C#: Add experimental SSRF IPv6-transition incomplete-guard query (CWE-918/CWE-1389)#148
Open
tonghuaroot wants to merge 1 commit into
Open
Conversation
Adds githubsecuritylab/cs/ssrf-ipv6-transition-incomplete-guard, which flags SSRF host-validation guards that reject private/loopback IPv4 ranges but never unwrap IPv6-transition forms (IPv4-mapped ::ffff:, NAT64 64:ff9b::, 6to4 2002::). Such guards can be bypassed by wrapping an internal IPv4 address in a transition literal, so the validator classifies the host as public while the OS still routes to the internal endpoint (CWE-918 / CWE-1389). Includes qhelp, good/bad examples, and a unit test.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a new experimental C# query,
githubsecuritylab/cs/ssrf-ipv6-transition-incomplete-guard, that flags SSRF host-validation guards which reject private / loopback / cloud-metadata IPv4 ranges but never unwrap IPv6-transition representations.When a guard inspects only the dotted-quad IPv4 form, an attacker can wrap an internal IPv4 address in a transition literal so the validator classifies the host as public while the OS still routes the connection to the embedded internal endpoint. The affected forms are:
::ffff:169.254.169.25464:ff9b::a9fe:a9fe2002::A URL such as
http://[::ffff:169.254.169.254]/passes a dotted-quad denylist unchanged while still reaching the internal address. CallingIPAddress.MapToIPv4()/ testingIPAddress.IsIPv4MappedToIPv6only canonicalizes the::ffff:0:0/96prefix, so NAT64 / 6to4 / IPv4-compatible forms remain live (CWE-918 / CWE-1389).Origin
This was originally proposed in github/codeql#21964. @michaelnebel suggested moving it to the Community Packs rather than landing it as an experimental query in github/codeql, so this PR ports it here.
Contents
csharp/src/security/CWE-918/SsrfIpv6TransitionIncompleteGuard.ql— the query (@kind problem,import csharponly, autoformatted)csharp/src/security/CWE-918/SsrfIpv6TransitionIncompleteGuard.qhelp— query helpcsharp/src/security/CWE-918/examples/SsrfIpv6TransitionIncompleteGuard{Bad,Good}.cs— qhelp examplescsharp/test/security/CWE-918/SsrfIpv6TransitionIncompleteGuard/— unit test (.cs/.qlref/.expected/options)Adapted to Community Packs conventions:
@idnamespacegithubsecuritylab/cs/..., query undercsharp/src/security/CWE-918/, test undercsharp/test/security/CWE-918/with a${testdir}/.../codeql/...stuboptionspath matching the existing tests. The github/codeql-specific change-note and integration-test (not_included_in_qls.expected) files were dropped.Verification
Verified locally with CodeQL CLI 2.25.6:
codeql query compile csharp/src/security/CWE-918/SsrfIpv6TransitionIncompleteGuard.ql— compiles clean, no warnings.codeql query format— idempotent (autoformatted).codeql test run csharp/test/security/CWE-918/SsrfIpv6TransitionIncompleteGuard— passes (2 expected true positives flagged, 4 transition-aware / out-of-scope callables correctly suppressed).