DifferentKindsComparisonBypass.ql
/**
 * @name Comparison of user-controlled data of different kinds
 * @description Comparing different kinds of HTTP request data may be a symptom of an insufficient security check.
 * @kind problem
 * @problem.severity error
 * @security-severity 7.8
 * @precision low
 * @id js/different-kinds-comparison-bypass
 * @tags security
 *       external/cwe/cwe-807
 *       external/cwe/cwe-290
 */

import javascript
import semmle.javascript.security.dataflow.DifferentKindsComparisonBypassQuery

from DifferentKindsComparison cmp, DataFlow::Node lSource, DataFlow::Node rSource
where
  lSource = cmp.getLSource() and
  rSource = cmp.getRSource() and
  // Standard names for the double submit cookie pattern (CSRF protection)
  not exists(DataFlow::PropRead s | s = lSource or s = rSource |
    s.getPropertyName().regexpMatch("(?i).*(csrf|state|token).*")
  )
select cmp,
  "This comparison of $@ and $@ is a potential security risk since it is controlled by the user.",
  lSource, lSource.toString(), rSource, rSource.toString()
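
An added JavaScript example (not part of the query file or its repository) of the kind of comparison the query description targets, beside a check anchored to server-side state. The request objects are constructed stand-ins for Express requests, all function names are hypothetical, and `isSuppressedName` re-implements the query's property-name filter to show which names it skips.

```javascript
// Added illustration; request objects are constructed, names are hypothetical.

// Mirrors the query's name filter. QL regexpMatch must match the whole string,
// hence the anchors around the same pattern.
const SUPPRESSED = /^.*(csrf|state|token).*$/i;
function isSuppressedName(propertyName) {
  return SUPPRESSED.test(propertyName);
}

// Targeted pattern: a cookie is compared with a route parameter, and the
// client chooses both values, so the check proves nothing about identity.
function canViewProfileWeak(req) {
  return req.cookies.loggedInUserId === req.params.userId;
}

// Skipped by the query: double submit cookie check. Both sides are still
// request data, but "csrfToken" matches the name filter.
function csrfCheckPasses(req) {
  return req.cookies.csrfToken === req.body.csrfToken;
}

// Hardened: identity comes from server-side session state (assumed to be
// populated by session middleware after login), not from the request.
function canViewProfile(req) {
  return req.session !== undefined &&
    req.session.userId !== undefined &&
    req.session.userId === req.params.userId;
}

// Constructed request with no login session; the cookie simply equals the parameter.
const unauthenticated = {
  cookies: { loggedInUserId: "1001", csrfToken: "abc" },
  params: { userId: "1001" },
  body: { csrfToken: "abc" },
  session: {},
};

function demo() {
  const names = ["csrfToken", "oauthState", "loggedInUserId", "realEstateId"];
  return {
    weak: canViewProfileWeak(unauthenticated),   // passes without a session
    hardened: canViewProfile(unauthenticated),   // rejected
    csrf: csrfCheckPasses(unauthenticated),
    suppressedNames: names.map((n) => [n, isSuppressedName(n)]),
  };
}
console.log(demo());
```

The filter is purely name-based: `realEstateId` is skipped because it contains `state`, so a comparison on such a property goes unreported and needs manual review.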