recognize inclusion based sanitizers for js/prototype-polluting-assignment

erik-krogh · erik-krogh · commit e94b0f5913a9 · 2021-10-27T20:35:37.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
@@ -84,7 +84,8 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof InstanceofCheck or
     guard instanceof IsArrayCheck or
     guard instanceof TypeofCheck or
-    guard instanceof EqualityCheck
+    guard instanceof EqualityCheck or
+    guard instanceof IncludesCheck
   }
 }
 
@@ -204,3 +205,15 @@ private class EqualityCheck extends TaintTracking::SanitizerGuardNode, DataFlow:
     outcome = astNode.getPolarity().booleanNot()
   }
 }
+
+/**
+ * Sanitizer guard of the form `x.includes("__proto__")`.
+ */
+private class IncludesCheck extends TaintTracking::LabeledSanitizerGuardNode, InclusionTest {
+  IncludesCheck() { this.getContainedNode().mayHaveStringValue("__proto__") }
+
+  override predicate sanitizes(boolean outcome, Expr e) {
+    e = getContainerNode().asExpr() and
+    outcome = getPolarity().booleanNot()
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected
@@ -67,6 +67,9 @@ nodes
 | tst.js:82:5:82:22 | object["" + taint] |
 | tst.js:82:12:82:21 | "" + taint |
 | tst.js:82:17:82:21 | taint |
+| tst.js:87:9:87:21 | object[taint] |
+| tst.js:87:9:87:21 | object[taint] |
+| tst.js:87:16:87:20 | taint |
 edges
 | lib.js:1:38:1:40 | obj | lib.js:6:7:6:9 | obj |
 | lib.js:1:38:1:40 | obj | lib.js:6:7:6:9 | obj |
@@ -126,6 +129,7 @@ edges
 | tst.js:33:23:33:25 | obj | tst.js:48:9:48:11 | obj |
 | tst.js:77:9:77:38 | taint | tst.js:80:12:80:16 | taint |
 | tst.js:77:9:77:38 | taint | tst.js:82:17:82:21 | taint |
+| tst.js:77:9:77:38 | taint | tst.js:87:16:87:20 | taint |
 | tst.js:77:17:77:38 | String( ... y.data) | tst.js:77:9:77:38 | taint |
 | tst.js:77:24:77:37 | req.query.data | tst.js:77:17:77:38 | String( ... y.data) |
 | tst.js:77:24:77:37 | req.query.data | tst.js:77:17:77:38 | String( ... y.data) |
@@ -134,6 +138,8 @@ edges
 | tst.js:82:12:82:21 | "" + taint | tst.js:82:5:82:22 | object["" + taint] |
 | tst.js:82:12:82:21 | "" + taint | tst.js:82:5:82:22 | object["" + taint] |
 | tst.js:82:17:82:21 | taint | tst.js:82:12:82:21 | "" + taint |
+| tst.js:87:16:87:20 | taint | tst.js:87:9:87:21 | object[taint] |
+| tst.js:87:16:87:20 | taint | tst.js:87:9:87:21 | object[taint] |
 #select
 | lib.js:6:7:6:9 | obj | lib.js:1:43:1:46 | path | lib.js:6:7:6:9 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:1:43:1:46 | path | here |
 | lib.js:15:3:15:14 | obj[path[0]] | lib.js:14:38:14:41 | path | lib.js:15:3:15:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:14:38:14:41 | path | here |
@@ -147,3 +153,4 @@ edges
 | tst.js:48:9:48:11 | obj | tst.js:5:24:5:37 | req.query.data | tst.js:48:9:48:11 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | here |
 | tst.js:80:5:80:17 | object[taint] | tst.js:77:24:77:37 | req.query.data | tst.js:80:5:80:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:77:24:77:37 | req.query.data | here |
 | tst.js:82:5:82:22 | object["" + taint] | tst.js:77:24:77:37 | req.query.data | tst.js:82:5:82:22 | object["" + taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:77:24:77:37 | req.query.data | here |
+| tst.js:87:9:87:21 | object[taint] | tst.js:77:24:77:37 | req.query.data | tst.js:87:9:87:21 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:77:24:77:37 | req.query.data | here |
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js
@@ -80,5 +80,11 @@ app.get('/', (req, res) => {
     object[taint][taint] = taint; // NOT OK
 
     object["" + taint]["" + taint] = taint; // NOT OK
+
+    if (!taint.includes("__proto__")) {
+        object[taint][taint] = taint; // OK
+    } else {
+        object[taint][taint] = taint; // NOT OK
+    }
 });
 

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,8 @@ class Configuration extends TaintTracking::Configuration {`
`84`	`84`	`guard instanceof InstanceofCheck or`
`85`	`85`	`guard instanceof IsArrayCheck or`
`86`	`86`	`guard instanceof TypeofCheck or`
`87`		`- guard instanceof EqualityCheck`
	`87`	`+ guard instanceof EqualityCheck or`
	`88`	`+ guard instanceof IncludesCheck`
`88`	`89`	`}`
`89`	`90`	`}`
`90`	`91`
`@@ -204,3 +205,15 @@ private class EqualityCheck extends TaintTracking::SanitizerGuardNode, DataFlow:`
`204`	`205`	`outcome = astNode.getPolarity().booleanNot()`
`205`	`206`	`}`
`206`	`207`	`}`
	`208`	`+`
	`209`	`+/**`
	`210`	+ * Sanitizer guard of the form `x.includes("__proto__")`.
	`211`	`+ */`
	`212`	`+private class IncludesCheck extends TaintTracking::LabeledSanitizerGuardNode, InclusionTest {`
	`213`	`+ IncludesCheck() { this.getContainedNode().mayHaveStringValue("__proto__") }`
	`214`	`+`
	`215`	`+ override predicate sanitizes(boolean outcome, Expr e) {`
	`216`	`+ e = getContainerNode().asExpr() and`
	`217`	`+ outcome = getPolarity().booleanNot()`
	`218`	`+ }`
	`219`	`+}`