Merge pull request github#7828 from Naman-ntc/main

JS: Adding model for `.get` function of `Map` in Unvalidated Dynamic Method Call

Author: erik-krogh

javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll

@@ -58,5 +58,12 @@ class Configuration extends TaintTracking::Configuration {
       // avoid overlapping results with unsafe dynamic method access query
       not PropertyInjection::hasUnsafeMethods(read.getBase().getALocalSource())
     )
+    or
+    exists(DataFlow::SourceNode base, DataFlow::CallNode get | get = base.getAMethodCall("get") |
+      src = get.getArgument(0) and
+      dst = get
+    ) and
+    srclabel.isTaint() and
+    dstlabel instanceof MaybeNonFunction
   }
 }

javascript/ql/src/Security/CWE-754/examples/UnvalidatedDynamicMethodCallGood.js

@@ -11,7 +11,9 @@ actions.put("pause", function pause(data) {
 
 app.get('/perform/:action/:payload', function(req, res) {
   if (actions.has(req.params.action)) {
-    let action = actions.get(req.params.action);
+    if (typeof actions.get(req.params.action) === 'function'){
+      let action = actions.get(req.params.action);
+    }
     // GOOD: `action` is either the `play` or the `pause` function from above
     res.end(action(req.params.payload));
   } else {

javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall.expected

@@ -10,6 +10,12 @@ nodes
 | UnsafeDynamicMethodAccess.js:15:5:15:21 | obj[message.name] |
 | UnsafeDynamicMethodAccess.js:15:9:15:15 | message |
 | UnsafeDynamicMethodAccess.js:15:9:15:20 | message.name |
+| UnvalidatedDynamicMethodCall2.js:13:9:13:47 | action |
+| UnvalidatedDynamicMethodCall2.js:13:18:13:47 | actions ... action) |
+| UnvalidatedDynamicMethodCall2.js:13:30:13:46 | req.params.action |
+| UnvalidatedDynamicMethodCall2.js:13:30:13:46 | req.params.action |
+| UnvalidatedDynamicMethodCall2.js:14:13:14:18 | action |
+| UnvalidatedDynamicMethodCall2.js:14:13:14:18 | action |
 | UnvalidatedDynamicMethodCall.js:14:7:14:41 | action |
 | UnvalidatedDynamicMethodCall.js:14:7:14:41 | action |
 | UnvalidatedDynamicMethodCall.js:14:16:14:41 | actions ... action] |
@@ -19,6 +25,12 @@ nodes
 | UnvalidatedDynamicMethodCall.js:15:11:15:16 | action |
 | UnvalidatedDynamicMethodCall.js:15:11:15:16 | action |
 | UnvalidatedDynamicMethodCall.js:15:11:15:16 | action |
+| UnvalidatedDynamicMethodCallGood4.js:14:13:14:51 | action |
+| UnvalidatedDynamicMethodCallGood4.js:14:22:14:51 | actions ... action) |
+| UnvalidatedDynamicMethodCallGood4.js:14:34:14:50 | req.params.action |
+| UnvalidatedDynamicMethodCallGood4.js:14:34:14:50 | req.params.action |
+| UnvalidatedDynamicMethodCallGood4.js:15:17:15:22 | action |
+| UnvalidatedDynamicMethodCallGood4.js:15:17:15:22 | action |
 | tst.js:6:39:6:40 | ev |
 | tst.js:6:39:6:40 | ev |
 | tst.js:7:9:7:39 | name |
@@ -91,6 +103,11 @@ edges
 | UnsafeDynamicMethodAccess.js:15:9:15:20 | message.name | UnsafeDynamicMethodAccess.js:15:5:15:21 | obj[message.name] |
 | UnsafeDynamicMethodAccess.js:15:9:15:20 | message.name | UnsafeDynamicMethodAccess.js:15:5:15:21 | obj[message.name] |
 | UnsafeDynamicMethodAccess.js:15:9:15:20 | message.name | UnsafeDynamicMethodAccess.js:15:5:15:21 | obj[message.name] |
+| UnvalidatedDynamicMethodCall2.js:13:9:13:47 | action | UnvalidatedDynamicMethodCall2.js:14:13:14:18 | action |
+| UnvalidatedDynamicMethodCall2.js:13:9:13:47 | action | UnvalidatedDynamicMethodCall2.js:14:13:14:18 | action |
+| UnvalidatedDynamicMethodCall2.js:13:18:13:47 | actions ... action) | UnvalidatedDynamicMethodCall2.js:13:9:13:47 | action |
+| UnvalidatedDynamicMethodCall2.js:13:30:13:46 | req.params.action | UnvalidatedDynamicMethodCall2.js:13:18:13:47 | actions ... action) |
+| UnvalidatedDynamicMethodCall2.js:13:30:13:46 | req.params.action | UnvalidatedDynamicMethodCall2.js:13:18:13:47 | actions ... action) |
 | UnvalidatedDynamicMethodCall.js:14:7:14:41 | action | UnvalidatedDynamicMethodCall.js:15:11:15:16 | action |
 | UnvalidatedDynamicMethodCall.js:14:7:14:41 | action | UnvalidatedDynamicMethodCall.js:15:11:15:16 | action |
 | UnvalidatedDynamicMethodCall.js:14:7:14:41 | action | UnvalidatedDynamicMethodCall.js:15:11:15:16 | action |
@@ -101,6 +118,11 @@ edges
 | UnvalidatedDynamicMethodCall.js:14:24:14:40 | req.params.action | UnvalidatedDynamicMethodCall.js:14:16:14:41 | actions ... action] |
 | UnvalidatedDynamicMethodCall.js:14:24:14:40 | req.params.action | UnvalidatedDynamicMethodCall.js:14:16:14:41 | actions ... action] |
 | UnvalidatedDynamicMethodCall.js:14:24:14:40 | req.params.action | UnvalidatedDynamicMethodCall.js:14:16:14:41 | actions ... action] |
+| UnvalidatedDynamicMethodCallGood4.js:14:13:14:51 | action | UnvalidatedDynamicMethodCallGood4.js:15:17:15:22 | action |
+| UnvalidatedDynamicMethodCallGood4.js:14:13:14:51 | action | UnvalidatedDynamicMethodCallGood4.js:15:17:15:22 | action |
+| UnvalidatedDynamicMethodCallGood4.js:14:22:14:51 | actions ... action) | UnvalidatedDynamicMethodCallGood4.js:14:13:14:51 | action |
+| UnvalidatedDynamicMethodCallGood4.js:14:34:14:50 | req.params.action | UnvalidatedDynamicMethodCallGood4.js:14:22:14:51 | actions ... action) |
+| UnvalidatedDynamicMethodCallGood4.js:14:34:14:50 | req.params.action | UnvalidatedDynamicMethodCallGood4.js:14:22:14:51 | actions ... action) |
 | tst.js:6:39:6:40 | ev | tst.js:7:27:7:28 | ev |
 | tst.js:6:39:6:40 | ev | tst.js:7:27:7:28 | ev |
 | tst.js:6:39:6:40 | ev | tst.js:9:9:9:10 | ev |
@@ -164,7 +186,9 @@ edges
 | tst.js:49:19:49:22 | name | tst.js:49:14:49:23 | obj2[name] |
 #select
 | UnsafeDynamicMethodAccess.js:15:5:15:21 | obj[message.name] | UnsafeDynamicMethodAccess.js:5:37:5:38 | ev | UnsafeDynamicMethodAccess.js:15:5:15:21 | obj[message.name] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | UnsafeDynamicMethodAccess.js:5:37:5:38 | ev | user-controlled |
+| UnvalidatedDynamicMethodCall2.js:14:13:14:18 | action | UnvalidatedDynamicMethodCall2.js:13:30:13:46 | req.params.action | UnvalidatedDynamicMethodCall2.js:14:13:14:18 | action | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | UnvalidatedDynamicMethodCall2.js:13:30:13:46 | req.params.action | user-controlled |
 | UnvalidatedDynamicMethodCall.js:15:11:15:16 | action | UnvalidatedDynamicMethodCall.js:14:24:14:40 | req.params.action | UnvalidatedDynamicMethodCall.js:15:11:15:16 | action | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | UnvalidatedDynamicMethodCall.js:14:24:14:40 | req.params.action | user-controlled |
+| UnvalidatedDynamicMethodCallGood4.js:15:17:15:22 | action | UnvalidatedDynamicMethodCallGood4.js:14:34:14:50 | req.params.action | UnvalidatedDynamicMethodCallGood4.js:15:17:15:22 | action | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | UnvalidatedDynamicMethodCallGood4.js:14:34:14:50 | req.params.action | user-controlled |
 | tst.js:9:5:9:16 | obj[ev.data] | tst.js:6:39:6:40 | ev | tst.js:9:5:9:16 | obj[ev.data] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled |
 | tst.js:11:5:11:13 | obj[name] | tst.js:6:39:6:40 | ev | tst.js:11:5:11:13 | obj[name] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled |
 | tst.js:18:5:18:6 | fn | tst.js:6:39:6:40 | ev | tst.js:18:5:18:6 | fn | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled |

javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall2.js

@@ -0,0 +1,15 @@
+var express = require('express');
+var app = express();
+
+var actions = new Map();
+actions.put("play", function play(data) {
+    // ...
+});
+actions.put("pause", function pause(data) {
+    // ...
+});
+
+app.get('/perform/:action/:payload', function(req, res) {
+    let action = actions.get(req.params.action);
+    res.end(action(req.params.payload)); // NOT OK 
+});

javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall3.js

@@ -0,0 +1,17 @@
+var express = require('express');
+var app = express();
+
+var actions = new Map();
+actions.put("play", function play(data) {
+    // ...
+});
+actions.put("pause", function pause(data) {
+    // ...
+});
+
+app.get('/perform/:action/:payload', function(req, res) {
+    if (actions.has(req.params.action)) {
+        let action = actions.get(req.params.action);
+        res.end(action(req.params.payload)); // NOT OK, but not flagged [INCONSISTENCY]
+    }
+});

javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCallGood.js

@@ -2,17 +2,20 @@ var express = require('express');
 var app = express();
 
 var actions = new Map();
-actions.put("play", function (data) {
+actions.put("play", function play(data) {
   // ...
 });
-actions.put("pause", function(data) {
+actions.put("pause", function pause(data) {
   // ...
 });
 
-app.get('/perform/:action/:payload', function(req, res) {
+app.get('/perform/:action/:payload', function (req, res) {
   if (actions.has(req.params.action)) {
-    let action = actions.get(req.params.action);
-    res.end(action(req.params.payload));
+    if (typeof actions.get(req.params.action) === 'function') {
+      let action = actions.get(req.params.action);
+      // GOOD: `action` is either the `play` or the `pause` function from above
+      res.end(action(req.params.payload));
+    }
   } else {
     res.end("Unsupported action.");
   }

javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCallGood3.js

@@ -0,0 +1,19 @@
+var express = require('express');
+var app = express();
+
+var actions = new Map();
+actions.put("play", function play(data) {
+    // ...
+});
+actions.put("pause", function pause(data) {
+    // ...
+});
+
+app.get('/perform/:action/:payload', function(req, res) {
+    let action = actions.get(req.params.action);
+    if (typeof action === 'function') {
+        res.end(action(req.params.payload)); // GOOD: `action` is either the `play` or the `pause` function from above
+    } else {
+        res.end("Unsupported action.");
+    }
+});

javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCallGood4.js

@@ -0,0 +1,19 @@
+var express = require('express');
+var app = express();
+
+var actions = new Map();
+actions.put("play", function play(data) {
+    // ...
+});
+actions.put("pause", function pause(data) {
+    // ...
+});
+
+app.get('/perform/:action/:payload', function(req, res) {
+    if (typeof actions.get(req.params.action) === 'function') {
+        let action = actions.get(req.params.action);
+        res.end(action(req.params.payload));  // OK but flagged [INCONSISTENCY]. `action` is either the `play` or the `pause` function from above
+    } else {
+        res.end("Unsupported action.");
+    }
+});