pixee / codemodder-python

Python implementation of the Codemodder framework
GNU Affero General Public License v3.0

Codemod: SSRF Semgrep #676

Open clavedeluna opened 4 days ago

clavedeluna commented 4 days ago
    tests/samples/flask_request.py
   ❯❯❱ python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests
          Data from request object is passed to a new server-side request. This could lead to a
          server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are
          validated against an allowlist, do not forward the response to the user, and ensure
          proper authentication and transport-layer security in the proxied request. See
          https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about
          SSRF vulnerabilities.
          Details: https://sg.run/YvY4

            9┆ url = request.args["url"]
           10┆ requests.get(url)

This rule most closely aligns with our existing url_sandbox codemod, so we should add a semgrep codemod that uses that transformer.
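The flagged pattern next to the mitigation the semgrep message asks for (validate scheme and host against an allowlist before the outbound request), as an added example; this is not code from the issue or from codemodder's `url_sandbox` transformer. The allowed hosts, `validate_outbound_url`, the plain dict standing in for Flask's `request.args`, and the `_fake_fetch` stand-in for `requests.get` are all constructed so the example runs offline.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption for this example, not from the issue):
# outbound fetches may only go to these hosts, only over https, only on 443.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "reports.example.com"}
ALLOWED_PORTS = {None, 443}


class DisallowedUrl(ValueError):
    """Raised when a user-supplied URL fails the scheme/host allowlist."""


def validate_outbound_url(url: str) -> str:
    """Return `url` unchanged if scheme, host and port are allowlisted, else raise."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise DisallowedUrl(f"scheme not allowed: {parts.scheme!r}")
    # SplitResult.hostname is lowercased and excludes userinfo and port, so
    # "https://api.example.com@attacker.example/" yields "attacker.example".
    if parts.hostname not in ALLOWED_HOSTS:
        raise DisallowedUrl(f"host not allowed: {parts.hostname!r}")
    try:
        port = parts.port  # raises ValueError for non-numeric or out-of-range ports
    except ValueError as exc:
        raise DisallowedUrl("malformed port") from exc
    if port not in ALLOWED_PORTS:
        raise DisallowedUrl(f"port not allowed: {port}")
    if parts.username is not None or parts.password is not None:
        raise DisallowedUrl("credentials embedded in URL are not allowed")
    return url


def is_allowed_url(url: str) -> bool:
    """Boolean convenience wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url)
    except DisallowedUrl:
        return False
    return True


def vulnerable_handler(args, fetch):
    # Mirrors the two flagged lines: the user-controlled value is passed
    # straight to the outbound request, so a metadata-service or internal
    # address, or a non-http scheme, is fetched as-is.
    url = args["url"]
    return fetch(url)


def hardened_handler(args, fetch):
    # Same handler with the allowlist check inserted before the request.
    url = validate_outbound_url(args["url"])
    return fetch(url)


def _fake_fetch(url):
    """Stand-in for requests.get so the example runs offline; echoes the URL."""
    return f"GET {url}"


if __name__ == "__main__":
    # Constructed inputs: one legitimate target and three classic SSRF probes.
    for candidate in (
        "https://api.example.com/v1/status",
        "http://169.254.169.254/latest/meta-data/",
        "https://api.example.com@attacker.example/",
        "file:///etc/passwd",
    ):
        print("vulnerable:", vulnerable_handler({"url": candidate}, _fake_fetch))
        try:
            print("hardened:  ", hardened_handler({"url": candidate}, _fake_fetch))
        except DisallowedUrl as exc:
            print("hardened:   rejected:", exc)
```

The check deliberately compares the parsed host rather than doing string prefix matching on the raw URL, which is what the `user@host` and mixed-case cases above defeat. The other two points in the semgrep message (do not echo the proxied response to the user, and authenticate and use TLS on the proxied request) are policy for the caller and are not covered by this function.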

clavedeluna commented 4 days ago

@drdavella same here, same line triggers multiple rules

    tests/samples/flask_request.py
   ❯❯❱ python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests
          Data from request object is passed to a new server-side request. This could lead to a
          server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are
          validated against an allowlist, do not forward the response to the user, and ensure
          proper authentication and transport-layer security in the proxied request. See
          https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about
          SSRF vulnerabilities.
          Details: https://sg.run/YvY4

            9┆ url = request.args["url"]
           10┆ requests.get(url)

   ❯❯❱ python.flask.security.injection.ssrf-requests.ssrf-requests
          Data from request object is passed to a new server-side request. This could lead to a
          server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are
          validated against an allowlist, do not forward the response to the user, and ensure
          proper authentication and transport-layer security in the proxied request.
          Details: https://sg.run/J9LW

           10┆ requests.get(url)
drdavella commented 4 days ago

@clavedeluna my initial feeling is that we should have a single codemod that handles both of these rules. Since we process the findings in series, one of them will be fixed before the other. By the time the second finding is processed, the code will already be fixed so there's no further changes. However, we should mark both findings as fixed, if possible.
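An illustration of the serial processing described in the comment above, as an added example and not codemodder's own implementation: two findings that point at the same line share one fixer; the first rewrites the line, the second finds nothing left to change but is still reported as fixed. `Finding`, `FIXERS`, `process_in_series`, the sample source and the hypothetical `validate_outbound_url` wrapper the fixer inserts are all constructed for the example.

```python
import re
from dataclasses import dataclass

DJANGO_RULE = "python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests"
FLASK_RULE = "python.flask.security.injection.ssrf-requests.ssrf-requests"


@dataclass(frozen=True)
class Finding:
    rule_id: str
    line: int  # 1-based end line of the match, as in the semgrep output


# Constructed sample source; the last two lines mirror the flagged snippet.
SAMPLE_SOURCE = [
    "from flask import request",
    "import requests",
    "",
    "def fetch():",
    '    url = request.args["url"]',
    "    requests.get(url)",
]

# Both rules fire on the same line (line 6 here, line 10 in the issue).
SAMPLE_FINDINGS = [Finding(DJANGO_RULE, 6), Finding(FLASK_RULE, 6)]

# Only a bare identifier argument is matched, so the rewrite is idempotent:
# "requests.get(validate_outbound_url(url))" no longer matches.
CALL_RE = re.compile(r"requests\.get\((?P<arg>\w+)\)")


def fix_requests_get(line: str) -> str:
    """Route the argument through a hypothetical allowlist guard."""
    return CALL_RE.sub(r"requests.get(validate_outbound_url(\g<arg>))", line)


# Hypothetical rule-to-fixer table: both SSRF rules map to the same transform.
FIXERS = {DJANGO_RULE: fix_requests_get, FLASK_RULE: fix_requests_get}


def process_in_series(source, findings):
    """Apply fixers one finding at a time; return (new_lines, fixed_rule_ids).

    A finding is reported fixed if its fixer changed the line, or if an
    earlier finding in the same run already changed that line.
    """
    lines = list(source)
    changed = set()
    fixed = []
    for finding in findings:
        fixer = FIXERS.get(finding.rule_id)
        if fixer is None:
            continue  # no codemod for this rule: leave it unfixed
        idx = finding.line - 1
        new_line = fixer(lines[idx])
        if new_line != lines[idx]:
            lines[idx] = new_line
            changed.add(idx)
            fixed.append(finding.rule_id)
        elif idx in changed:
            fixed.append(finding.rule_id)
    return lines, fixed


def run_sample():
    return process_in_series(SAMPLE_SOURCE, SAMPLE_FINDINGS)


if __name__ == "__main__":
    new_lines, fixed_ids = run_sample()
    print("\n".join(new_lines))
    print("fixed:", fixed_ids)
```

Tracking `changed` by line index is the simplest way to credit the second finding; a real implementation would key on the match span rather than the whole line so that two unrelated findings on one line are not conflated.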