CodeQL documentation

Insecure URL whitelist

ID: js/angular/insecure-url-whitelist
Kind: problem
Severity: warning
Precision: very-high
Tags:
   - security
   - frameworks/angularjs
   - external/cwe/cwe-183
   - external/cwe/cwe-625
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

AngularJS uses filters to ensure that the URLs used for sourcing AngularJS templates and other script-running URLs are safe. One such filter is a whitelist of URL patterns to allow.

A URL pattern that is too permissive can cause security vulnerabilities.

Recommendation

Make the whitelist URL patterns as restrictive as possible.

Example

The following example shows an AngularJS application with whitelist URL patterns that all are too permissive.

angular.module('myApp', [])
    .config(function($sceDelegateProvider) {
        $sceDelegateProvider.resourceUrlWhitelist([
            "*://example.org/*", // BAD
            "https://**.example.com/*", // BAD
            "https://example.**", // BAD
            "https://example.*" // BAD
        ]);
    });

This is problematic, since the four patterns match the following malicious URLs, respectively:

  • javascript://example.org/a%0A%0Dalert(1) (%0A%0D is a linebreak)
  • https://evil.com/?ignore=://example.com/a
  • https://example.evil.com
  • https://example.evilTld

References