
How do we define impacted methods?

Open  bwillis opened this issue 5 years ago • 1 comment

We want to have impacted method structured so that we can automatically consume it. Defining this across languages would be challenging so perhaps looking at inspiration from other schemas would be beneficial.

bwillis avatar Aug 06 '20 15:08 bwillis

One source of inspiration could be source maps.

How does it work?

Typically, in my experience, these are most often used to make a mapping between code in a development environment and obfuscated code in a production environment, so that developers can trace production issues back to the original code.

{
  "version" : 3,
  "file": "out.js",
  "sourceRoot": "",
  "sources": ["foo.js", "bar.js"],
  "sourcesContent": [null, null],
  "names": ["src", "maps", "are", "fun"],
  "mappings": "A,AAAB;;ABCDE;"
}

The mappings field is really the key part here, as it lists where things are in the code. It's base64 VLQ encoded, but I found this expansion a nice explainer:

"mappings": {
  "0": [
   ^
   └── the line number of the output file

    "231 => source.js 5:64 foo"
      ^        ^       ^    ^
      │        │       │    └── the symbol name from the source file
      │        │       │
      │        │       └── the line:column position in the source file
      │        │
      │        └── the name of the source file
      │
      └── the column number of the output file

  ]
}

How would we use it?

At a high level, the schema would include the same structure as the source maps specification, but the mappings would only exist for the vulnerable methods, variables or whatever we want to point to in the associated source.

{
  "title": "XSS in hackerone.com",
  "description": "The contact form input does not sanitize the text before reflecting it on the page causing an XSS.",
  "impacted_methods": [
    {
      "version": 3,
      "file": "contactForm.js",
      "sourceRoot": "https://hackerone.com/assets/",
      "sources": ["contactForm.js"],
      "names": ["contactFormBody", "showContactFormBody"],
      "mappings": "A,AAAB;;ABCDE;"
    }
  ]
}

#### Expanding the mappings for readability
"0": [
  "231 => contactForm.js 5:64 contactFormBody",
  "459 => contactForm.js 5:64 showContactFormBody"
]
#### </expansion>

Pros

  • This works across languages
  • It's flexible, allows not just method names, but variables

Cons

  • Not the typical use case, so there are some awkward fields, like "file" == "sources", when "file" is usually the obfuscated version

Open questions

  • How would a user fill this out? Would we need some sort of tooling to help?

bwillis avatar Aug 06 '20 16:08 bwillis
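An added example, not code from the issue author or from the working group: a small encoder/decoder for the Source Map v3 mappings field, written in JavaScript since that is where source maps live. It takes a structured list of impacted locations, produces the base64 VLQ mappings string, decodes it again, and renders the "231 => contactForm.js 5:64 contactFormBody" form from the expansion above. The location field names (genLine, genCol, source, line, col, name) and the sample impacted entry are constructed for illustration; the mappings string in the issue is the placeholder from the spec, so this computes a real one for the two locations in the expansion.

```javascript
// Added example: Source Map v3 "mappings" encode/decode for impacted locations.
// Not part of the wg-vulnerability-disclosures schema; field names are assumed.
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Base64 VLQ: sign in the lowest bit, then 5 data bits per character,
// with bit 5 (value 32) flagging that another character follows.
function encodeVlq(value) {
  let vlq = value < 0 ? ((-value) << 1) | 1 : value << 1;
  let out = "";
  do {
    let digit = vlq & 31;
    vlq >>>= 5;
    if (vlq > 0) digit |= 32;
    out += B64[digit];
  } while (vlq > 0);
  return out;
}

// Decode every VLQ value in one segment (the text between commas).
// Rejects unknown characters, over-long values and a dangling continuation bit.
function decodeVlqs(segment) {
  const values = [];
  let result = 0, shift = 0;
  for (const ch of segment) {
    const digit = B64.indexOf(ch);
    if (digit < 0) throw new Error(`invalid base64 VLQ character ${JSON.stringify(ch)}`);
    if (shift > 30) throw new Error("VLQ value too large");
    result += (digit & 31) << shift;
    shift += 5;
    if ((digit & 32) === 0) {
      const negative = (result & 1) === 1;
      result >>>= 1;
      values.push(negative && result !== 0 ? -result : result);
      result = 0;
      shift = 0;
    }
  }
  if (shift !== 0) throw new Error("truncated VLQ: continuation bit set on last character");
  return values;
}

// Encode 0-based locations into a mappings string. The generated-column delta
// resets at each ';'; source, original line/column and name deltas carry across.
function encodeMappings(locations) {
  const sorted = [...locations].sort((a, b) => a.genLine - b.genLine || a.genCol - b.genCol);
  const lines = [];
  let segments = [], curLine = 0;
  const prev = { genCol: 0, source: 0, line: 0, col: 0, name: 0 };
  for (const loc of sorted) {
    while (curLine < loc.genLine) {
      lines.push(segments.join(","));
      segments = []; curLine++; prev.genCol = 0;
    }
    let seg = encodeVlq(loc.genCol - prev.genCol) + encodeVlq(loc.source - prev.source)
      + encodeVlq(loc.line - prev.line) + encodeVlq(loc.col - prev.col);
    if (loc.name !== undefined) { seg += encodeVlq(loc.name - prev.name); prev.name = loc.name; }
    Object.assign(prev, { genCol: loc.genCol, source: loc.source, line: loc.line, col: loc.col });
    segments.push(seg);
  }
  lines.push(segments.join(","));
  return lines.join(";");
}

// Decode a mappings string back into absolute 0-based locations.
function decodeMappings(mappings) {
  const locations = [];
  let source = 0, line = 0, col = 0, name = 0;
  mappings.split(";").forEach((lineText, genLine) => {
    let genCol = 0;
    if (lineText === "") return;
    for (const segment of lineText.split(",")) {
      const v = decodeVlqs(segment);
      if (v.length !== 1 && v.length !== 4 && v.length !== 5) {
        throw new Error(`segment ${JSON.stringify(segment)} has ${v.length} fields; expected 1, 4 or 5`);
      }
      genCol += v[0];
      const loc = { genLine, genCol };
      if (v.length >= 4) { source += v[1]; line += v[2]; col += v[3]; Object.assign(loc, { source, line, col }); }
      if (v.length === 5) { name += v[4]; loc.name = name; }
      locations.push(loc);
    }
  });
  return locations;
}

// Render an entry like the issue's expansion, keyed by generated line. Lines are
// shown 1-based and columns 0-based, as the `source-map` library reports them.
function expandImpactedMethods(entry) {
  const expanded = {};
  for (const m of decodeMappings(entry.mappings)) {
    if (m.source === undefined) continue; // 1-field segments point at no source
    const src = entry.sources[m.source];
    if (src === undefined) throw new Error(`source index ${m.source} out of range`);
    const sym = m.name === undefined ? "" : ` ${entry.names[m.name]}`;
    const key = String(m.genLine);
    if (!expanded[key]) expanded[key] = [];
    expanded[key].push(`${m.genCol} => ${src} ${m.line + 1}:${m.col}${sym}`);
  }
  return expanded;
}

// Constructed sample entry: the two locations from the issue's expansion.
const impacted = {
  version: 3,
  file: "contactForm.js",
  sourceRoot: "https://hackerone.com/assets/",
  sources: ["contactForm.js"],
  names: ["contactFormBody", "showContactFormBody"],
  mappings: encodeMappings([
    { genLine: 0, genCol: 231, source: 0, line: 4, col: 64, name: 0 },
    { genLine: 0, genCol: 459, source: 0, line: 4, col: 64, name: 1 },
  ]),
};

console.log(impacted.mappings); // uOAIgEA,oOAAAC
console.log(JSON.stringify(expandImpactedMethods(impacted), null, 2));
```

The decoder is deliberately strict: a consumer that ingests impacted-method data from third-party advisories should reject malformed VLQs, segments with the wrong field count and out-of-range source or name indices rather than silently mapping to undefined, which is also where tooling to help users fill the field in (the open question above) would start.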