github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

Python: CORS Bypass #833

Open porcupineyhairs opened 1 week ago

porcupineyhairs commented 1 week ago

Query PR

https://github.com/github/codeql/pull/16814

Language

Python

CVE(s) ID list

https://github.com/advisories/GHSA-824x-jcxf-hpfg CVE-2022-3457

CWE

CWE-346

Report

This PR adds a query to detect a Cross Origin Resource Sharing (CORS) policy bypass due to an incorrect check.

This PR attempts to detect the vulnerability pattern found in CVE-2022-3457

# Vulnerable pattern from CVE-2022-3457: the Origin header is only checked as a
# string prefix of request.base instead of being compared as a whole origin.
if request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:
    origin = request.headers.get('Origin', None)
    if origin and not origin.startswith(request.base):
        raise cherrypy.HTTPError(403, 'Unexpected Origin header')

In this case, a value obtained from a header is compared using a startswith call. This comparison is easily bypassed resulting in a CORS bypass. Given that similar bugs have been found in other languages as well, I think this PR would be a great addition to the existing python query pack.

The databases for CVE-2022-3457 can be downloaded from

https://filetransfer.io/data-package/i4Mfepls#link
https://file.io/V67T4SSgmExF

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

No response
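The weak prefix comparison described in the report, placed beside an exact-match origin check, as an added illustration that is not code from the CodeQL PR or from the affected project. The base URL and the sample Origin values are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed example (not from the CodeQL PR or the vulnerable project): the
# startswith pattern from CVE-2022-3457 next to an exact-match replacement.

def origin_allowed_prefix(origin: str, base: str) -> bool:
    """Weak check: accepts any Origin that merely starts with the base URL."""
    return origin.startswith(base)

def normalize_origin(url: str):
    """Reduce a URL or Origin header to its (scheme, host, port) triple."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # e.g. the literal Origin "null" or a malformed value
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)

def origin_allowed_exact(origin: str, base: str) -> bool:
    """Hardened check: scheme, host and port of the Origin must all match base."""
    expected = normalize_origin(base)
    return expected is not None and normalize_origin(origin) == expected

# Constructed Origin values covering the cases a reviewer would test.
SAMPLE_ORIGINS = [
    "https://app.example.com",            # legitimate origin
    "https://app.example.com:443",        # same origin, explicit default port
    "https://app.example.com.other.test", # lookalike host sharing the prefix
    "https://app.example.community",      # another host sharing the prefix
    "http://app.example.com",             # scheme mismatch
    "null",                               # opaque origin sent by some contexts
]

def evaluate(base: str = "https://app.example.com"):
    """Return {origin: (prefix_check, exact_check)} for each sample origin."""
    return {o: (origin_allowed_prefix(o, base), origin_allowed_exact(o, base))
            for o in SAMPLE_ORIGINS}

if __name__ == "__main__":
    for origin, (weak, strict) in evaluate().items():
        print(f"{origin:38} startswith={str(weak):5} exact={strict}")
```

The two lookalike hosts pass the startswith check and fail the exact check, which is the gap the query is meant to flag.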

ghsecuritylab commented 3 days ago

Your submission is now in status Results analysis.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

ghsecuritylab commented 3 days ago

Your submission is now in status Query review.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed