Add Web Cache Deception Query and Example Code Snippet

Author: Yunus AYDIN

go/ql/src/Security/CWE-525/WebCacheDeception.go

@@ -0,0 +1,91 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"html/template"
+	"log"
+	"net/http"
+	"os/exec"
+	"strings"
+	"sync"
+)
+
+var sessionMap = make(map[string]string)
+
+var (
+	templateCache = make(map[string]*template.Template)
+	mutex         = &sync.Mutex{}
+)
+
+type Lists struct {
+	Uid       string
+	UserName  string
+	UserLists []string
+	ReadFile  func(filename string) string
+}
+
+func parseTemplateFile(templateName string, tmplFile string) (*template.Template, error) {
+	mutex.Lock()
+	defer mutex.Unlock()
+
+	// Check if the template is already cached
+	if cachedTemplate, ok := templateCache[templateName]; ok {
+		fmt.Println("cached")
+		return cachedTemplate, nil
+	}
+
+	// Parse and store the template in the cache
+	parsedTemplate, _ := template.ParseFiles(tmplFile)
+	fmt.Println("not cached")
+
+	templateCache[templateName] = parsedTemplate
+	return parsedTemplate, nil
+}
+
+func ShowAdminPageCache(w http.ResponseWriter, r *http.Request) {
+
+	if r.Method == "GET" {
+		fmt.Println("cache called")
+		sessionMap[r.RequestURI] = "admin"
+
+		// Check if a session value exists
+		if _, ok := sessionMap[r.RequestURI]; ok {
+			cmd := "mysql -h mysql -u root -prootwolf -e 'select id,name,mail,age,created_at,updated_at from vulnapp.user where name not in (\"" + "admin" + "\");'"
+
+			// mysql -h mysql -u root -prootwolf -e 'select id,name,mail,age,created_at,updated_at from vulnapp.user where name not in ("test");--';echo");'
+			fmt.Println(cmd)
+
+			res, err := exec.Command("sh", "-c", cmd).Output()
+			if err != nil {
+				fmt.Println("err : ", err)
+			}
+
+			splitedRes := strings.Split(string(res), "\n")
+
+			p := Lists{Uid: "1", UserName: "admin", UserLists: splitedRes}
+
+			parsedTemplate, _ := parseTemplateFile("page", "./views/admin/userlists.gtpl")
+			w.Header().Set("Cache-Control", "no-store, no-cache")
+			err = parsedTemplate.Execute(w, p)
+		}
+	} else {
+		http.NotFound(w, nil)
+	}
+
+}
+
+func main() {
+	var portNum = flag.String("p", "80", "Specify application server listening port")
+	flag.Parse()
+	fmt.Println("Vulnapp server listening : " + *portNum)
+
+	http.Handle("/assets/", http.StripPrefix("/assets/", http.FileServer(http.Dir("assets/"))))
+	http.HandleFunc("/adminusers", ShowAdminPageCache)
+
+	http.HandleFunc("/adminusers/", ShowAdminPageCache)
+	err := http.ListenAndServe(":"+*portNum, nil)
+	if err != nil {
+		log.Fatal("ListenAndServe: ", err)
+	}
+}

go/ql/src/Security/CWE-525/WebCacheDeception.ql

@@ -0,0 +1,28 @@
+/**
+ * @name Web Cache Deception
+ * @description A caching system has been detected on the application and is vulnerable to web cache deception. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id go/web-cache-deception
+ * @tags security
+ *       external/cwe/cwe-525
+ */
+
+ import go
+
+ from DataFlow::CallNode httpHandleFuncCall, DataFlow::CallNode call, DataFlow::Node predecessor, Expr predecessorExpr, CallExpr headerGetCall, Method get
+ where
+   httpHandleFuncCall.getTarget().hasQualifiedName("net/http", "HandleFunc") and
+   httpHandleFuncCall.getNumArgument() > 1 and
+   httpHandleFuncCall.getArgument(0).getType().toString() = "string" and
+   httpHandleFuncCall.getArgument(0).toString().matches("%/\"") and
+   // Trace the second argument's data flow to its predecessor
+   predecessor = httpHandleFuncCall.getArgument(1).getAPredecessor() and
+   // Find the corresponding expression for the predecessor
+   get.hasQualifiedName("net/http", "Header", "Set") and
+   call = get.getACall() and
+   call.getArgument(0).toString().matches("\"Cache-Control\"")
+ select httpHandleFuncCall.getArgument(0), call.getArgument(0)
+ 

go/ql/src/Security/CWE-525/wcd/baseline-info.json

@@ -0,0 +1 @@
+{"languages":{"go":{"displayName":"Go","files":["WebCacheDeception.go"],"linesOfCode":67,"name":"go"}}}

go/ql/src/Security/CWE-525/wcd/codeql-database.yml

@@ -0,0 +1,10 @@
+---
+sourceLocationPrefix: /Users/yunus.aydin/Research/codeql-fork/go/ql/src/Security/CVE-525
+baselineLinesOfCode: 67
+unicodeNewlines: false
+columnKind: utf8
+primaryLanguage: go
+creationMetadata:
+  cliVersion: 2.15.1
+  creationTime: 2023-11-13T20:28:51.105630Z
+finalised: true