recognize sensitive files by file-system writes

erik-krogh · erik-krogh · commit 09d969a8ad23 · 2020-06-25T15:19:42.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/InsecureDownloadCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/InsecureDownloadCustomizations.qll
@@ -112,4 +112,32 @@ module InsecureDownload {
       result instanceof Label::InsecureURL
     }
   }
+
+  /**
+   * Gets a node for the response from `request`, type-tracked using `t`. 
+   */
+  DataFlow::SourceNode clientRequestResponse(DataFlow::TypeTracker t, ClientRequest request) {
+    t.start() and
+    result = request.getAResponseDataNode()
+    or
+    exists(DataFlow::TypeTracker t2 | result = clientRequestResponse(t2, request).track(t2, t))
+  }
+
+  /**
+   * A url that is downloaded through an insecure connection, where the result ends up being saved to a sensitive location.
+   */
+  class FileWriteSink extends Sink {
+    ClientRequest request;
+    FileSystemWriteAccess write;
+
+    FileWriteSink() {
+      this = request.getUrl() and
+      clientRequestResponse(DataFlow::TypeTracker::end(), request).flowsTo(write.getADataNode())  and
+      hasUnsafeExtension(write.getAPathArgument().getStringValue())
+    }
+
+    override DataFlow::FlowLabel getALabel() { result instanceof Label::InsecureURL }
+
+    override DataFlow::Node getDownloadCall() { result = request }
+  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-829/InsecureDownload.expected b/javascript/ql/test/query-tests/Security/CWE-829/InsecureDownload.expected
@@ -17,9 +17,12 @@ nodes
 | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" |
 | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" |
 | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" |
-| insecure-download.js:46:12:46:38 | "http:/ ... unsafe" |
-| insecure-download.js:46:12:46:38 | "http:/ ... unsafe" |
-| insecure-download.js:46:12:46:38 | "http:/ ... unsafe" |
+| insecure-download.js:48:12:48:38 | "http:/ ... unsafe" |
+| insecure-download.js:48:12:48:38 | "http:/ ... unsafe" |
+| insecure-download.js:48:12:48:38 | "http:/ ... unsafe" |
+| insecure-download.js:52:11:52:45 | "http:/ ... nknown" |
+| insecure-download.js:52:11:52:45 | "http:/ ... nknown" |
+| insecure-download.js:52:11:52:45 | "http:/ ... nknown" |
 edges
 | insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | insecure-download.js:15:18:15:40 | buildTo ... llerUrl |
 | insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | insecure-download.js:15:18:15:40 | buildTo ... llerUrl |
@@ -33,11 +36,13 @@ edges
 | insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | insecure-download.js:36:9:36:45 | url |
 | insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | insecure-download.js:36:9:36:45 | url |
 | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" |
-| insecure-download.js:46:12:46:38 | "http:/ ... unsafe" | insecure-download.js:46:12:46:38 | "http:/ ... unsafe" |
+| insecure-download.js:48:12:48:38 | "http:/ ... unsafe" | insecure-download.js:48:12:48:38 | "http:/ ... unsafe" |
+| insecure-download.js:52:11:52:45 | "http:/ ... nknown" | insecure-download.js:52:11:52:45 | "http:/ ... nknown" |
 #select
 | insecure-download.js:5:16:5:28 | installer.url | insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | insecure-download.js:5:16:5:28 | installer.url | $@ of sensitive file from $@. | insecure-download.js:5:9:5:44 | nugget( ... => { }) | Download | insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | HTTP source |
 | insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | $@ of sensitive file from $@. | insecure-download.js:30:5:30:43 | nugget( ... e.APK") | Download | insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | HTTP source |
 | insecure-download.js:37:23:37:25 | url | insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | insecure-download.js:37:23:37:25 | url | $@ of sensitive file from $@. | insecure-download.js:37:5:37:42 | cp.exec ...  () {}) | Download | insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | HTTP source |
 | insecure-download.js:39:26:39:28 | url | insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | insecure-download.js:39:26:39:28 | url | $@ of sensitive file from $@. | insecure-download.js:39:5:39:46 | cp.exec ...  () {}) | Download | insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | HTTP source |
 | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" | $@ of sensitive file from $@. | insecure-download.js:41:5:41:42 | nugget( ... e.APK") | Download | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" | HTTP source |
-| insecure-download.js:46:12:46:38 | "http:/ ... unsafe" | insecure-download.js:46:12:46:38 | "http:/ ... unsafe" | insecure-download.js:46:12:46:38 | "http:/ ... unsafe" | $@ of sensitive file from $@. | insecure-download.js:46:5:46:71 | nugget( ... => { }) | Download | insecure-download.js:46:12:46:38 | "http:/ ... unsafe" | HTTP source |
+| insecure-download.js:48:12:48:38 | "http:/ ... unsafe" | insecure-download.js:48:12:48:38 | "http:/ ... unsafe" | insecure-download.js:48:12:48:38 | "http:/ ... unsafe" | $@ of sensitive file from $@. | insecure-download.js:48:5:48:71 | nugget( ... => { }) | Download | insecure-download.js:48:12:48:38 | "http:/ ... unsafe" | HTTP source |
+| insecure-download.js:52:11:52:45 | "http:/ ... nknown" | insecure-download.js:52:11:52:45 | "http:/ ... nknown" | insecure-download.js:52:11:52:45 | "http:/ ... nknown" | $@ of sensitive file from $@. | insecure-download.js:52:5:54:6 | $.get(" ... \\n    }) | Download | insecure-download.js:52:11:52:45 | "http:/ ... nknown" | HTTP source |
diff --git a/javascript/ql/test/query-tests/Security/CWE-829/insecure-download.js b/javascript/ql/test/query-tests/Security/CWE-829/insecure-download.js
@@ -48,4 +48,12 @@ function test() {
     nugget("http://example.org/unsafe", {target: "foo.exe"}, () => { }) // NOT OK
 
     nugget("http://example.org/unsafe", {target: "foo.safe"}, () => { }) // OK
+
+    $.get("http://example.org/unsafe.unknown", function( data ) {
+        writeFileAtomic('unsafe.exe', data, {}, function (err) {}); // NOT OK
+    });
+
+    $.get("http://example.org/unsafe.unknown", function( data ) {
+        writeFileAtomic('foo.safe', data, {}, function (err) {}); // OK
+    });
 }
