Merge pull request #323 from microsoft/domain-squatting-powershell

Domain squatting powershell

Author: MathiasVP

powershell/ql/src/queries/security/cwe-829/DomainSquattingStatic.qhelp

@@ -0,0 +1,22 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+
+<qhelp>
+
+  <overview>
+    <p> Do not use domains like <code>*.outlook.us</code> and <code>*.office.us</code>, as these are domains that are not owned by Microsoft. Also avoid using deprecated domains like <code>goo.gl</code>. 
+    These domains are subject to domain squatting, which can introduce a security risk to services that trust them. </p>
+
+    <p>In addition to the above, <code>ajax.microsoft.com</code> and <code>ajax.aspnetcdn.com</code> host old JavaScript or old CSS in a non-production CDN. This CDN has no SLA, and could disappear at any time. We recommend that you move your assets local or serve them from a fully supported production CDN, such as the <a href="https://eng.ms/docs/experiences-devices/global-experiences-platform/es365/idc-fundamentals-1js/1js-monorepo/1js-repo-docs/team-documentation/midgard/engineering-system/cdn">M365 Shared CDN (1CDN)</a>.</p>
+  </overview>
+
+  <recommendation>
+    <p>Please remove any references to any obsolete domains</p>
+  </recommendation>
+
+  <references>
+  <li>Google: <a href="https://developers.googleblog.com/en/google-url-shortener-links-will-no-longer-be-available/">Google URL Shortener links will no longer be available</a>.</li>
+  <li>AJAX CDN: <a href="https://learn.microsoft.com/en-us/aspnet/ajax/cdn/overview">AJAX CDN Overview</a></li>
+  </references>
+</qhelp>

powershell/ql/src/queries/security/cwe-829/DomainSquattingStatic.ql

@@ -0,0 +1,27 @@
+/**
+ * @name Use of deprecated domain
+ * @description Referencing deprecated domains that are not owned by Microsoft can lead to security risks
+ * @kind problem
+ * @id powershell/domain-squatting-static
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ */
+
+import powershell
+
+string obsoleteDomain(){
+    result = [
+        "%.outlook.us%",
+        "%.office.us%", 
+        "%goo.gl%",
+        "%ajax.aspnetcdn.com%",
+        "%ajax.microsoft.com%"
+    ]
+}
+
+from StringLiteral s, string domain 
+where 
+domain = obsoleteDomain() and
+s.getValue().matches(domain)
+select s, "use of obsolete domain " + domain

powershell/ql/test/query-tests/security/cwe-829/DomainSquattingStatic/DomainSquattingStatic.expected

@@ -0,0 +1,5 @@
+| test.ps1:2:15:2:46 | https://mail.outlook.us/api/v1 | use of obsolete domain %.outlook.us% |
+| test.ps1:5:14:5:45 | https://portal.office.us/admin | use of obsolete domain %.office.us% |
+| test.ps1:8:13:8:35 | https://goo.gl/abc123 | use of obsolete domain %goo.gl% |
+| test.ps1:11:11:11:70 | https://ajax.aspnetcdn.com/ajax/jQuery/jquery-3.5.1.min.js | use of obsolete domain %ajax.aspnetcdn.com% |
+| test.ps1:14:14:14:68 | http://ajax.microsoft.com/ajax/4.0/1/MicrosoftAjax.js | use of obsolete domain %ajax.microsoft.com% |

powershell/ql/test/query-tests/security/cwe-829/DomainSquattingStatic/DomainSquattingStatic.qlref

@@ -0,0 +1 @@
+queries/security/cwe-829/DomainSquattingStatic.ql

powershell/ql/test/query-tests/security/cwe-829/DomainSquattingStatic/test.ps1

@@ -0,0 +1,18 @@
+# BAD: Uses outlook.us domain
+$outlookUrl = "https://mail.outlook.us/api/v1"
+
+# BAD: Uses office.us domain
+$officeUrl = "https://portal.office.us/admin"
+
+# BAD: Uses deprecated goo.gl shortener
+$shortUrl = "https://goo.gl/abc123"
+
+# BAD: Uses deprecated ajax.aspnetcdn.com
+$cdnUrl = "https://ajax.aspnetcdn.com/ajax/jQuery/jquery-3.5.1.min.js"
+
+# BAD: Uses deprecated ajax.microsoft.com
+$msAjaxUrl = "http://ajax.microsoft.com/ajax/4.0/1/MicrosoftAjax.js"
+
+# GOOD: Uses valid Microsoft domains
+$validUrl1 = "https://outlook.office365.com/api/v1"
+$validUrl2 = "https://portal.azure.com"