Skip to content

Add client-response Threat Model and update JS ClientsRequests #19656

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added support for ClientRequest being part of the `client-response` threat model versus part of `response` threat model.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* Added support for ClientRequest being part of the `client-response` threat model versus part of `response` threat model.
* Responses from outgoing HTTP requests will now be included as taint sources when the `local` threat model is used.

I'd try to use a change note that's easier to understand for external users.

Original file line number Diff line number Diff line change
Expand Up @@ -947,7 +947,7 @@ module ClientRequest {
private class ClientRequestThreatModel extends ThreatModelSource::Range {
ClientRequestThreatModel() { this = any(ClientRequest r).getAResponseDataNode() }

override string getThreatModel() { result = "response" }
override string getThreatModel() { result = "client-response" }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
override string getThreatModel() { result = "client-response" }
override string getThreatModel() { result = ["response", "browser-response"] }

To be forward compatible with the planned solution. I'll open a PR to make this a bit more accurate.


override string getSourceType() { result = "HTTP response data" }
}
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Add support for `client-response` threat model.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need change notes for qlpacks

2 changes: 2 additions & 0 deletions shared/threat-models/ext/threat-model-grouping.model.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ extensions:
- ["stdin", "local"]
- ["file", "local"]
- ["windows-registry", "local"]
# Client-side threat models for request responses.
- ["client-response", "local"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- ["client-response", "local"]
- ["browser-response", "local"]


# Android threat models
- ["android-external-storage-dir", "android"]
Expand Down
Loading