JS: Add environment threat-model source

RasmusWL · RasmusWL · commit 412e841d6929 · 2024-10-25T15:03:43.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
@@ -1244,4 +1244,13 @@ module NodeJSLib {
       result = moduleImport().getAPropertyRead(member)
     }
   }
+
+  /** A read of `process.env`, considered as a threat-model source. */
+  private class ProcessEnvThreatSource extends ThreatModelSource::Range {
+    ProcessEnvThreatSource() { this = NodeJSLib::process().getAPropertyRead("env") }
+
+    override string getThreatModel() { result = "environment" }
+
+    override string getSourceType() { result = "process.env" }
+  }
 }
diff --git a/javascript/ql/test/library-tests/threat-models/sources/TestSources.expected b/javascript/ql/test/library-tests/threat-models/sources/TestSources.expected
@@ -0,0 +1,2 @@
+testFailures
+failures
diff --git a/javascript/ql/test/library-tests/threat-models/sources/TestSources.ql b/javascript/ql/test/library-tests/threat-models/sources/TestSources.ql
@@ -0,0 +1,38 @@
+import javascript
+import testUtilities.InlineExpectationsTest
+
+class TestSourcesConfiguration extends TaintTracking::Configuration {
+  TestSourcesConfiguration() { this = "TestSources" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof ThreatModelSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(CallExpr call |
+      call.getAnArgument() = sink.asExpr() and
+      call.getCalleeName() = "SINK"
+    )
+  }
+}
+
+private module InlineTestSources implements TestSig {
+  string getARelevantTag() { result in ["hasFlow", "threat-source"] }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(DataFlow::Node sink |
+      any(TestSourcesConfiguration c).hasFlow(_, sink) and
+      value = "" and
+      location = sink.getLocation() and
+      tag = "hasFlow" and
+      element = sink.toString()
+    )
+    or
+    exists(ThreatModelSource source |
+      value = source.getThreatModel() and
+      location = source.getLocation() and
+      tag = "threat-source" and
+      element = source.toString()
+    )
+  }
+}
+
+import MakeTest<InlineTestSources>
diff --git a/javascript/ql/test/library-tests/threat-models/sources/sources.js b/javascript/ql/test/library-tests/threat-models/sources/sources.js
@@ -0,0 +1,4 @@
+import 'dummy';
+
+var x = process.env['foo']; // $ threat-source=environment
+SINK(x); // $ hasFlow

Original file line number	Diff line number	Diff line change
`@@ -1244,4 +1244,13 @@ module NodeJSLib {`
`1244`	`1244`	`result = moduleImport().getAPropertyRead(member)`
`1245`	`1245`	`}`
`1246`	`1246`	`}`
	`1247`	`+`
	`1248`	+ /** A read of `process.env`, considered as a threat-model source. */
	`1249`	`+ private class ProcessEnvThreatSource extends ThreatModelSource::Range {`
	`1250`	`+ ProcessEnvThreatSource() { this = NodeJSLib::process().getAPropertyRead("env") }`
	`1251`	`+`
	`1252`	`+ override string getThreatModel() { result = "environment" }`
	`1253`	`+`
	`1254`	`+ override string getSourceType() { result = "process.env" }`
	`1255`	`+ }`
`1247`	`1256`	`}`