
Add `client-response` Threat Model and update JS ClientsRequests

Open GeekMasher opened this issue 7 months ago • 3 comments

I've added the client-response threat model to the Threat Modelling shared library. This is a new local threat model that includes the sources of client libraries (mainly focused on JavaScript / TypeScript).

This is needed to discover XSS or other types of security issues when the source of untrusted data is the response content of REST, GraphQL, SOAP, etc. clients.

GeekMasher, Jun 03 '25 15:06
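The data flow the opening post describes, as an added example that is not code from the PR or from the CodeQL library: a REST client's parsed response body is treated as an untrusted source, and interpolating one of its fields into markup is the XSS sink a `client-response` threat model would let the JavaScript queries report. The response object, the field name `displayName` and the two `renderProfile*` functions are constructed for illustration; nothing is fetched over the network.

```javascript
// Added example (not from the PR or the CodeQL library).
// Constructed fixture standing in for the result of
// `await fetch(url).then(r => r.json())` from a REST client.
const constructedResponseBody = {
  displayName: '<img src=x onerror="alert(1)">', // attacker-controlled server data
};

// Vulnerable pattern: a field from the client response is concatenated
// straight into an HTML string that would later be assigned to innerHTML.
function renderProfileUnsafe(body) {
  const name = body.displayName;                 // source: client response
  return `<h1>Welcome, ${name}</h1>`;             // sink: HTML markup
}

// Minimal HTML entity encoding for text placed inside element content.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: same flow, but the value is encoded before it reaches markup
// (using textContent instead of innerHTML is the other standard fix).
function renderProfileSafe(body) {
  const name = body.displayName;
  return `<h1>Welcome, ${escapeHtml(name)}</h1>`;
}

// Check helper: does the rendered markup still contain a live tag from the payload?
function containsRawTag(html) {
  return /<img\b/i.test(html);
}

console.log(renderProfileUnsafe(constructedResponseBody)); // tag survives: XSS
console.log(renderProfileSafe(constructedResponseBody));   // tag is inert text
```

With the `client-response` source enabled, the unsafe path is the one a taint-tracking query flags; the hardened path passes through a sanitizer the queries already recognise, so enabling the threat model does not turn it into a finding.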

Could you say a few words about why the existing response threat model is not doing what you want? Is it because you want local to enable the threat sources from response?

asgerf, Jun 04 '25 07:06

Correct, right now you can't enable response using either remote or local models because JavaScript has disabled response models by default.

GeekMasher, Jun 04 '25 11:06

Default Setup cannot use response. This will allow it to.

I would argue for allowing response in remote, since we should favour increasing true positives, over some possible false positives.

I haven't seen the data on the testing, but I understand a decision last year was made to favour work on dealing with false negatives over false positives; this decision to make response harder to use seems to run counter to that, and I don't understand the reasoning.

Allowing an explicit response threat model in Default Setup is an alternative to this PR.

aegilops, Jun 05 '25 13:06