Skip to content

JS: add js/http-dependency query#7633

Merged
erik-krogh merged 4 commits intogithub:mainfrom
erik-krogh:CWE-300
Jan 28, 2022
Merged

JS: add js/http-dependency query#7633
erik-krogh merged 4 commits intogithub:mainfrom
erik-krogh:CWE-300

Conversation

@erik-krogh
Copy link
Contributor

@erik-krogh erik-krogh commented Jan 18, 2022
edited
Loading

@erik-krogh erik-krogh added WIP This is a work-in-progress, do not merge yet! Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish labels Jan 18, 2022
@erik-krogh erik-krogh removed WIP This is a work-in-progress, do not merge yet! Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish labels Jan 19, 2022
@erik-krogh erik-krogh marked this pull request as ready for review January 19, 2022 12:57
@erik-krogh erik-krogh requested a review from a team as a code owner January 19, 2022 12:57
esbena
esbena requested changes Jan 19, 2022
View reviewed changes
Copy link
Contributor

@esbena esbena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this query requires better documentation, especially the qhelp. (the experimental-promotion of the java query may have been a bit too fast)

@erik-krogh
Copy link
Contributor Author

erik-krogh commented Jan 25, 2022

I've addressed your comments.
Do you think this is ready for a docs review?

esbena
esbena reviewed Jan 26, 2022
View reviewed changes
javascript/ql/src/Security/CWE-300/InsecureDependencyResolution.qhelp Outdated

<example>
<p>
The below example shows a <code>package.json</code> file that downloads a dependency using unencrypted HTTP.
Copy link
Contributor

@esbena esbena Jan 26, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The below example shows a <code>package.json</code> file that downloads a dependency using unencrypted HTTP.
The below example shows a <code>package.json</code> file that downloads a dependency using the insecure HTTP protocol.

I think it is preferable to talk about the vaguer secure/insecure instead of encrypted. Technically, you just need the packets from the server to be signed, it is fine if they are transmitted in cleartext.

... which leads me to consider if we should have a line about verifying the md5sum of insecurely downloaded artifacts as an alternative to the secure download.
I do not think we need it here though, that can be added for a overly aggressive query that checks if any md5sum verification is done on any downloaded resources.

Copy link
Contributor Author

@erik-krogh erik-krogh Jan 26, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

which leads me to consider if we should have a line about verifying the md5sum of insecurely downloaded artifacts as an alternative to the secure download.

Can you do that for dependencies downloaded through a package.json file?
Wouldn't that require downloading the dependency (without running install script), verifying a checksum, and then run the install script.
I think such a setup is sufficiently rare that we don't need to mention it.

It's common on <script/> tags, but that's another matter.

Copy link
Contributor

@esbena esbena Jan 26, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's common on <script/> tags, but that's another matter.

Great idea: https://github.com/github/codeql-javascript-team/issues/374

@esbena esbena added the ready-for-doc-review This PR requires and is ready for review from the GitHub docs team. label Jan 26, 2022
@esbena
Copy link
Contributor

esbena commented Jan 26, 2022

Thanks. I have pinged the docs team, my suggested changes should not be blocking them.

@erik-krogh @esbena
update qhelp with suggestions
abd8761 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
esbena
esbena previously approved these changes Jan 26, 2022
View reviewed changes
@mchammer01 mchammer01 self-requested a review January 28, 2022 09:01
mchammer01
mchammer01 previously approved these changes Jan 28, 2022
View reviewed changes
Copy link
Contributor

@mchammer01 mchammer01 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@erik-krogh - LGTM ✨
Spotted an inconsistency with the query ID, and made a few minor comments.

@erik-krogh @mchammer01
apply suggestions from doc review
b5198bd 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
@erik-krogh erik-krogh dismissed stale reviews from mchammer01 and esbena via b5198bd January 28, 2022 09:46
mchammer01
mchammer01 approved these changes Jan 28, 2022
View reviewed changes
Copy link
Contributor

@mchammer01 mchammer01 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for addressing my comments!

@erik-krogh erik-krogh merged commit 7aa59ca into github:main Jan 28, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@esbena esbena esbena approved these changes

@mchammer01 mchammer01 mchammer01 approved these changes

Assignees

No one assigned

Labels

documentation JS ready-for-doc-review This PR requires and is ready for review from the GitHub docs team.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@erik-krogh @esbena @mchammer01