Merge pull request #14302 from amammad/amammad-js-SQLI

JS: extend DatabaseAccess by `TypeORM` and `sqlite` and `better-sqlite3` packages

Author: erik-krogh

javascript/ql/lib/change-notes/2023-11-23-sqllite.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added models for the `sqlite` and `better-sqlite3` npm packages.

javascript/ql/lib/semmle/javascript/frameworks/SQL.qll

@@ -104,7 +104,7 @@ private module Postgres {
   API::Node clientOrPool() { result = API::Node::ofType("pg", ["Client", "PoolClient", "Pool"]) }
 
   /** A call to the Postgres `query` method. */
-  private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
+  private class QueryCall extends DatabaseAccess, API::CallNode {
     QueryCall() { this = clientOrPool().getMember(["execute", "query"]).getACall() }
 
     override DataFlow::Node getAResult() {
@@ -117,15 +117,25 @@ private module Postgres {
       PromiseFlow::loadStep(this.getALocalUse(), result, Promises::valueProp())
     }
 
-    override DataFlow::Node getAQueryArgument() { result = this.getArgument(0) }
+    override DataFlow::Node getAQueryArgument() {
+      result = this.getArgument(0) or result = this.getParameter(0).getMember("text").asSink()
+    }
   }
 
+  /**
+   * Gets the Postgres Query class.
+   * This class can be used to create reusable query objects (see https://node-postgres.com/apis/client).
+   */
+  API::Node query() { result = API::moduleImport("pg").getMember("Query") }
+
   /** An expression that is passed to the `query` method and hence interpreted as SQL. */
   class QueryString extends SQL::SqlString {
     QueryString() {
       this = any(QueryCall qc).getAQueryArgument()
       or
       this = API::moduleImport("pg-cursor").getParameter(0).asSink()
+      or
+      this = query().getParameter(0).asSink()
     }
   }
 
@@ -243,7 +253,7 @@ private module Postgres {
 /**
  * Provides classes modeling the `sqlite3` package.
  */
-private module Sqlite {
+private module Sqlite3 {
   /** Gets an expression that constructs or returns a Sqlite database instance. */
   API::Node database() { result = API::Node::ofType("sqlite3", "Database") }
 
@@ -267,6 +277,62 @@ private module Sqlite {
   }
 }
 
+/**
+ * Provides classes modeling the `sqlite` package.
+ */
+private module Sqlite {
+  /** Gets an expression that constructs or returns a Sqlite database instance. */
+  API::Node database() {
+    result = API::moduleImport("sqlite").getMember("open").getReturn().getPromised()
+  }
+
+  /** A call to a Sqlite query method. */
+  private class QueryCall extends DatabaseAccess, API::CallNode {
+    QueryCall() {
+      this = database().getMember(["all", "each", "exec", "get", "prepare", "run"]).getACall()
+    }
+
+    override DataFlow::Node getAResult() { result = this }
+
+    override DataFlow::Node getAQueryArgument() { result = this.getArgument(0) }
+  }
+
+  /** An expression that is passed to the `query` method and hence interpreted as SQL. */
+  class QueryString extends SQL::SqlString {
+    QueryString() { this = any(QueryCall qc).getAQueryArgument() }
+  }
+}
+
+/**
+ * Provides classes modeling the `better-sqlite3` package.
+ */
+private module BetterSqlite3 {
+  /**
+   * Gets a `better-sqlite3` database instance.
+   */
+  API::Node database() {
+    result =
+      [
+        API::moduleImport("better-sqlite3").getInstance(),
+        API::moduleImport("better-sqlite3").getReturn()
+      ]
+    or
+    result = database().getMember("exec").getReturn()
+  }
+
+  /** A call to a better-sqlite3 query method. */
+  private class QueryCall extends DatabaseAccess, API::CallNode {
+    QueryCall() { this = database().getMember(["exec", "prepare"]).getACall() }
+
+    override DataFlow::Node getAQueryArgument() { result = this.getArgument(0) }
+  }
+
+  /** An expression that is passed to the `query` method and hence interpreted as SQL. */
+  class QueryString extends SQL::SqlString {
+    QueryString() { this = any(QueryCall qc).getAQueryArgument() }
+  }
+}
+
 /**
  * Provides classes modeling the `mssql` package.
  */

javascript/ql/src/experimental/semmle/javascript/SQL.qll

@@ -0,0 +1,157 @@
+/**
+ * Provides classes for working with SQL connectors.
+ */
+
+import javascript
+
+module ExperimentalSql {
+  /**
+   * Provides SQL injection Sinks for the [TypeORM](https://www.npmjs.com/package/typeorm) package
+   */
+  private module TypeOrm {
+    /**
+     * Gets a `DataSource` instance
+     *
+     * `DataSource` is a pre-defined connection configuration to a specific database.
+     */
+    API::Node dataSource() {
+      result = API::moduleImport("typeorm").getMember("DataSource").getInstance()
+    }
+
+    /**
+     * Gets a `QueryRunner` instance
+     */
+    API::Node queryRunner() { result = dataSource().getMember("createQueryRunner").getReturn() }
+
+    /**
+     * Gets a `*QueryBuilder` instance
+     */
+    API::Node queryBuilderInstance() {
+      // a `*QueryBuilder` instance of a Data Mapper based Entity
+      result =
+        [
+          // Using DataSource
+          dataSource(),
+          // Using repository
+          dataSource().getMember("getRepository").getReturn(),
+          // Using entity manager
+          dataSource().getMember("manager"), queryRunner().getMember("manager")
+        ].getMember("createQueryBuilder").getReturn()
+      or
+      // A `*QueryBuilder` instance of an Active record based Entity
+      result =
+        API::moduleImport("typeorm")
+            .getMember("Entity")
+            .getReturn()
+            .getADecoratedClass()
+            .getMember("createQueryBuilder")
+            .getReturn()
+      or
+      // A WhereExpressionBuilder can be used in complex WHERE expression
+      result =
+        API::moduleImport("typeorm")
+            .getMember(["Brackets", "NotBrackets"])
+            .getParameter(0)
+            .getParameter(0)
+      or
+      // In case of custom query builders
+      result =
+        API::moduleImport("typeorm")
+            .getMember([
+                "SelectQueryBuilder", "InsertQueryBuilder", "RelationQueryBuilder",
+                "UpdateQueryBuilder", "WhereExpressionBuilder"
+              ])
+            .getInstance()
+    }
+
+    /**
+     *  Gets function names which create any type of `QueryBuilder` like `WhereExpressionBuilder` or `InsertQueryBuilder`
+     */
+    string queryBuilderMethods() {
+      result =
+        [
+          "select", "addSelect", "where", "andWhere", "orWhere", "having", "orHaving", "andHaving",
+          "orderBy", "addOrderBy", "distinctOn", "groupBy", "addCommonTableExpression",
+          "leftJoinAndSelect", "innerJoinAndSelect", "leftJoin", "innerJoin", "leftJoinAndMapOne",
+          "innerJoinAndMapOne", "leftJoinAndMapMany", "innerJoinAndMapMany", "orUpdate", "orIgnore",
+          "values", "set"
+        ]
+    }
+
+    /**
+     * Gets function names that the return values of these functions can be the results of a database query run
+     */
+    string queryBuilderResult() {
+      result = ["getOne", "getOneOrFail", "getMany", "getRawOne", "getRawMany", "stream"]
+    }
+
+    /**
+     * Gets a QueryBuilder instance that has a query builder function
+     */
+    API::Node getASuccessorOfBuilderInstance(string queryBuilderMethod) {
+      result.getMember(queryBuilderMethod) = queryBuilderInstance().getASuccessor*()
+    }
+
+    /**
+     *  A call to some successor functions of TypeORM `createQueryBuilder` function which are dangerous
+     */
+    private class QueryBuilderCall extends DatabaseAccess, DataFlow::Node {
+      API::Node queryBuilder;
+
+      QueryBuilderCall() {
+        queryBuilder = getASuccessorOfBuilderInstance(queryBuilderMethods()) and
+        this = queryBuilder.asSource()
+      }
+
+      override DataFlow::Node getAResult() {
+        result = queryBuilder.getMember(queryBuilderResult()).getReturn().asSource()
+      }
+
+      override DataFlow::Node getAQueryArgument() {
+        exists(string memberName | memberName = queryBuilderMethods() |
+          memberName = ["leftJoinAndSelect", "innerJoinAndSelect", "leftJoin", "innerJoin"] and
+          result = queryBuilder.getMember(memberName).getParameter(2).asSink()
+          or
+          memberName =
+            ["leftJoinAndMapOne", "innerJoinAndMapOne", "leftJoinAndMapMany", "innerJoinAndMapMany"] and
+          result = queryBuilder.getMember(memberName).getParameter(3).asSink()
+          or
+          memberName =
+            [
+              "select", "addSelect", "where", "andWhere", "orWhere", "having", "orHaving",
+              "andHaving", "orderBy", "addOrderBy", "distinctOn", "groupBy",
+              "addCommonTableExpression"
+            ] and
+          result = queryBuilder.getMember(memberName).getParameter(0).asSink()
+          or
+          memberName = ["orIgnore", "orUpdate"] and
+          result = queryBuilder.getMember(memberName).getParameter([0, 1]).asSink()
+          or
+          // following functions if use a function as their input fields,called function parameters which are vulnerable
+          memberName = ["values", "set"] and
+          result =
+            queryBuilder.getMember(memberName).getParameter(0).getAMember().getReturn().asSink()
+        )
+      }
+    }
+
+    /**
+     *  A call to the TypeORM `query` function of a `QueryRunner`
+     */
+    private class QueryRunner extends DatabaseAccess, API::CallNode {
+      QueryRunner() { queryRunner().getMember("query").getACall() = this }
+
+      override DataFlow::Node getAResult() { result = this }
+
+      override DataFlow::Node getAQueryArgument() { result = this.getArgument(0) }
+    }
+
+    /** An expression that is passed to the `query` function and hence interpreted as SQL. */
+    class QueryString extends SQL::SqlString {
+      QueryString() {
+        this = any(QueryRunner qr).getAQueryArgument() or
+        this = any(QueryBuilderCall qb).getAQueryArgument()
+      }
+    }
+  }
+}