Merge pull request github#7633 from erik-krogh/CWE-300

JS: add js/http-dependency query

Author: erik-krogh

javascript/ql/lib/change-notes/2022-01-08-insecure-dependency-resolution.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* The `js/insecure-dependency` query has been added. It detects depedencies that are downloaded using an unencrypted connection.

javascript/ql/src/Security/CWE-300/InsecureDependencyResolution.qhelp

@@ -0,0 +1,55 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Using an insecure protocol like HTTP or FTP to download build dependencies makes the build process vulnerable to a 
+man-in-the-middle (MITM) attack.
+</p>
+<p>
+This can allow attackers to inject malicious code into the downloaded dependencies, and thereby 
+infect the build artifacts and execute arbitrary code on the machine building the artifacts.
+</p>
+
+</overview>
+<recommendation>
+
+<p>Always use a secure protocol, such as HTTPS or SFTP, when downloading artifacts from an URL.</p>
+
+</recommendation>
+
+<example>
+<p>
+The below example shows a <code>package.json</code> file that downloads a dependency using the insecure HTTP protocol.
+</p>
+<sample src="examples/bad-package.json" />
+<p>
+The fix is to change the protocol to HTTPS.
+</p>
+<sample src="examples/good-package.json" />
+
+</example>
+
+<references>
+<li>
+  Jonathan Leitschuh: 
+  <a href="https://infosecwriteups.com/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb">
+    Want to take over the Java ecosystem? All you need is a MITM!
+  </a>
+</li>
+<li>
+  Max Veytsman: 
+  <a href="https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/">
+    How to take over the computer of any Java (or Closure or Scala) Developer.
+  </a>
+</li>
+<li>
+  Wikipedia: <a href="https://en.wikipedia.org/wiki/Supply_chain_attack">Supply chain attack.</a>
+</li>
+<li>
+  Wikipedia: <a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack">Man-in-the-middle attack.</a>
+</li>
+</references>
+</qhelp>

javascript/ql/src/Security/CWE-300/InsecureDependencyResolution.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Dependency download using unencrypted communication channel
+ * @description Using unencrypted protocols to fetch dependencies can leave an application
+ *              open to man-in-the-middle attacks.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 8.1
+ * @precision high
+ * @id js/insecure-dependency
+ * @tags security
+ *       external/cwe/cwe-300
+ *       external/cwe/cwe-319
+ *       external/cwe/cwe-494
+ *       external/cwe/cwe-829
+ */
+
+import javascript
+
+from PackageJSON pack, JSONString val
+where
+  [pack.getDependencies(), pack.getDevDependencies()].getPropValue(_) = val and
+  val.getValue().regexpMatch("(http|ftp)://.*")
+select val, "Dependency downloaded using unencrypted communication channel."

javascript/ql/src/Security/CWE-300/examples/bad-package.json

@@ -0,0 +1,7 @@
+{
+  "name": "example-project",
+  "dependencies": {
+    "unencrypted": "http://example.org/foo/tarball/release/0.0.1",
+    "lodash": "^4.0.0"
+  }
+}

javascript/ql/src/Security/CWE-300/examples/good-package.json

@@ -0,0 +1,7 @@
+{
+  "name": "example-project",
+  "dependencies": {
+    "unencrypted": "https://example.org/foo/tarball/release/0.0.1",
+    "lodash": "^4.0.0"
+  }
+}

javascript/ql/test/query-tests/Security/CWE-300/InsecureDependencyResolution.expected

@@ -0,0 +1,4 @@
+| package.json:6:17:6:40 | "http:/ ... rg/foo" | Dependency downloaded using unencrypted communication channel. |
+| package.json:7:17:7:39 | "ftp:// ... rg/foo" | Dependency downloaded using unencrypted communication channel. |
+| package.json:12:17:12:40 | "http:/ ... rg/foo" | Dependency downloaded using unencrypted communication channel. |
+| package.json:13:17:13:39 | "ftp:// ... rg/foo" | Dependency downloaded using unencrypted communication channel. |

javascript/ql/test/query-tests/Security/CWE-300/InsecureDependencyResolution.qlref

@@ -0,0 +1 @@
+Security/CWE-300/InsecureDependencyResolution.ql

javascript/ql/test/query-tests/Security/CWE-300/foo.js

@@ -0,0 +1 @@
+console.log("foo");

javascript/ql/test/query-tests/Security/CWE-300/package.json

@@ -0,0 +1,15 @@
+{
+    "name": "insecure-dep-downloader",
+    "dependencies": {
+        "foo": "*",
+        "good1": "https://example.org/foo",
+        "bad1": "http://example.org/foo",
+        "bad2": "ftp://example.org/foo"
+    },
+    "devDependencies": {
+        "bar": "*",
+        "good2": "https://example.org/foo",
+        "bad3": "http://example.org/foo",
+        "bad4": "ftp://example.org/foo"
+    }
+}