Skip to content

Instantly share code, notes, and snippets.

Created October 12, 2020 11:47
What would you like to do?
import javascript
import DataFlow::PathGraph
// TODO: need to add constraint of "@nguniversal/express-engine"
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "Angular SSRF" }
// string not start with https?:// or //
override predicate isSource(DataFlow::Node source) {
// detect DI of HttpClient
// this.http.get() and ...
override predicate isSink(DataFlow::Node sink) {
// TODO: add pattern for http.request
exists(DataFlow::PropRead httpDI, FieldDeclaration httpField, DataFlow::MethodCallNode methodCall |
sink = methodCall.getArgument(0) and
methodCall.getMethodName().regexpMatch("get|post|put|delete") and
methodCall = httpDI.getAMethodCall() and
httpDI.getPropertyName() = httpField.getName() and
httpField.getTypeAnnotation().toString() = "HttpClient"
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink, source, "Angular SSRF"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment