Merge branch 'master' into remove-initialize-this-from-value-numbering

MathiasVP · MathiasVP · commit 1a33a3b7e1a7 · 2020-06-05T15:03:54.000+02:00
diff --git a/change-notes/1.25/analysis-javascript.md b/change-notes/1.25/analysis-javascript.md
@@ -43,6 +43,7 @@
 | Client-side URL redirect (`js/client-side-unvalidated-url-redirection`) | Fewer results | This query now recognizes additional safe patterns of doing URL redirects. |
 | Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving NoSQL code operators are now recognized. |
 | Expression has no effect (`js/useless-expression`) | Fewer results | This query no longer flags an expression when that expression is the only content of the containing file. |
+| Hard-coded credentials (`js/hardcoded-credentials`) | More results | This query now recognizes hard-coded credentials sent via HTTP authorization headers. |
 | Incomplete URL scheme check (`js/incomplete-url-scheme-check`) | More results | This query now recognizes additional url scheme checks. |
 | Misspelled variable name (`js/misspelled-variable-name`) | Message changed | The message for this query now correctly identifies the misspelled variable in additional cases. |
 | Prototype pollution in utility function (`js/prototype-pollution-utility`) | More results | This query now recognizes additional utility functions as vulnerable to prototype polution. |
diff --git a/config/sync-files.py b/config/sync-files.py
@@ -59,29 +59,41 @@ def file_checksum(filename):
         return hashlib.sha1(file_handle.read()).hexdigest()
 
 def check_group(group_name, files, master_file_picker, emit_error):
-    checksums = {file_checksum(f) for f in files}
+    extant_files = [f for f in files if path.isfile(f)]
+    if len(extant_files) == 0:
+        emit_error(__file__, 0, "No files found from group '" + group_name + "'.")
+        emit_error(__file__, 0,
+                "Create one of the following files, and then run this script with "
+                "the --latest switch to sync it to the other file locations.")
+        for filename in files:
+            emit_error(__file__, 0, "    " + filename)
+        return
+
+    checksums = {file_checksum(f) for f in extant_files}
 
-    if len(checksums) == 1:
+    if len(checksums) == 1 and len(extant_files) == len(files):
+        # All files are present and identical.
         return
 
-    master_file = master_file_picker(files)
+    master_file = master_file_picker(extant_files)
     if master_file is None:
         emit_error(__file__, 0,
                 "Files from group '"+ group_name +"' not in sync.")
         emit_error(__file__, 0,
                 "Run this script with a file-name argument among the "
                 "following to overwrite the remaining files with the contents "
-                "of that file or run with the --latest switch to update each "
+                "of that file, or run with the --latest switch to update each "
                 "group of files from the most recently modified file in the group.")
-        for filename in files:
+        for filename in extant_files:
             emit_error(__file__, 0, "    " + filename)
     else:
         print("  Syncing others from", master_file)
         for filename in files:
             if filename == master_file:
                 continue
             print("    " + filename)
-            os.replace(filename, filename + '~')
+            if path.isfile(filename):
+                os.replace(filename, filename + '~')
             shutil.copy(master_file, filename)
         print("  Backups written with '~' appended to file names")
 
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll
@@ -56,6 +56,8 @@ class ValueNumber extends TValueNumber {
     or
     this instanceof TInitializeParameterValueNumber and result = "InitializeParameter"
     or
+    this instanceof TConstantValueNumber and result = "Constant"
+    or
     this instanceof TStringConstantValueNumber and result = "StringConstant"
     or
     this instanceof TFieldAddressValueNumber and result = "FieldAddress"
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll
@@ -56,6 +56,8 @@ class ValueNumber extends TValueNumber {
     or
     this instanceof TInitializeParameterValueNumber and result = "InitializeParameter"
     or
+    this instanceof TConstantValueNumber and result = "Constant"
+    or
     this instanceof TStringConstantValueNumber and result = "StringConstant"
     or
     this instanceof TFieldAddressValueNumber and result = "FieldAddress"
diff --git a/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll b/cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll
@@ -56,6 +56,8 @@ class ValueNumber extends TValueNumber {
     or
     this instanceof TInitializeParameterValueNumber and result = "InitializeParameter"
     or
+    this instanceof TConstantValueNumber and result = "Constant"
+    or
     this instanceof TStringConstantValueNumber and result = "StringConstant"
     or
     this instanceof TFieldAddressValueNumber and result = "FieldAddress"
diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/ValueNumbering.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/raw/gvn/ValueNumbering.qll
@@ -56,6 +56,8 @@ class ValueNumber extends TValueNumber {
     or
     this instanceof TInitializeParameterValueNumber and result = "InitializeParameter"
     or
+    this instanceof TConstantValueNumber and result = "Constant"
+    or
     this instanceof TStringConstantValueNumber and result = "StringConstant"
     or
     this instanceof TFieldAddressValueNumber and result = "FieldAddress"
diff --git a/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll b/csharp/ql/src/semmle/code/csharp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll
@@ -56,6 +56,8 @@ class ValueNumber extends TValueNumber {
     or
     this instanceof TInitializeParameterValueNumber and result = "InitializeParameter"
     or
+    this instanceof TConstantValueNumber and result = "Constant"
+    or
     this instanceof TStringConstantValueNumber and result = "StringConstant"
     or
     this instanceof TFieldAddressValueNumber and result = "FieldAddress"
diff --git a/java/ql/test/library-tests/typeflow/A.java b/java/ql/test/library-tests/typeflow/A.java
@@ -85,4 +85,11 @@ public void put(String k, String v) {
       empty.put(k, v);
     }
   }
+
+  public void m8(Object[] xs, int i) {
+    if (xs[i] instanceof Integer) {
+      Object n = xs[i];
+      Object r = n;
+    }
+  }
 }
diff --git a/java/ql/test/library-tests/typeflow/typeflow.expected b/java/ql/test/library-tests/typeflow/typeflow.expected
@@ -12,3 +12,4 @@
 | A.java:61:11:61:11 | x | Integer | false |
 | A.java:67:22:67:22 | x | Integer | false |
 | A.java:70:23:70:24 | x2 | Integer | false |
+| A.java:92:18:92:18 | n | Integer | false |
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -827,6 +827,26 @@ module TaintTracking {
     override predicate appliesTo(Configuration cfg) { any() }
   }
 
+  /** A check of the form `type x === "undefined"`, which sanitized `x` in its "then" branch. */
+  class TypeOfUndefinedSanitizer extends AdditionalSanitizerGuardNode, DataFlow::ValueNode {
+    Expr x;
+    override EqualityTest astNode;
+
+    TypeOfUndefinedSanitizer() {
+      exists(StringLiteral str, TypeofExpr typeof | astNode.hasOperands(str, typeof) |
+        str.getValue() = "undefined" and
+        typeof.getOperand() = x
+      )
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) {
+      outcome = astNode.getPolarity() and
+      e = x
+    }
+
+    override predicate appliesTo(Configuration cfg) { any() }
+  }
+
   /** DEPRECATED. This class has been renamed to `MembershipTestSanitizer`. */
   deprecated class StringInclusionSanitizer = MembershipTestSanitizer;
 
diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -260,25 +260,38 @@ module ClientRequest {
     }
   }
 
+  /** An expression that is used as a credential in a request. */
+  private class AuthorizationHeader extends CredentialsExpr {
+    AuthorizationHeader() {
+      exists(DataFlow::PropWrite write | write.getPropertyName().regexpMatch("(?i)authorization") |
+        this = write.getRhs().asExpr()
+      )
+      or
+      exists(DataFlow::MethodCallNode call | call.getMethodName() = ["append", "set"] |
+        call.getNumArgument() = 2 and
+        call.getArgument(0).getStringValue().regexpMatch("(?i)authorization") and
+        this = call.getArgument(1).asExpr()
+      )
+    }
+
+    override string getCredentialsKind() { result = "authorization header" }
+  }
+
   /**
    * A model of a URL request made using an implementation of the `fetch` API.
    */
   class FetchUrlRequest extends ClientRequest::Range {
     DataFlow::Node url;
 
     FetchUrlRequest() {
-      exists(string moduleName, DataFlow::SourceNode callee | this = callee.getACall() |
-        (
-          moduleName = "node-fetch" or
-          moduleName = "cross-fetch" or
-          moduleName = "isomorphic-fetch"
-        ) and
-        callee = DataFlow::moduleImport(moduleName) and
+      exists(DataFlow::SourceNode fetch |
+        fetch = DataFlow::moduleImport(["node-fetch", "cross-fetch", "isomorphic-fetch"])
+        or
+        fetch = DataFlow::globalVarRef("fetch") // https://fetch.spec.whatwg.org/#fetch-api
+      |
+        this = fetch.getACall() and
         url = getArgument(0)
       )
-      or
-      this = DataFlow::globalVarRef("fetch").getACall() and
-      url = getArgument(0)
     }
 
     override DataFlow::Node getUrl() { result = url }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/HardcodedCredentials.qll b/javascript/ql/src/semmle/javascript/security/dataflow/HardcodedCredentials.qll
@@ -20,5 +20,18 @@ module HardcodedCredentials {
     override predicate isSource(DataFlow::Node source) { source instanceof Source }
 
     override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
+      exists(Base64::Encode encode | src = encode.getInput() and trg = encode.getOutput())
+      or
+      trg.(StringOps::ConcatenationRoot).getALeaf() = src and
+      not exists(src.(StringOps::ConcatenationLeaf).getStringValue()) // to avoid e.g. the ":" in `user + ":" + pass` being flagged as a constant credential.
+      or
+      exists(DataFlow::MethodCallNode bufferFrom |
+        bufferFrom = DataFlow::globalVarRef("Buffer").getAMethodCall("from") and
+        trg = bufferFrom and
+        src = bufferFrom.getArgument(0)
+      )
+    }
   }
 }
diff --git a/javascript/ql/test/library-tests/HTML/HTMLElementAndHTMLAttribute/HTMLElement_getChild.expected b/javascript/ql/test/library-tests/HTML/HTMLElementAndHTMLAttribute/HTMLElement_getChild.expected
@@ -1,6 +1,6 @@
-| tst.html:2:1:13:7 | <html>...</> | 0 | tst.html:3:5:9:11 | <head>...</> |
-| tst.html:2:1:13:7 | <html>...</> | 1 | tst.html:10:5:12:11 | <body>...</> |
-| tst.html:3:5:9:11 | <head>...</> | 0 | tst.html:4:9:4:32 | <title>...</> |
-| tst.html:3:5:9:11 | <head>...</> | 1 | tst.html:5:9:5:43 | <script>...</> |
-| tst.html:3:5:9:11 | <head>...</> | 2 | tst.html:6:9:8:17 | <script>...</> |
-| tst.html:10:5:12:11 | <body>...</> | 0 | tst.html:11:9:11:64 | <a>...</> |
+| tst.html:2:1:13:7 | <html>...</> | 1 | tst.html:3:5:9:11 | <head>...</> |
+| tst.html:2:1:13:7 | <html>...</> | 3 | tst.html:10:5:12:11 | <body>...</> |
+| tst.html:3:5:9:11 | <head>...</> | 1 | tst.html:4:9:4:32 | <title>...</> |
+| tst.html:3:5:9:11 | <head>...</> | 3 | tst.html:5:9:5:43 | <script>...</> |
+| tst.html:3:5:9:11 | <head>...</> | 5 | tst.html:6:9:8:17 | <script>...</> |
+| tst.html:10:5:12:11 | <body>...</> | 1 | tst.html:11:9:11:64 | <a>...</> |
diff --git a/javascript/ql/test/library-tests/HTML/HTMLElementAndHTMLAttribute/options b/javascript/ql/test/library-tests/HTML/HTMLElementAndHTMLAttribute/options
@@ -0,0 +1 @@
+semmle-extractor-options: --experimental
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/SyntaxError.expected b/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/SyntaxError.expected
@@ -1,4 +1,4 @@
 | arrows.js:1:5:1:5 | Error: Argument name clash | Error: Argument name clash |
-| destructingPrivate.js:2:12:2:12 | Error: Unexpected token | Error: Unexpected token |
+| destructingPrivate.js:4:6:4:6 | Error: Unexpected token | Error: Unexpected token |
 | privateMethod.js:2:3:2:3 | Error: Only fields, not methods, can be declared private. | Error: Only fields, not methods, can be declared private. |
 | tst.js:2:12:2:12 | Error: Unterminated string constant | Error: Unterminated string constant |
diff --git a/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/options b/javascript/ql/test/query-tests/LanguageFeatures/SyntaxError/options
@@ -1 +1 @@
-semmle-extractor-options: --tolerate-parse-errors
+semmle-extractor-options: --tolerate-parse-errors --experimental
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
@@ -173,6 +173,12 @@ nodes
 | lib/lib.js:307:39:307:42 | name |
 | lib/lib.js:308:23:308:26 | name |
 | lib/lib.js:308:23:308:26 | name |
+| lib/lib.js:314:40:314:43 | name |
+| lib/lib.js:314:40:314:43 | name |
+| lib/lib.js:315:22:315:25 | name |
+| lib/lib.js:315:22:315:25 | name |
+| lib/lib.js:320:23:320:26 | name |
+| lib/lib.js:320:23:320:26 | name |
 edges
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
@@ -381,6 +387,14 @@ edges
 | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
 | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
 | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
+| lib/lib.js:314:40:314:43 | name | lib/lib.js:315:22:315:25 | name |
+| lib/lib.js:314:40:314:43 | name | lib/lib.js:315:22:315:25 | name |
+| lib/lib.js:314:40:314:43 | name | lib/lib.js:315:22:315:25 | name |
+| lib/lib.js:314:40:314:43 | name | lib/lib.js:315:22:315:25 | name |
+| lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name |
+| lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name |
+| lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name |
+| lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name |
 #select
 | lib/lib2.js:4:10:4:25 | "rm -rf " + name | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name | $@ based on libary input is later used in $@. | lib/lib2.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/lib2.js:4:2:4:26 | cp.exec ... + name) | shell command |
 | lib/lib2.js:8:10:8:25 | "rm -rf " + name | lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name | $@ based on libary input is later used in $@. | lib/lib2.js:8:10:8:25 | "rm -rf " + name | String concatenation | lib/lib2.js:8:2:8:26 | cp.exec ... + name) | shell command |
@@ -433,3 +447,5 @@ edges
 | lib/lib.js:272:10:272:32 | "rm -rf ... version | lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:32 | obj.version | $@ based on libary input is later used in $@. | lib/lib.js:272:10:272:32 | "rm -rf ... version | String concatenation | lib/lib.js:272:2:272:33 | cp.exec ... ersion) | shell command |
 | lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:30 | opts.bla | $@ based on libary input is later used in $@. | lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | String concatenation | lib/lib.js:277:3:277:31 | cp.exec ... ts.bla) | shell command |
 | lib/lib.js:308:11:308:26 | "rm -rf " + name | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:308:11:308:26 | "rm -rf " + name | String concatenation | lib/lib.js:308:3:308:27 | cp.exec ... + name) | shell command |
+| lib/lib.js:315:10:315:25 | "rm -rf " + name | lib/lib.js:314:40:314:43 | name | lib/lib.js:315:22:315:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:315:10:315:25 | "rm -rf " + name | String concatenation | lib/lib.js:315:2:315:26 | cp.exec ... + name) | shell command |
+| lib/lib.js:320:11:320:26 | "rm -rf " + name | lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:320:11:320:26 | "rm -rf " + name | String concatenation | lib/lib.js:320:3:320:27 | cp.exec ... + name) | shell command |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
@@ -309,4 +309,14 @@ module.exports.sanitizer2 = function (name) {
 
   var sanitized = sanitizeShellString(name);
   cp.exec("rm -rf " + sanitized); // OK
+}
+
+module.exports.typeofcheck = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK
+	
+	if (typeof name === "undefined") {
+		cp.exec("rm -rf " + name); // OK
+	} else {
+		cp.exec("rm -rf " + name); // NOT OK
+	}
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js

Original file line number	Diff line number	Diff line change
`@@ -85,4 +85,11 @@ public void put(String k, String v) {`
`85`	`85`	`empty.put(k, v);`
`86`	`86`	`}`
`87`	`87`	`}`
	`88`	`+`
	`89`	`+ public void m8(Object[] xs, int i) {`
	`90`	`+ if (xs[i] instanceof Integer) {`
	`91`	`+ Object n = xs[i];`
	`92`	`+ Object r = n;`
	`93`	`+ }`
	`94`	`+ }`
`88`	`95`	`}`