Analysis for CodeQL query Inclusion of functionality from an untrusted source

[roslynwythe]

Prerequisite

1. Be a member of Hack for LA. (There are no fees to join.) If you have not joined yet, please follow the steps on our Getting Started page.
2. Before you claim or start working on an issue, please make sure you have read our How to Contribute to Hack for LA Guide.

Overview

We need to analyze the query Inclusion of functionality from an untrusted source which appears in the CodeQL code scan results, and we need to make recommendations about the disposition of each specific alert found with that query. Analysis and Recommendations will be recorded in the spreadsheet: HfLA website: CodeQL scan alerts (issue #5060)¹

Action Items

• Open the spreadsheet HfLA website: CodeQL scan alerts - issue Create Issues for Analysis of CodeQL alerts #5060¹
• From the code scanning results page² browse to an alert with query type Inclusion of functionality from an untrusted source. Copy the query, severity level, description, and recommendation text from the webpage into a new row in the CodeQL query types sheet.
• Observe the query tags listed on the left column of the webpage. If the tag security is listed, check the "Security Alert?" column of the spreadsheet.
• Add your analysis and recommendation
  • In the "recommended action" column, select from the following: dismiss as test, dismiss as false positive, dismiss as won't fix, change code, or varies by instance
• Populate a row in the Alert Instances sheet for each alert instance in the code scanning results page²; Complete the query, alert # and file:line columns
  • If the recommendation is fix code, populate these columns:
    • Line of current code
    • Recommended line of code
    • web page - URL of the affected web page, for testing purposes
    • test procedure- describe the process which can be used after the code fix has been made, to check that the change has not broken anything.
• After all instances have been recorded in the sheet, add the ready for dev lead label to this issue and move it to the Questions/In Review column

For merge team/dev lead

• To review this issue:
  • Locate the row in the CodeQL query types sheet. All columns should be populated.
  • Locate the rows in theAlert Instances. There should be a row for each instance of the alert in the code scanning results page². For each row:
    • If the recommendation is change code, all columns must be completed with the exception of Link to Issue
    • If the recommendation is to dismiss, none of the remaining columns are required (as indicated on the sheet)
• Remove the ready for dev lead label and close the issue
• Check off the Issue in Create Issues for Analysis of CodeQL alerts #5060

Resources/Instructions

• GitHub CodeQL documentation
• This issue is tracked in the spreadsheet HfLA website: CodeQL scan alerts (issue #5060) and Create Issues for Analysis of CodeQL alerts #5060

Footnotes

1. spreadsheet: HfLA website: CodeQL scan alerts - issue #5060 ↩ ↩²

2. Code scanning results page ↩ ↩² ↩³

[github-actions]

Hi @freaky4wrld, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:-
i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?)
ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

[freaky4wrld]

ETA - 12/11/23 EOD
Availability - In evenings from 5 PM-11 PM

[freaky4wrld]

I'm just not sure with the test procedure and the web page column in the Alert Instances sheet so left blank, can you please suggest what should I mention there.

[freaky4wrld]

@roslynwythe the issue is complete and need to reviewed.... if anything has to be changed please tag me here

[roslynwythe]

Hi @freaky4wrld Thank you for the analysis and recommendations. Based on your recommendations, we will create two new issues for the code changes to the files, and in each case we need to ask the developer to do some sort of testing to make sure nothing was broken. I will use the information you provide in web page and test procedure to guide the dev in testing.

Let me ask you, if you were responsible for making the recommeded code changes, how would you test them? If that babel script failed to load, how would we know?

[freaky4wrld]

@roslynwythe well there could be various methods:

• the most simple would be using the console and look for any issues with the script or its integrity
• another one could be using the `network tab and look for the external scripts failure
• maybe using a fallback mechanism with <noscript> tag indicating a failure in the script loading
• Or the best would be deliberately tampering the babel script or introduce an error in the script URL to simulate a tampered or failed script and observing its behaviour.

[roslynwythe]

Thank you @freaky4wrld for your analysis and recommendations regarding this security alert. This issue will be closed as completed. A follow-up issue will be created for the code change and testing. If you have an interest in writing that issue, please let me know via DM on Slack.