modified query and added tests

Naman-ntc · Naman-ntc · commit aea7054938b6 · 2022-02-02T19:39:08.000+05:30
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll
@@ -58,5 +58,12 @@ class Configuration extends TaintTracking::Configuration {
       // avoid overlapping results with unsafe dynamic method access query
       not PropertyInjection::hasUnsafeMethods(read.getBase().getALocalSource())
     )
+    or
+    exists(DataFlow::SourceNode base, DataFlow::CallNode get | get = base.getAMethodCall("get") |
+      src = get.getArgument(0) and
+      dst = get
+    ) and
+    srclabel.isTaint() and
+    dstlabel instanceof MaybeNonFunction
   }
 }
diff --git a/javascript/ql/src/Security/CWE-754/examples/UnvalidatedDynamicMethodCallGood.js b/javascript/ql/src/Security/CWE-754/examples/UnvalidatedDynamicMethodCallGood.js
@@ -11,7 +11,9 @@ actions.put("pause", function pause(data) {
 
 app.get('/perform/:action/:payload', function(req, res) {
   if (actions.has(req.params.action)) {
-    let action = actions.get(req.params.action);
+    if (typeof actions.get(req.params.action) === 'function'){
+      let action = actions.get(req.params.action);
+    }
     // GOOD: `action` is either the `play` or the `pause` function from above
     res.end(action(req.params.payload));
   } else {
diff --git a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall2.js b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall2.js
@@ -0,0 +1,15 @@
+var express = require('express');
+var app = express();
+
+var actions = new Map();
+actions.put("play", function play(data) {
+  // ...
+});
+actions.put("pause", function pause(data) {
+  // ...
+});
+
+app.get('/perform/:action/:payload', function(req, res) {
+  let action = actions.get(req.params.action);
+  res.end(action.get(req.params.payload)); // NOT OK 
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall3.js b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall3.js
@@ -0,0 +1,17 @@
+var express = require('express');
+var app = express();
+
+var actions = new Map();
+actions.put("play", function play(data) {
+  // ...
+});
+actions.put("pause", function pause(data) {
+  // ...
+});
+
+app.get('/perform/:action/:payload', function(req, res) {
+  if (actions.has(req.params.action)){
+    let action = actions.get(req.params.action);
+    res.end(action.get(req.params.payload)); // NOT OK, but not flagged [INCONSISTENCY]
+  }
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCallGood.js b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCallGood.js
@@ -2,17 +2,20 @@ var express = require('express');
 var app = express();
 
 var actions = new Map();
-actions.put("play", function (data) {
+actions.put("play", function play(data) {
   // ...
 });
-actions.put("pause", function(data) {
+actions.put("pause", function pause(data) {
   // ...
 });
 
-app.get('/perform/:action/:payload', function(req, res) {
+app.get('/perform/:action/:payload', function (req, res) {
   if (actions.has(req.params.action)) {
-    let action = actions.get(req.params.action);
-    res.end(action(req.params.payload));
+    if (typeof actions.get(req.params.action) === 'function') {
+      let action = actions.get(req.params.action);
+      // GOOD: `action` is either the `play` or the `pause` function from above
+      res.end(action(req.params.payload));
+    }
   } else {
     res.end("Unsupported action.");
   }
diff --git a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCallGood3.js b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCallGood3.js
@@ -0,0 +1,20 @@
+var express = require('express');
+var app = express();
+
+var actions = new Map();
+actions.put("play", function play(data) {
+    // ...
+});
+actions.put("pause", function pause(data) {
+    // ...
+});
+
+app.get('/perform/:action/:payload', function (req, res) {
+    if (typeof actions.get(req.params.action) === 'function') {
+        let action = actions.get(req.params.action);
+        // GOOD: `action` is either the `play` or the `pause` function from above
+        res.end(action(req.params.payload));
+    } else {
+        res.end("Unsupported action.");
+    }
+});

Original file line number	Diff line number	Diff line change
`@@ -58,5 +58,12 @@ class Configuration extends TaintTracking::Configuration {`
`58`	`58`	`// avoid overlapping results with unsafe dynamic method access query`
`59`	`59`	`not PropertyInjection::hasUnsafeMethods(read.getBase().getALocalSource())`
`60`	`60`	`)`
	`61`	`+ or`
	`62`	`+ exists(DataFlow::SourceNode base, DataFlow::CallNode get \| get = base.getAMethodCall("get") \|`
	`63`	`+ src = get.getArgument(0) and`
	`64`	`+ dst = get`
	`65`	`+ ) and`
	`66`	`+ srclabel.isTaint() and`
	`67`	`+ dstlabel instanceof MaybeNonFunction`
`61`	`68`	`}`
`62`	`69`	`}`