving the bounty, please update your CodeQL PR with the necessary steps to get it merged. If there is no activity regarding this bounty in the next month, we will go ahead and close this submission. Thank you.

Kwstubbs commented 1 week ago

Closing due to inactivity and the closure of our bounty program.