updates for FormParsers and ReadableStream modules, add separate module for Readable Streams, BusBoy RemoteFlowSources is covering more sources now!, modularize

Author: am0o0

javascript/ql/lib/semmle/javascript/frameworks/FormParsers.qll

@@ -3,61 +3,141 @@
  */
 
 import javascript
+import semmle.javascript.frameworks.ReadableStream
 
 /**
- * A source of remote flow from the `Busboy` library.
+ * A module for modeling [busboy](https://www.npmjs.com/package/busboy) package
  */
-private class BusBoyRemoteFlow extends RemoteFlowSource {
-  BusBoyRemoteFlow() {
-    this =
-      API::moduleImport("busboy")
-          .getInstance()
-          .getMember("on")
-          .getParameter(1)
-          .getAParameter()
-          .asSource()
+module BusBoy {
+  /**
+   * A source of remote flow from the `Busboy` library.
+   */
+  private class BusBoyRemoteFlow extends RemoteFlowSource {
+    BusBoyRemoteFlow() {
+      exists(API::Node busboyOnEvent |
+        busboyOnEvent = API::moduleImport("busboy").getReturn().getMember("on")
+      |
+        // Files
+        busboyOnEvent.getParameter(0).asSink().mayHaveStringValue("file") and
+        // second param of 'file' event is a Readable stream
+        this = readableStreamDataNode(busboyOnEvent.getParameter(1).getParameter(1)).asSource()
+        or
+        // Fields
+        busboyOnEvent.getParameter(0).asSink().mayHaveStringValue(["file", "field"]) and
+        this =
+          API::moduleImport("busboy")
+              .getReturn()
+              .getMember("on")
+              .getParameter(1)
+              .getAParameter()
+              .asSource()
+      )
+    }
+
+    override string getSourceType() { result = "parsed user value from Busbuy" }
   }
 
-  override string getSourceType() { result = "parsed user value from Busbuy" }
+  /**
+   * Holds if busboy file data as additional taint steps according to a Readable Stream type
+   *
+   * TODO: I don't know how it can be a global taint step!
+   */
+  predicate busBoyReadableAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::Node busboyOnEvent |
+      busboyOnEvent = API::moduleImport("busboy").getReturn().getMember("on")
+    |
+      busboyOnEvent.getParameter(0).asSink().mayHaveStringValue("file") and
+      customStreamPipeAdditionalTaintStep(busboyOnEvent.getParameter(1).getParameter(1), pred, succ)
+    )
+  }
 }
 
 /**
- * A source of remote flow from the `Formidable` library parsing a HTTP request.
+ * A module for modeling [formidable](https://www.npmjs.com/package/formidable) package
  */
-private class FormidableRemoteFlow extends RemoteFlowSource {
-  FormidableRemoteFlow() {
-    exists(API::Node formidable |
-      formidable = API::moduleImport("formidable").getReturn()
-      or
-      formidable = API::moduleImport("formidable").getMember("formidable").getReturn()
-      or
-      formidable =
-        API::moduleImport("formidable").getMember(["IncomingForm", "Formidable"]).getInstance()
-    |
-      this =
-        formidable.getMember("parse").getACall().getABoundCallbackParameter(1, any(int i | i > 0))
-    )
+module Formidable {
+  /**
+   * A source of remote flow from the `Formidable` library parsing a HTTP request.
+   */
+  private class FormidableRemoteFlow extends RemoteFlowSource {
+    FormidableRemoteFlow() {
+      exists(API::Node formidable |
+        formidable = API::moduleImport("formidable").getReturn()
+        or
+        formidable = API::moduleImport("formidable").getMember("formidable").getReturn()
+        or
+        formidable =
+          API::moduleImport("formidable").getMember(["IncomingForm", "Formidable"]).getInstance()
+      |
+        this =
+          formidable.getMember("parse").getACall().getABoundCallbackParameter(1, any(int i | i > 0))
+        or
+        // if callback is not provide a promise will be returned,
+        // return values contains [fields,files] members
+        exists(API::Node parseMethod |
+          parseMethod = formidable.getMember("parse") and parseMethod.getNumParameter() = 1
+        |
+          this = parseMethod.getReturn().asSource()
+        )
+        or
+        // event handler
+        this = formidable.getMember("on").getParameter(1).getAParameter().asSource()
+      )
+    }
+
+    override string getSourceType() { result = "parsed user value from Formidable" }
   }
+}
 
-  override string getSourceType() { result = "parsed user value from Formidable" }
+API::Node test() {
+  result =
+    API::moduleImport("multiparty").getMember("Form").getInstance().getMember("on").getASuccessor*()
 }
 
 /**
- * A source of remote flow from the `Multiparty` library.
+ * A module for modeling [multiparty](https://www.npmjs.com/package/multiparty) package
  */
-private class MultipartyRemoteFlow extends RemoteFlowSource {
-  MultipartyRemoteFlow() {
-    exists(API::Node form | form = API::moduleImport("multiparty").getMember("Form").getInstance() |
-      exists(API::CallNode parse | parse = form.getMember("parse").getACall() |
-        this = parse.getParameter(1).getAParameter().asSource()
+module Multiparty {
+  /**
+   * A source of remote flow from the `Multiparty` library.
+   */
+  private class MultipartyRemoteFlow extends RemoteFlowSource {
+    MultipartyRemoteFlow() {
+      exists(API::Node form |
+        form = API::moduleImport("multiparty").getMember("Form").getInstance()
+      |
+        exists(API::CallNode parse | parse = form.getMember("parse").getACall() |
+          this = parse.getParameter(1).getParameter([1, 2]).asSource()
+        )
+        or
+        exists(API::Node on | on = form.getMember("on") |
+          (
+            on.getParameter(0).asSink().mayHaveStringValue(["file", "field"]) and
+            this = on.getParameter(1).getParameter([0, 1]).asSource()
+            or
+            on.getParameter(0).asSink().mayHaveStringValue("part") and
+            this = readableStreamDataNode(on.getParameter(1).getParameter(0)).asSink()
+          )
+        )
       )
-      or
-      exists(API::CallNode on | on = form.getMember("on").getACall() |
-        on.getArgument(0).mayHaveStringValue(["part", "file", "field"]) and
-        this = on.getParameter(1).getAParameter().asSource()
-      )
-    )
+    }
+
+    override string getSourceType() { result = "parsed user value from Multiparty" }
   }
 
-  override string getSourceType() { result = "parsed user value from Multiparty" }
+  /**
+   * Holds if multiparty part data as additional taint steps according to a Readable Stream type
+   *
+   * TODO: I don't know how it can be a global taint step!
+   */
+  predicate multipartyReadableAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::Node multipartyOnEvent |
+      multipartyOnEvent =
+        API::moduleImport("multiparty").getMember("Form").getInstance().getMember("on")
+    |
+      multipartyOnEvent.getParameter(0).asSink().mayHaveStringValue("part") and
+      customStreamPipeAdditionalTaintStep(multipartyOnEvent.getParameter(1).getParameter(0), pred,
+        succ)
+    )
+  }
 }

javascript/ql/lib/semmle/javascript/frameworks/ReadableStream.qll

@@ -0,0 +1,134 @@
+import javascript
+
+/**
+ * Holds if there is a step between `fs.createReadStream` and `stream.Readable.from` first parameters to all other piped parameters
+ */
+predicate readablePipeAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+  exists(API::Node receiver |
+    receiver =
+      [
+        API::moduleImport("fs").getMember("createReadStream"),
+        API::moduleImport("stream").getMember("Readable").getMember("from")
+      ]
+  |
+    customStreamPipeAdditionalTaintStep(receiver, pred, succ)
+    or
+    pred = receiver.getParameter(0).asSink() and
+    succ = receiver.getReturn().asSource()
+  )
+}
+
+/**
+ * additional taint steps for piped stream from `createReadStream` method of `fs/promises.open`
+ */
+predicate promisesFileHandlePipeAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+  exists(API::Node receiver | receiver = nodeJsPromisesFileSystem().getMember("open") |
+    customStreamPipeAdditionalTaintStep(receiver, pred, succ)
+    or
+    pred = receiver.getParameter(0).asSink() and
+    succ = receiver.getReturn().asSource()
+  )
+}
+
+/**
+ * Gets nodejs `fs` Promises API
+ */
+API::Node nodeJsPromisesFileSystem() {
+  result = [API::moduleImport("fs").getMember("promises"), API::moduleImport("fs/promises")]
+}
+
+/**
+ * Holds if
+ * or `receiver.pipe(pred).pipe(sth).pipe(succ)`
+ *
+ * or `receiver.pipe(sth).pipe(pred).pipe(succ)`
+ *
+ * or `receiver.pipe(succ)` and receiver is pred
+ *
+ * Receiver can be any method node that support stream pipe method, it can't be a parameter node
+ *
+ * Pass receiver method as receiver, not a return value of the receiver method
+ */
+predicate customStreamPipeAdditionalTaintStep(
+  API::Node receiver, DataFlow::Node pred, DataFlow::Node succ
+) {
+  // following connect the first pipe parameter to the last pipe parameter
+  exists(API::Node firstPipe | firstPipe = receiver.getMember("pipe") |
+    pred = firstPipe.getParameter(0).asSink() and
+    succ = firstPipe.getASuccessor*().getMember("pipe").getParameter(0).asSink()
+  )
+  or
+  // following connect a pipe parameter to the next pipe parameter
+  exists(API::Node cn | cn = receiver.getASuccessor+() |
+    pred = cn.getParameter(0).asSink() and
+    succ = cn.getReturn().getMember("pipe").getParameter(0).asSink()
+  )
+  or
+  // it is a function that its return value is a Readable stream object
+  pred = receiver.getReturn().asSource() and
+  succ = receiver.getReturn().getMember("pipe").getParameter(0).asSink()
+  or
+  // it is a Readable stream object
+  pred = receiver.asSource() and
+  succ = receiver.getMember("pipe").getParameter(0).asSink()
+}
+
+/**
+ * Holds if
+ *
+ * ```js
+ * await pipeline(
+ *        pred,
+ *        succ_or_pred,
+ *        succ
+ *    )
+ * ```
+ */
+predicate streamPipelineAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+  // this step connect the a pipeline parameter to the next pipeline parameter
+  exists(API::CallNode cn, int i |
+    // we assume that there are maximum 10 pipes mostly or maybe less
+    i in [0 .. 10] and
+    cn = nodeJsStream().getMember("pipeline").getACall()
+  |
+    pred = cn.getParameter(i).asSink() and
+    succ = cn.getParameter(i + 1).asSink()
+  )
+  or
+  // this step connect the first pipeline parameter to the next parameters
+  exists(API::CallNode cn, int i |
+    // we assume that there are maximum 10 pipes mostly or maybe less
+    i in [1 .. 10] and
+    cn = nodeJsStream().getMember("pipeline").getACall()
+  |
+    pred = cn.getParameter(0).asSink() and
+    succ = cn.getParameter(i).asSink()
+  )
+}
+
+/**
+ * Gets `stream` Promises API
+ */
+API::Node nodeJsStream() {
+  result = [API::moduleImport("stream/promises"), API::moduleImport("stream").getMember("promises")]
+}
+
+/**
+ * Gets a Readable Stream method(not a return value of the method)
+ * and returns all nodes responsible for a data read access
+ */
+API::Node readableStreamDataNode(API::Node stream) {
+  result = stream.getMember("read").getReturn()
+  or
+  // 'data' event
+  exists(API::CallNode onEvent | onEvent = stream.getMember("on").getACall() |
+    result = onEvent.getParameter(1).getParameter(0) and
+    onEvent.getParameter(0).asSink().mayHaveStringValue("data")
+  )
+  or
+  // 'Readable' event
+  exists(API::CallNode onEvent | onEvent = stream.getMember("on").getACall() |
+    result = onEvent.getParameter(1).getReceiver().getMember("read").getReturn() and
+    onEvent.getParameter(0).asSink().mayHaveStringValue("readable")
+  )
+}