-
Notifications
You must be signed in to change notification settings - Fork 297
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[querydb] Add scan rule for Twig Template Injection detection #5148
[querydb] Add scan rule for Twig Template Injection detection #5148
Conversation
Add scan rule in querydb to detect potential Twig Template Injection (PHP) vulnerabilities - Introduced a new rule to identify potential Twig template injection issues. - Tested with compiled source code (using public CTF sample code) and confirmed successful detection.
Thanks again @piggyctf! Can you share some test code? :) |
Add code samples for twig template injection.
querydb/src/main/scala/io/joern/scanners/php/TwigTemplateInjection.scala
Outdated
Show resolved
Hide resolved
cpg.call.name(Operators.assignment).argument.code("(?i).*request.*").l | ||
|
||
def sink = | ||
cpg.call.name("createTemplate").l.filter(call => call.methodFullName.toLowerCase.contains("twig")).argument |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the filter()
here can be more idiomatically expressed as .methodFullName("(?i).*twig.*")
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi maltek, thanks for your comments. I've updated in 7471b8a as you recommended, however, there is one test failed at io.joern.rubysrc2cpg.io.RubySrc2CpgHTTPServerTests
after the change. My code has nothing to do with rubysrc2cpg
module, this error happened once before when I added a another rule for detecting a Java vulnerability, and then it suddenly disappeared without any further changes.. Could you please take a look at it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- you've also deleted the
.argument
at the end. Could you add that back please? Even if it seems to work, it's not really correct: in a dataflow query a call stands for the return value of that call. And for a template we're not interested in the output of template expansion, but only in the input that's used as a template. So we want to use the argument of the call as the sink, not its return value. (Sorry if I wasn't clear about what to change.) - Github shows that all checks have passed, so the test seems to work in our CI environment. I can't say much about why it'd fail on your machine.
As suggested, removed ".l" and rewrote the sink be more idiomatically.
Added back argument for sink
The sink should be fixed in dc4cf9f. Thanks for pointing that out. Please let me know if any concerns :) |
Thanks again @piggyctf. I'm sorry it took over a month of back-and-forth to get this merged. I hope this experience wasn't too discouraging. |
Add scan rule in querydb to detect potential Twig Template Injection (PHP) vulnerabilities