Description
The problem is that when I scan these code files:
./main.js:
(() => {})(), // this line makes the codeql neglect the vulnerability?
(() => {
let fe = require('./source.js').s;
let e = fe();
window.location.href = e;
})();
./source.js:
module.exports.s = function() {
let e = window.location.href.split("#")[1];
return decodeURIComponent(e);
};
CodeQL doesn't report any vulnerability, but if I comment out the first line of main.js, like:
// (() => {})(),
(() => {
let fe = require('./source.js').s;
let e = fe();
window.location.href = e;
})();
It detected one, which is:
"Client-side URL redirect","Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites.","error","Untrusted URL redirection depends on a [[""user-provided value""|""relative:///source.js:2:11:2:30""]].
Untrusted URL redirection depends on a [[""user-provided value""|""relative:///source.js:2:11:2:25""]].","/main.js","5","26","5","26"
Is there an issue? The piece of code (() => {})(), which seems irrelevant to the vulnerability to me, affects the query result.
The version of CodeQL that I use:
CodeQL command-line toolchain release 2.18.3.
Copyright (C) 2019-2024 GitHub, Inc.
Unpacked in: ...
Analysis results depend critically on separately distributed query and
extractor modules. To list modules that are visible to the toolchain,
use 'codeql resolve qlpacks' and 'codeql resolve languages'.
And here are the commands I use:
codeql database create --language=javascript codeql-database --source-root="./sourcecode"
codeql database analyze ./codeql-database/ $CODE_QL/codeql-repo/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql --format=csv --output="result.csv" --threads=10
cat result.csv | grep redirect
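A hardened version of the source.js flow, added here as an example and not part of the issue, of CodeQL, or of its query suite: the value after "#" is only used as a redirect target when it resolves to an http(s) URL on the page's own origin, which is the mitigation the ClientSideUrlRedirect query is looking for. It assumes the WHATWG URL global (available in Node and browsers) and takes the origin as a parameter so it runs outside a browser; the same-origin policy itself is an assumed choice.

```javascript
// Added example: validated replacement for source.js's fragment -> href flow.
// The original returns decodeURIComponent(location.href.split("#")[1]) with
// no check, so any attacker-supplied fragment becomes the redirect target.

// Return a safe redirect target derived from the fragment, or null if the
// value must not be used. "origin" is the page's own origin
// (window.location.origin in a browser; passed in here as a parameter).
function safeRedirectTarget(fragment, origin) {
  if (typeof fragment !== 'string' || fragment === '') return null;
  let candidate;
  try {
    candidate = decodeURIComponent(fragment);
  } catch (e) {
    return null; // malformed percent-encoding (URIError)
  }
  let url;
  try {
    // Relative paths resolve against our origin; absolute URLs keep their own.
    url = new URL(candidate, origin);
  } catch (e) {
    return null; // unparsable
  }
  // Same origin only: this rejects foreign hosts, protocol-relative "//host"
  // forms and non-http schemes (javascript:, data:) whose origin is "null".
  if (url.origin !== new URL(origin).origin) return null;
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}

// Drop-in for source.js's exported function; the location object is a
// parameter (assumed shape: { href, origin }) instead of window.location.
function redirectTargetFromLocation(loc) {
  const parts = loc.href.split('#');
  return safeRedirectTarget(parts.length > 1 ? parts[1] : '', loc.origin);
}
```

In main.js the caller would then skip the assignment when the function returns null instead of writing the value into window.location.href unconditionally.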