Merge pull request github#9288 from asgerf/js/resource-exhaustion-no-buffer.from

JS: Remove Buffer.from sink from js/resource-exhaustion

Author: asgerf

javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll

@@ -78,14 +78,8 @@ module ResourceExhaustion {
       exists(DataFlow::SourceNode clazz, DataFlow::InvokeNode invk, int index |
         clazz = DataFlow::globalVarRef("Buffer") and this = invk.getArgument(index)
       |
-        exists(string name |
-          invk = clazz.getAMemberCall(name) and
-          (
-            name = "from" and index = 2 // the length argument
-            or
-            name = ["alloc", "allocUnsafe", "allocUnsafeSlow"] and index = 0 // the buffer size
-          )
-        )
+        invk = clazz.getAMemberCall(["alloc", "allocUnsafe", "allocUnsafeSlow"]) and
+        index = 0 // the buffer size
         or
         invk = clazz.getAnInvocation() and
         (

javascript/ql/src/change-notes/2022-05-24-resource-exhaustion-no-buffer.from.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* The `js/resource-exhaustion` query no longer treats the 3-argument version of `Buffer.from` as a sink,
+  since it does not allocate a new buffer.

javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/ResourceExhaustion.expected

@@ -17,12 +17,6 @@ nodes
 | resource-exhaustion.js:6:7:6:21 | n |
 | resource-exhaustion.js:6:11:6:21 | parseInt(s) |
 | resource-exhaustion.js:6:20:6:20 | s |
-| resource-exhaustion.js:11:21:11:21 | s |
-| resource-exhaustion.js:11:21:11:21 | s |
-| resource-exhaustion.js:12:21:12:21 | n |
-| resource-exhaustion.js:12:21:12:21 | n |
-| resource-exhaustion.js:13:21:13:21 | n |
-| resource-exhaustion.js:13:21:13:21 | n |
 | resource-exhaustion.js:14:16:14:16 | n |
 | resource-exhaustion.js:14:16:14:16 | n |
 | resource-exhaustion.js:15:22:15:22 | n |
@@ -71,8 +65,6 @@ edges
 | documentaion-examples/ResourceExhaustion_timeout.js:5:33:5:39 | req.url | documentaion-examples/ResourceExhaustion_timeout.js:5:23:5:46 | url.par ... , true) |
 | documentaion-examples/ResourceExhaustion_timeout.js:5:33:5:39 | req.url | documentaion-examples/ResourceExhaustion_timeout.js:5:23:5:46 | url.par ... , true) |
 | resource-exhaustion.js:5:7:5:42 | s | resource-exhaustion.js:6:20:6:20 | s |
-| resource-exhaustion.js:5:7:5:42 | s | resource-exhaustion.js:11:21:11:21 | s |
-| resource-exhaustion.js:5:7:5:42 | s | resource-exhaustion.js:11:21:11:21 | s |
 | resource-exhaustion.js:5:7:5:42 | s | resource-exhaustion.js:35:12:35:12 | s |
 | resource-exhaustion.js:5:7:5:42 | s | resource-exhaustion.js:35:12:35:12 | s |
 | resource-exhaustion.js:5:7:5:42 | s | resource-exhaustion.js:82:17:82:17 | s |
@@ -84,10 +76,6 @@ edges
 | resource-exhaustion.js:5:11:5:42 | url.par ... query.s | resource-exhaustion.js:5:7:5:42 | s |
 | resource-exhaustion.js:5:21:5:27 | req.url | resource-exhaustion.js:5:11:5:34 | url.par ... , true) |
 | resource-exhaustion.js:5:21:5:27 | req.url | resource-exhaustion.js:5:11:5:34 | url.par ... , true) |
-| resource-exhaustion.js:6:7:6:21 | n | resource-exhaustion.js:12:21:12:21 | n |
-| resource-exhaustion.js:6:7:6:21 | n | resource-exhaustion.js:12:21:12:21 | n |
-| resource-exhaustion.js:6:7:6:21 | n | resource-exhaustion.js:13:21:13:21 | n |
-| resource-exhaustion.js:6:7:6:21 | n | resource-exhaustion.js:13:21:13:21 | n |
 | resource-exhaustion.js:6:7:6:21 | n | resource-exhaustion.js:14:16:14:16 | n |
 | resource-exhaustion.js:6:7:6:21 | n | resource-exhaustion.js:14:16:14:16 | n |
 | resource-exhaustion.js:6:7:6:21 | n | resource-exhaustion.js:15:22:15:22 | n |
@@ -124,9 +112,6 @@ edges
 | resource-exhaustion.js:6:20:6:20 | s | resource-exhaustion.js:6:11:6:21 | parseInt(s) |
 #select
 | documentaion-examples/ResourceExhaustion_timeout.js:7:16:7:20 | delay | documentaion-examples/ResourceExhaustion_timeout.js:5:33:5:39 | req.url | documentaion-examples/ResourceExhaustion_timeout.js:7:16:7:20 | delay | This creates a timer with a user-controlled duration from $@. | documentaion-examples/ResourceExhaustion_timeout.js:5:33:5:39 | req.url | here |
-| resource-exhaustion.js:11:21:11:21 | s | resource-exhaustion.js:5:21:5:27 | req.url | resource-exhaustion.js:11:21:11:21 | s | This creates a buffer with a user-controlled size from $@. | resource-exhaustion.js:5:21:5:27 | req.url | here |
-| resource-exhaustion.js:12:21:12:21 | n | resource-exhaustion.js:5:21:5:27 | req.url | resource-exhaustion.js:12:21:12:21 | n | This creates a buffer with a user-controlled size from $@. | resource-exhaustion.js:5:21:5:27 | req.url | here |
-| resource-exhaustion.js:13:21:13:21 | n | resource-exhaustion.js:5:21:5:27 | req.url | resource-exhaustion.js:13:21:13:21 | n | This creates a buffer with a user-controlled size from $@. | resource-exhaustion.js:5:21:5:27 | req.url | here |
 | resource-exhaustion.js:14:16:14:16 | n | resource-exhaustion.js:5:21:5:27 | req.url | resource-exhaustion.js:14:16:14:16 | n | This creates a buffer with a user-controlled size from $@. | resource-exhaustion.js:5:21:5:27 | req.url | here |
 | resource-exhaustion.js:15:22:15:22 | n | resource-exhaustion.js:5:21:5:27 | req.url | resource-exhaustion.js:15:22:15:22 | n | This creates a buffer with a user-controlled size from $@. | resource-exhaustion.js:5:21:5:27 | req.url | here |
 | resource-exhaustion.js:16:26:16:26 | n | resource-exhaustion.js:5:21:5:27 | req.url | resource-exhaustion.js:16:26:16:26 | n | This creates a buffer with a user-controlled size from $@. | resource-exhaustion.js:5:21:5:27 | req.url | here |

javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/resource-exhaustion.js

@@ -8,9 +8,9 @@ var server = http.createServer(function(req, res) {
   Buffer.from(s); // OK
   Buffer.from(n); // OK
   Buffer.from(x, n); // OK
-  Buffer.from(x, y, s); // NOT OK
-  Buffer.from(x, y, n); // NOT OK
-  Buffer.from(x, y, n); // NOT OK
+  Buffer.from(x, y, s); // OK - does not allocate memory
+  Buffer.from(x, y, n); // OK - does not allocate memory
+  Buffer.from(x, y, n); // OK - does not allocate memory
   Buffer.alloc(n); // NOT OK
   Buffer.allocUnsafe(n); // NOT OK
   Buffer.allocUnsafeSlow(n); // NOT OK