github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

[Go]: fasthttp model for XSS, SSRF, open redirect #786

Closed am0o0 closed 5 months ago

am0o0 commented 10 months ago

Query PR

https://github.com/github/codeql/pull/14123

Language

GoLang

CVE(s) ID list

CWE

No response

Report

I added SSRF sinks, user-controlled remote sources, XSS sinks, open redirect sinks, and some additional steps and sanitizers from the fasthttp package.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

No response

jorgectf commented 9 months ago

👋 @amammad

Thank you for your contribution. Unfortunately, we can't accept the submission as is, taking into account the CodeQL code quality (lack of comments, not using the reference to this, and so making the code difficult to read) and the low research done around the framework (wrong assumptions such as DoRedirects for Http::Redirect, which instead executes the request following redirects).

An improvement of the submission may have a lot of potential, let us know if you would like to work on it to keep the submission open, otherwise I will close it as rejected.
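The point raised in the comment above is easy to blur in a model: in fasthttp, `ctx.Redirect` writes a Location header into the response (an open redirect sink if the target is user-controlled), whereas `Client.DoRedirects` performs the outbound request itself and follows redirects (an SSRF sink, like `Client.Do`, which does not follow redirects). The following is an added example, not code from the submission, the CodeQL query or fasthttp; it is stdlib-only Go showing the check a defender would place in front of each sink class. The host names, the allowlist and the injected resolver are constructed so the block runs offline.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// SafeRedirectTarget reports whether target may be handed to a response
// redirect (fasthttp's ctx.Redirect) without sending the browser off-site.
// Only same-origin, absolute-path targets are accepted.
func SafeRedirectTarget(target string) bool {
	if target == "" {
		return false
	}
	// Reject protocol-relative targets ("//evil.example") and backslash
	// variants that browsers normalise to a forward slash.
	if strings.HasPrefix(target, "//") || strings.HasPrefix(target, "/\\") || strings.HasPrefix(target, "\\") {
		return false
	}
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	// Any scheme, host or opaque part means the target is not a local path.
	if u.Scheme != "" || u.Host != "" || u.Opaque != "" {
		return false
	}
	return strings.HasPrefix(u.Path, "/")
}

// AllowedOutboundURL validates a user-supplied URL before it reaches an
// HTTP client call (fasthttp's Client.Do / Client.DoRedirects). The host
// must be on an explicit allowlist and must not resolve to a loopback,
// private, link-local or unspecified address. The resolver is injected so
// the check can be tested without network access.
//
// Caveat: a redirect-following client can still be bounced by an allowed
// host to an internal address, so with DoRedirects this check must be
// repeated per hop, or redirect following must be left disabled (Do).
func AllowedOutboundURL(raw string, allowedHosts map[string]bool, resolve func(string) ([]net.IP, error)) (bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return false, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return false, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if !allowedHosts[host] {
		return false, fmt.Errorf("host %q not on allowlist", host)
	}
	ips, err := resolve(host)
	if err != nil {
		return false, err
	}
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() || ip.IsLinkLocalUnicast() {
			return false, fmt.Errorf("host %q resolves to non-public address %s", host, ip)
		}
	}
	return true, nil
}

// ConstructedResolver is a stand-in for net.LookupIP with a fixed table
// (constructed sample data, not real hosts).
func ConstructedResolver(host string) ([]net.IP, error) {
	table := map[string]string{
		"api.example":      "203.0.113.10", // public documentation range
		"internal.example": "10.0.0.5",     // private range: must be refused
	}
	if a, ok := table[host]; ok {
		return []net.IP{net.ParseIP(a)}, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}

func main() {
	allowed := map[string]bool{"api.example": true, "internal.example": true}
	for _, t := range []string{"/account", "//evil.example/", "https://evil.example/"} {
		fmt.Printf("redirect %-24q safe=%v\n", t, SafeRedirectTarget(t))
	}
	for _, u := range []string{"https://api.example/v1", "https://internal.example/", "file:///etc/hosts"} {
		ok, err := AllowedOutboundURL(u, allowed, ConstructedResolver)
		fmt.Printf("outbound %-28q allowed=%v err=%v\n", u, ok, err)
	}
}
```

The two functions map onto the two sink classes the thread separates: the first guards a value that ends up in a response Location header, the second guards a value that becomes the destination of a request the server itself makes.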

am0o0 commented 9 months ago

@jorgectf Thanks for informing me about the mistakes that I made. I'll fix the problems with this query that you've mentioned. Please let me know about any suggestion that would make the review process faster, and I'll do my best to address it.

am0o0 commented 9 months ago

@jorgectf could you please elaborate on this part ("not using the reference to this and so making the code difficult to read") a little bit more? Thanks :)

am0o0 commented 9 months ago

@jorgectf I've fixed the issues and also added some more sinks/additional steps. I provided examples for the XSS sanitizers; I also wrote the output of each sanitizer against special characters beside the code for easier review. For most of the additional steps and dangerous sinks, I tried to explain why and how some of them are dangerous or can be used. And really, I can't believe how I missed DoRedirects and misplaced it as an open redirect sink :(

jorgectf commented 9 months ago

@amammad very nice improvements! Thank you!

ghsecuritylab commented 9 months ago

Your submission is now in status Query review.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 5 months ago

Your submission is now in status Final decision.

xcorail commented 5 months ago

Created Hackerone report 2335428 for bounty 546296: [786] [Go]: fasthttp model for XSS, SSRF, open redirect

ghsecuritylab commented 5 months ago

Your submission is now in status Closed.