codeql/go/ql/src/experimental/CWE-918/IdnaIpLiteralSmuggle.ql at 92e52e2d4794613ef81c4279a92b46d825b9bbf1 · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
/**
 * @name IDNA digit-fold IP-literal smuggling via UTS-46 NFKC mapping
 * @description An untrusted hostname flows through `golang.org/x/net/idna`
 *              mapping (which folds 100 non-ASCII Unicode digit codepoints to
 *              ASCII via UTS-46 NFKC) and reaches a security-relevant
 *              hostname sink without a post-IDNA IP-literal recheck. A
 *              caller that calls `net.ParseIP` only BEFORE `idna.ToASCII`
 *              will accept a smuggled IPv4 literal such as `"0.¹.0.0"`
 *              (which maps to `"0.1.0.0"`). Scope is IPv4 only because
 *              IPv6 colons are rejected by IDNA rune-validation before
 *              UTS-46 mapping runs.
 * @id go/idna-ip-literal-smuggle
 * @kind path-problem
 * @problem.severity warning
 * @security-severity 8.1
 * @precision high
 * @tags security
 *       experimental
 *       external/cwe/cwe-918
 *       external/cwe/cwe-020
 * @requires codeql/go-all >= 0.6.0
 */

import go
import IdnaIpLiteralSmuggle
import Flow::PathGraph

from
  Flow::PathNode source,
  Flow::PathNode sink
where Flow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "Untrusted hostname from $@ flows through `idna.ToASCII` (which performs UTS-46 NFKC digit folding) and reaches this hostname sink without a post-IDNA `net.ParseIP` recheck (after a trailing-dot trim).",
  source.getNode(), "this user-controlled value"