Add network-request-validation opengrep rule for Chromium#866
Add network-request-validation opengrep rule for Chromium#866
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| auto url_request = URLRequest::Create(external_url, request_delegate_); | ||
|
|
||
| // SHOULD NOT TRIGGER: URL rewriting without validation (pattern doesn't match assignment) | ||
| GURL original_url = GetUserProvidedUrl(); |
There was a problem hiding this comment.
reported by reviewdog 🐶
[opengrep] Use origin (rather than URL) for security decisions.
URLs are often not sufficient for security decisions, since the origin may not be present in the URL (e.g., about:blank), may be tricky to parse (e.g., blob: or filesystem: URLs), or may be opaque despite a normal-looking URL (e.g., the security context may be sandboxed). Use origins whenever possible.
https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/origin-vs-url.md
Source: https://github.com/brave/security-action/blob/main/assets/opengrep_rules/client/chromium-insecure-gurl.yaml
Cc @thypon @fmarier
| // SHOULD TRIGGER: SimpleURLLoader with user/external data | ||
| auto user_request = CreateUserRequest(); | ||
| // ruleid: chromium-network-request-validation | ||
| auto user_loader = SimpleURLLoader::Create(user_request, traffic_annotation_); |
There was a problem hiding this comment.
reported by reviewdog 🐶
[opengrep] Network requests require security review and proper traffic annotation.
All network requests should use net::DefineNetworkTrafficAnnotation to
document purpose and data handling. Ensure proper origin validation,
URL sanitization, and that requests cannot be abused for SSRF attacks.
Source: https://github.com/brave/security-action/blob/main/assets/opengrep_rules/client/network-request-validation.yaml
Cc @thypon @fmarier @cdesouza-chromium
|
|
||
| auto external_request = CreateExternalRequest(); | ||
| // ruleid: chromium-network-request-validation | ||
| auto external_loader = SimpleURLLoader::Create(external_request, traffic_annotation_); |
There was a problem hiding this comment.
reported by reviewdog 🐶
[opengrep] Network requests require security review and proper traffic annotation.
All network requests should use net::DefineNetworkTrafficAnnotation to
document purpose and data handling. Ensure proper origin validation,
URL sanitization, and that requests cannot be abused for SSRF attacks.
Source: https://github.com/brave/security-action/blob/main/assets/opengrep_rules/client/network-request-validation.yaml
Cc @thypon @fmarier @cdesouza-chromium
|
|
||
| auto untrusted_request = CreateUntrustedRequest(); | ||
| // ruleid: chromium-network-request-validation | ||
| auto untrusted_loader = SimpleURLLoader::Create(untrusted_request, traffic_annotation_); |
There was a problem hiding this comment.
reported by reviewdog 🐶
[opengrep] Network requests require security review and proper traffic annotation.
All network requests should use net::DefineNetworkTrafficAnnotation to
document purpose and data handling. Ensure proper origin validation,
URL sanitization, and that requests cannot be abused for SSRF attacks.
Source: https://github.com/brave/security-action/blob/main/assets/opengrep_rules/client/network-request-validation.yaml
Cc @thypon @fmarier @cdesouza-chromium
thypon
force-pushed
the
chromium/network-request-validation
branch
from
32e58e6 to
4eb79cb
Compare
Validate network requests containing user data to prevent SSRF and ensure proper traffic annotation.
thypon
force-pushed
the
chromium/network-request-validation
branch
from
4eb79cb to
74b27a4
Compare
| - pattern-either: | ||
| - patterns: | ||
| - pattern-either: | ||
| - pattern: SimpleURLLoader::Create($REQUEST, $ANNOTATION) |
There was a problem hiding this comment.
we should exclude test files for these patterns *test*.cc
4 participants
Supersedes: #855