add js/http-dependency query

Author: erik-krogh

javascript/ql/lib/change-notes/2022-01-08-insecure-dependency-resolution.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* The `js/http-dependency` query has been added. It detects depedencies that are downloaded using an unencrypted connection.

javascript/ql/src/Security/CWE-300/InsecureDependencyResolution.qhelp

@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Using an insecure protocol like HTTP or FTP to download your dependencies leaves your npm build vulnerable to a
+<a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack">Man in the Middle (MITM)</a>.
+This can allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts
+that are being produced. This can be used by attackers to perform a
+<a href="https://en.wikipedia.org/wiki/Supply_chain_attack">Supply chain attack</a>
+against your project's users.
+</p>
+
+</overview>
+<recommendation>
+
+<p>Always use HTTPS or SFTP to download artifacts from artifact servers.</p>
+
+</recommendation>
+
+<references>
+<li>
+  Research:
+  <a href="https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&amp;sk=3c99970c55a899ad9ef41f126efcde0e">
+    Want to take over the Java ecosystem? All you need is a MITM!
+  </a>
+</li>
+<li>
+  Research:
+  <a href="https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/">
+    How to take over the computer of any Java (or Closure or Scala) Developer.
+  </a>
+</li>
+</references>
+</qhelp>

javascript/ql/src/Security/CWE-300/InsecureDependencyResolution.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Dependency download using unencrypted communication channel
+ * @description Using unencrypted HTTP URLs to fetch dependencies can leave an application
+ *              open to man in the middle attacks.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 8.1
+ * @precision high
+ * @id js/http-dependency
+ * @tags security
+ *       external/cwe/cwe-300
+ *       external/cwe/cwe-319
+ *       external/cwe/cwe-494
+ *       external/cwe/cwe-829
+ */
+
+import javascript
+
+from PackageJSON pack, JSONString val
+where
+  [pack.getDependencies(), pack.getDevDependencies()].getPropValue(_) = val and
+  val.getValue().regexpMatch("(http|ftp)://.*")
+select val, "Dependency downloaded using unencrypted communication channel."

javascript/ql/test/query-tests/Security/CWE-300/InsecureDependencyResolution.expected

@@ -0,0 +1,4 @@
+| package.json:6:17:6:40 | "http:/ ... rg/foo" | Dependency downloaded using unencrypted communication channel. |
+| package.json:7:17:7:39 | "ftp:// ... rg/foo" | Dependency downloaded using unencrypted communication channel. |
+| package.json:12:17:12:40 | "http:/ ... rg/foo" | Dependency downloaded using unencrypted communication channel. |
+| package.json:13:17:13:39 | "ftp:// ... rg/foo" | Dependency downloaded using unencrypted communication channel. |

javascript/ql/test/query-tests/Security/CWE-300/InsecureDependencyResolution.qlref

@@ -0,0 +1 @@
+Security/CWE-300/InsecureDependencyResolution.ql

javascript/ql/test/query-tests/Security/CWE-300/foo.js

@@ -0,0 +1 @@
+console.log("foo");

javascript/ql/test/query-tests/Security/CWE-300/package.json

@@ -0,0 +1,15 @@
+{
+    "name": "insecure-dep-downloader",
+    "dependencies": {
+        "foo": "*",
+        "good1": "https://example.org/foo",
+        "bad1": "http://example.org/foo",
+        "bad2": "ftp://example.org/foo"
+    },
+    "devDependencies": {
+        "bar": "*",
+        "good2": "https://example.org/foo",
+        "bad3": "http://example.org/foo",
+        "bad4": "ftp://example.org/foo"
+    }
+}