Moved new query to 'experimental'

Moved lists of domains to data extensions, including adding those to the overall qlpack.yml

Expanded scope of new query to further domains operated by the untrusted owners of polyfill.io

Author: aegilops

javascript/ql/lib/qlpack.yml

@@ -16,4 +16,5 @@ dependencies:
 dataExtensions:
   - semmle/javascript/frameworks/**/model.yml
   - semmle/javascript/frameworks/**/*.model.yml
+  - semmle/javascript/security/domains/**/*.model.yml
 warnOnImplicitThis: true

javascript/ql/lib/semmle/javascript/security/FunctionalityFromUntrustedSource.qll

@@ -37,22 +37,10 @@ module StaticCreation {
   predicate isCdnUrlWithCheckingRequired(string url) {
     // Some CDN URLs are required to have an integrity attribute. We only add CDNs to that list
     // that recommend integrity-checking.
-    url.regexpMatch("(?i)^https?://" +
-        [
-          "code\\.jquery\\.com", //
-          "cdnjs\\.cloudflare\\.com", //
-          "cdnjs\\.com", //
-        ] + "/.*\\.js$")
-  }
-
-  /** Holds if `url` refers to a compromised CDN, that should not be trusted. */
-  bindingset[url]
-  predicate isCompromisedCdn(string url) {
-    url.regexpMatch("(?i)^https?://" +
-        [
-          "cdn\\.polyfill\\.io", // See https://sansec.io/research/polyfill-supply-chain-attack for details
-          "polyfill\\.io",       // "
-        ] + "/.*$")
+    exists(string hostname, string requiredCheckingHostname |
+      hostname = url.regexpCapture("(?i)^(?:https?:)?//([^/]+)/.*\\.js$", 1)
+      and isCdnDomainWithCheckingRequired(requiredCheckingHostname) and hostname = requiredCheckingHostname
+    )
   }
 
   /** A script element that refers to untrusted content. */
@@ -67,24 +55,15 @@ module StaticCreation {
     override string getProblem() { result = "Script loaded using unencrypted connection." }
   }
 
-  /** A script element that refers to compromised content. */
-  class CdnFromCompromisedSource extends AddsUntrustedUrl, HTML::ScriptElement {
-    CdnFromCompromisedSource() {
-      isCompromisedCdn(this.getSourcePath())
-    }
-
-    override string getUrl() { result = this.getSourcePath() }
-
-    override string getProblem() {
-      result = "Script loaded from compromised content delivery network."
-    }
-  }
-
   /** A script element that refers to untrusted content. */
   class CdnScriptElementWithUntrustedContent extends AddsUntrustedUrl, HTML::ScriptElement {
     CdnScriptElementWithUntrustedContent() {
       not exists(string digest | not digest = "" | this.getIntegrityDigest() = digest) and
-      isCdnUrlWithCheckingRequired(this.getSourcePath())
+      (
+        isCdnUrlWithCheckingRequired(this.getSourcePath())
+        or
+        isUrlWithUntrustedDomain(super.getSourcePath())
+      )
     }
 
     override string getUrl() { result = this.getSourcePath() }
@@ -104,6 +83,29 @@ module StaticCreation {
   }
 }
 
+/** Holds if `url` refers to an URL that uses an untrusted domain. */
+bindingset[url]
+predicate isUrlWithUntrustedDomain(string url) {
+  exists(string hostname |
+    hostname = url.regexpCapture("(?i)^(?:https?:)?//([^/]+)/.*", 1)
+    and isUntrustedHostname(hostname)
+  )
+}
+
+/** Holds if `hostname` refers to a domain or subdomain that is untrusted. */
+bindingset[hostname]
+predicate isUntrustedHostname(string hostname) {
+  exists(string domain |
+    (hostname = domain or hostname.matches("%." + domain)) and 
+    isUntrustedDomain(domain)
+  )
+}
+
+// The following predicates are extended in data extensions under javascript/ql/lib/semmle/javascript/security/domains/
+// and can be extended with custom model packs as necessary.
+extensible predicate isCdnDomainWithCheckingRequired(string hostname);
+extensible predicate isUntrustedDomain(string domain);
+
 /** Looks for dyanmic creation of an element and source. */
 module DynamicCreation {
   /** Holds if `call` creates a tag of kind `name`. */

javascript/ql/lib/semmle/javascript/security/domains/IntegrityCheckingRequired/integrity_checking_required.model.yml

@@ -0,0 +1,8 @@
+extensions:
+  - addsTo: 
+      pack: codeql/javascript-all
+      extensible: isCdnDomainWithCheckingRequired
+    data:
+      - ["code.jquery.com"]
+      - ["cdnjs.cloudflare.com"]
+      - ["cdnjs.com"]

javascript/ql/lib/semmle/javascript/security/domains/compromised/compromised_domains.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo: 
+      pack: codeql/javascript-all
+      extensible: isUntrustedDomain
+    data:
+      - ["polyfill.io"]

javascript/ql/lib/semmle/javascript/security/domains/untrusted/untrusted_domains.model.yml

@@ -0,0 +1,14 @@
+extensions:
+  - addsTo: 
+      pack: codeql/javascript-all
+      extensible: isUntrustedDomain
+    data:
+      # new location of the polyfill.io CDN, which was used to serve malware. See: https://www.cside.dev/blog/the-polyfill-attack-explained
+      - ["polyfill.com"]
+      - ["polyfillcache.com"]
+
+      # domains operated by the same owner as polyfill.io, which was used to serve malware. See: https://www.cside.dev/blog/the-polyfill-attack-explained
+      - ["bootcdn.net"]
+      - ["bootcss.com"]
+      - ["staticfile.net"]
+      - ["staticfile.org"]

javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql

@@ -15,4 +15,7 @@ import javascript
 import semmle.javascript.security.FunctionalityFromUntrustedSource
 
 from AddsUntrustedUrl s
+// do not alert on explicitly untrusted domains
+// another query can alert on these, js/functionality-from-untrusted-domain
+where not isUrlWithUntrustedDomain(s.getUrl())
 select s, s.getProblem()

javascript/ql/src/Security/CWE-830/PolyfillIOCompromisedScript.qhelp

@@ -0,0 +1,6 @@
+---
+category: minorAnalysis
+---
+* Added a new query, `js/functionality-from-untrusted-domain`, which detects uses in HTML and JavaScript scripts from untrusted domains, including the compromised `polyfill.io` content delivery network, and can be extended to detect other compromised scripts using data extensions.
+* Modified existing query, `js/functionality-from-untrusted-source`, to allow adding this new query, but reusing the same logic.
+* Created a shared library, `semmle.javascript.security.FunctionalityFromUntrustedSource`, to separate the logic from that existing query and allow having a separate "untrusted domain" query.