New ruleset: chromium-insecure-gurl.yaml
thypon committed Jul 17, 2023
1 parent 61961af commit 1b30fef
Showing 2 changed files with 49 additions and 0 deletions.
26 changes: 26 additions & 0 deletions assets/semgrep_rules/c/chromium-insecure-gurl.yaml
@@ -0,0 +1,26 @@
rules:
- id: chromium-insecure-gurl
metadata:
author: Andrea Brancaleoni <abc@pompel.me>
source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/c/chromium-insecure-gurl.yaml
assignees: |
thypon
fmarier
pattern-either:
- pattern: GURL $VAR = ...;
- pattern: KURL $VAR = ...;
- pattern: $VAR.DeprecatedGetOriginAsURL();
- pattern: SecurityOrigin::Create((KURL $VAR));
- pattern: SecurityOrigin::Create((GURL $VAR));
message: >
Use origin (rather than URL) for security decisions.
URLs are often not sufficient for security decisions, since the origin may not be present in the URL (e.g., about:blank), may be tricky to parse (e.g., blob: or filesystem: URLs), or may be opaque despite a normal-looking URL (e.g., the security context may be sandboxed). Use origins whenever possible.
https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/origin-vs-url.md
languages:
- cpp
- c
severity: WARNING
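Review bot: the first two patterns, `GURL $VAR = ...;` and `KURL $VAR = ...;`, fire on every GURL or KURL declaration whether or not the value ever feeds a security decision, so on a Chromium tree this rule will report essentially all URL-handling code and the real signal (the `DeprecatedGetOriginAsURL()` and `SecurityOrigin::Create(...)` patterns) will be buried; either drop the two declaration patterns or constrain them, for example with a `pattern-inside` that requires `$VAR` to reach one of those two calls. Separately, `languages:` lists `c` next to `cpp`, but `SecurityOrigin::Create((KURL $VAR))` is a C++ scoped call that the C grammar cannot express, so `cpp` alone is enough. The origin-vs-url.md link in `message` would also sit better under a `references:` key in `metadata`, keeping the message to the guidance itself.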
23 changes: 23 additions & 0 deletions t3sts/semgrep_rules/insecure-gurl.cpp
@@ -0,0 +1,23 @@
int main() {
// chromium-insecure-gurl
GURL url = ...;
// chromium-insecure-gurl
GURL origin = url.DeprecatedGetOriginAsURL();
// BUG: `origin` will be incorrect if `url` is an "about:blank" URL
// BUG: `origin` will be incorrect if `url` came from a sandboxed frame.
// BUG: `origin` will be incorrect when `url` (rather than
// `base_url_for_data_url`) is used when working with loadDataWithBaseUrl
// (see also https://crbug.com/1201514).
// BUG: `origin` will be empty if `url` is a blob: URL like
// "blob:http://origin/guid-goes-here".
// NOTE: `GURL origin` is also an anti-pattern; see the "Use correct type to
// represent origins" section below.

// Blink-specific example:
// chromium-insecure-gurl
KURL url = ...;
// chromium-insecure-gurl
scoped_refptr<SecurityOrigin> origin = SecurityOrigin::Create(url);
// BUG: `origin` will be incorrect if `url` is an "about:blank" URL
// BUG: `origin` will be incorrect if `url` came from a sandboxed frame.
}
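Review bot: the expected-finding markers are written as `// chromium-insecure-gurl`, which `semgrep --test` does not recognise; it expects `// ruleid: chromium-insecure-gurl` on the line before each expected match (and `// ok: chromium-insecure-gurl` for lines that must not match), so unless the t3sts/ harness defines its own convention these annotations are never checked. The comment `see the "Use correct type to represent origins" section below` refers to a section of Chromium's origin-vs-url.md that is not in this file; point it at the doc URL or drop it. The file also has no negative case: add the recommended origin-based variant marked `ok` so the test proves the rule does not flag the pattern the message tells developers to use.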
