Merge pull request #14 from GitHubSecurityLab/javascript_packs

Add Javascript packs

Author: Alvaro Muñoz

.github/workflows/build.yml

@@ -12,7 +12,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'cpp', 'csharp', 'go', 'java', 'python', 'ruby' ]
+        language: [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
 
     steps:
       - uses: actions/checkout@v3

.github/workflows/publish.yml

@@ -17,7 +17,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ["cpp", "csharp", "go", "java", "python", "ruby"] 
+        language: ["cpp", "csharp", "go", "java", "javascript", "python", "ruby"] 
 
     steps:
       - uses: actions/checkout@v3
@@ -54,7 +54,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ["cpp", "csharp", "go", "java", "python", "ruby"] 
+        language: ["cpp", "csharp", "go", "java", "javascript", "python", "ruby"] 
 
     steps:
       - uses: actions/checkout@v3

codeql-workspace.yml

@@ -3,6 +3,7 @@ provide:
 - csharp/**/qlpack.yml
 - go/**/qlpack.yml
 - java/**/qlpack.yml
+- javascript/**/qlpack.yml
 - python/**/qlpack.yml
 - ruby/**/qlpack.yml
 

javascript/lib/ResearchMode.qll

@@ -0,0 +1,7 @@
+//import semmle.javascript.heuristics.all
+import semmle.javascript.heuristics.AdditionalFrameworks
+import semmle.javascript.heuristics.AdditionalPromises
+import semmle.javascript.heuristics.AdditionalRouteHandlers
+import semmle.javascript.heuristics.AdditionalSources
+//import semmle.javascript.heuristics.AdditionalSinks
+import semmle.javascript.heuristics.AdditionalTaintSteps

javascript/lib/applications/.gitkeep

@@ -0,0 +1,16 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/javascript-all:
+    version: 0.7.4
+  codeql/mad:
+    version: 0.1.4
+  codeql/regex:
+    version: 0.1.4
+  codeql/tutorial:
+    version: 0.1.4
+  codeql/util:
+    version: 0.1.4
+  codeql/yaml:
+    version: 0.1.4
+compiled: false

javascript/lib/codeql-pack.lock.yml

@@ -0,0 +1,7 @@
+import semmle.javascript.dataflow.DataFlow
+
+class CommandLineArgument extends DataFlow::Node {
+    CommandLineArgument() {
+        this = DataFlow::globalVarRef("process").getAPropertyRead("argv").getAPropertyReference()
+    }
+}

javascript/lib/frameworks/.gitkeep

@@ -0,0 +1,113 @@
+import semmle.javascript.dataflow.TaintTracking
+
+import github.CommandLine
+
+class RandomTaintsSourceConfiguration extends TaintTracking::Configuration {
+    RandomTaintsSourceConfiguration() { this = "RandomTaintsSourceConfiguration" }
+
+    override predicate isSource(DataFlow::Node source) {
+        isSecureRandom(source)
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+        not isSecureRandom(sink)
+    }
+}
+
+class InsecureIVConfiguration extends TaintTracking::Configuration {
+    InsecureIVConfiguration() { this = "InsecureIVConfiguration" }
+
+    override predicate isSource(DataFlow::Node source) {
+        exists(Literal literal|literal.flow() = source)
+        or
+        source instanceof DataFlow::ArrayLiteralNode
+        or
+        source instanceof RemoteFlowSource
+        or
+        source instanceof FileSystemReadAccess
+        or
+        source instanceof DatabaseAccess
+        or
+        source instanceof CommandLineArgument
+        or
+        // an external function that is not a known source of randomness
+        (
+            source instanceof ExternalCallWithOutput
+            and not source instanceof CreateIVArgument
+            and not source instanceof SecureRandomSource
+        )
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+        sink instanceof CreateIVArgument
+    }
+}
+
+class ExternalCallWithOutput extends DataFlow::Node {
+    CallExpr call;
+
+    ExternalCallWithOutput() {
+        not exists(MethodCallExpr method_call, ThisExpr this_expr| method_call = call and method_call.getReceiver() = this_expr )
+        and
+        this = call.flow()
+    }
+}
+
+class SecureRandomSource extends DataFlow::Node {
+    SecureRandomSource() {
+        isSecureRandom(this)
+    }
+}
+
+predicate isSecureRandom(DataFlow::Node node) {
+    exists(string name|
+        name in ["randomBytes", "getRandomValues"] and
+        DataFlow::moduleMember("crypto", name).getACall() = node
+    )
+    or
+    exists(string name|
+        name in ["randomFill", "randomFillSync"] and
+        DataFlow::moduleMember("crypto", name).getACall().getArgument(0) = node
+    )
+    or
+    exists(string name|
+        name in ["randomKey", "randomString"] and
+        DataFlow::moduleMember("crypto-extra", name).getACall() = node
+    )
+    or
+    exists(string name|
+        name in ["cryptoRandomString", "cryptoRandomStringAsync"] and
+        DataFlow::moduleMember("crypto-random-string", name).getACall() = node
+    )
+    or
+    exists(string name|
+        name in ["secureRandom", "randomArray", "randomUint8Array", "randomBuffer"] and
+        DataFlow::moduleMember("secure-random", name).getACall() = node
+    )
+}
+
+class CreateIVArgument extends DataFlow::Node {
+    CreateIVArgument() {
+        isCreateIV(this)
+    }
+}
+
+predicate isCreateIV(DataFlow::Node node) {
+    exists(string name|
+        name = "createCipheriv" and
+        DataFlow::moduleMember("crypto", name).getACall().getArgument(2) = node
+    )
+}
+
+predicate knownCryptTest(DataFlow::Node sink) {
+    sink.getFile().getRelativePath().matches(
+        [
+            "%/des.js/test/%",
+            "test/common/tls.js",
+            "test/%/test-crypto-%.js",
+            "%/browserify-aes/populateFixtures.js",
+            "%/evp_bytestokey%/test.js",
+            "%/sshpk/lib/formats/ssh-private.js"
+        ]
+    )
+}

javascript/lib/github/CommandLine.qll

@@ -0,0 +1,5 @@
+library: true 
+name: githubsecuritylab/codeql-javascript-libs
+version: 0.0.1
+dependencies:
+  codeql/javascript-all: '*'