Skip to content

JS: Add URL constructor taint tracking for request forgery#19634

Merged
Napalys merged 4 commits intogithub:mainfrom
Napalys:js/url_obj_propagation
Jun 2, 2025
Merged

JS: Add URL constructor taint tracking for request forgery#19634
Napalys merged 4 commits intogithub:mainfrom
Napalys:js/url_obj_propagation

Conversation

@Napalys
Copy link
Copy Markdown
Contributor

@Napalys Napalys commented May 30, 2025

This PR enhances the request forgery (SSRF) detection by adding support for tracking taint flow through the URL constructor.

@Napalys Napalys marked this pull request as ready for review June 2, 2025 06:06
Copilot AI review requested due to automatic review settings June 2, 2025 06:06
@Napalys Napalys requested a review from a team as a code owner June 2, 2025 06:06
Copilot AI reviewed Jun 2, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enhances SSRF detection by tracking taint flow through the URL constructor in both tests and analysis logic.

  • Added new test cases in serverSide.js to cover taint propagation via new URL(...)
  • Updated expected results in RequestForgery.expected for the new flows
  • Extended the taint analysis in RequestForgeryCustomizations.qll to recognize the URL constructor
  • Documented the change in change-notes

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
javascript/ql/test/query-tests/Security/CWE-918/serverSide.js Added a new server using new URL(input) and HTTP calls for SSRF
javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected Updated expected taint flow edges for URL constructor cases
javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll Introduced an exists clause for taint flow through URL
javascript/ql/lib/change-notes/2025-05-30-url-package-taint-step.md Added a note about the minor analysis update
Comments suppressed due to low confidence (1)

javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll:87

  • There is an extra '|' before the succ clause in the exists expression. QL expects a single '|' followed by combined predicates; replace the second '|' with 'and' or separate conditions with commas.
|

@github github deleted a comment from Copilot AI Jun 2, 2025
asgerf
asgerf previously approved these changes Jun 2, 2025
View reviewed changes
Comment thread javascript/ql/lib/change-notes/2025-05-30-url-package-taint-step.md Outdated
@Napalys @asgerf
Update javascript/ql/lib/change-notes/2025-05-30-url-package-taint-st…
c981c4f 
…ep.md

Co-authored-by: Asger F <asgerf@github.com>
@Napalys Napalys requested a review from asgerf June 2, 2025 11:34
@Napalys Napalys merged commit aed9e9c into github:main Jun 2, 2025
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@asgerf asgerf asgerf approved these changes

Assignees

No one assigned

Labels

documentation JS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Napalys @asgerf