JS: Recognize RegExps in JSON schemas

asgerf · asgerf · commit 12079cd1e462 · 2021-03-02T12:39:04.000Z
diff --git a/javascript/ql/src/semmle/javascript/JsonSchema.qll b/javascript/ql/src/semmle/javascript/JsonSchema.qll
@@ -17,6 +17,34 @@ module JsonSchema {
     boolean getPolarity() { result = true }
   }
 
+  /** A data flow node that is used a JSON schema. */
+  abstract class SchemaRoot extends DataFlow::Node {
+  }
+
+  /** An object literal with a `$schema` property indicating it is the root of a JSON schema. */
+  private class SchemaNodeByTag extends SchemaRoot, DataFlow::ObjectLiteralNode {
+    SchemaNodeByTag() {
+      getAPropertyWrite("$schema").getRhs().getStringValue().matches("%//json-schema.org%")
+    }
+  }
+
+  /** Gets a data flow node that is part of a JSON schema. */
+  private DataFlow::SourceNode getAPartOfJsonSchema(DataFlow::TypeBackTracker t) {
+    t.start() and
+    result = any(SchemaRoot n).getALocalSource()
+    or
+    result = getAPartOfJsonSchema(t.continue()).getAPropertySource()
+    or
+    exists(DataFlow::TypeBackTracker t2 |
+      result = getAPartOfJsonSchema(t2).backtrack(t2, t)
+    )
+  }
+
+  /** Gets a data flow node that is part of a JSON schema. */
+  DataFlow::SourceNode getAPartOfJsonSchema() {
+    result = getAPartOfJsonSchema(DataFlow::TypeBackTracker::end())
+  }
+
   /** Provides a model of the `ajv` library. */
   module Ajv {
     /** A method on `Ajv` that returns `this`. */
@@ -91,5 +119,11 @@ module JsonSchema {
       /** Gets the ajv instance doing the validation. */
       Instance getAjvInstance() { result = instance }
     }
+
+    private class AjvSchemaNode extends SchemaRoot {
+      AjvSchemaNode() {
+        this = any(Instance i).ref().getMember(["addSchema", "validate", "compile", "compileAsync"]).getParameter(0).getARhs()
+      }
+    }
   }
 }
diff --git a/javascript/ql/src/semmle/javascript/Regexp.qll b/javascript/ql/src/semmle/javascript/Regexp.qll
@@ -865,6 +865,14 @@ predicate isInterpretedAsRegExp(DataFlow::Node source) {
       // because `String.prototype.search` returns a number
       not exists(PropAccess p | p.getBase() = mce.getEnclosingExpr())
     )
+    or
+    exists(DataFlow::SourceNode schema |
+      schema = JsonSchema::getAPartOfJsonSchema()
+    |
+      source = schema.getAPropertyWrite("pattern").getRhs()
+      or
+      source = schema.getAPropertySource("patternProperties").getAPropertyWrite().getPropertyNameExpr().flow()
+    )
   )
 }
 
diff --git a/javascript/ql/test/query-tests/Performance/ReDoS/ReDoS.expected b/javascript/ql/test/query-tests/Performance/ReDoS/ReDoS.expected
@@ -12,6 +12,9 @@
 | highlight.js:30:13:30:25 | (?:\\\\.\|[^`])+ | This part of the regular expression may cause exponential backtracking on strings starting with '`' and containing many repetitions of '\\\\_'. |
 | highlight.js:34:25:34:27 | \\w* | This part of the regular expression may cause exponential backtracking on strings starting with '?A' and containing many repetitions of 'A'. |
 | highlight.js:38:35:38:40 | [^()]* | This part of the regular expression may cause exponential backtracking on strings starting with 'A((' and containing many repetitions of '')('. |
+| jsonschema.js:5:15:5:21 | (a?a?)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
+| jsonschema.js:15:23:15:29 | (a?a?)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
+| jsonschema.js:20:18:20:24 | (a?a?)* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of 'a'. |
 | polynomial-redos.js:17:5:17:6 | .* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of ','. |
 | polynomial-redos.js:41:52:41:63 | [\\x21-\\x7E]* | This part of the regular expression may cause exponential backtracking on strings containing many repetitions of '?'. |
 | polynomial-redos.js:46:33:46:45 | [a-zA-Z_0-9]* | This part of the regular expression may cause exponential backtracking on strings starting with 'A' and containing many repetitions of 'A'. |
diff --git a/javascript/ql/test/query-tests/Performance/ReDoS/jsonschema.js b/javascript/ql/test/query-tests/Performance/ReDoS/jsonschema.js
@@ -0,0 +1,26 @@
+import Ajv from 'ajv';
+
+let thing = {
+    type: 'string',
+    pattern: '(a?a?)*b' // NOT OK
+}
+new Ajv().addSchema(thing, 'thing');
+
+export default {
+    $schema: "http://json-schema.org/draft-07/schema#",
+    type: "object",
+    properties: {
+        foo: {
+            type: "string",
+            pattern: "(a?a?)*b" // NOT OK
+        },
+        bar: {
+            type: "object",
+            patternProperties: {
+                "(a?a?)*b": { // NOT OK
+                    type: "number"
+                }
+            }
+        }
+    }
+};

Original file line number	Diff line number	Diff line change
`@@ -865,6 +865,14 @@ predicate isInterpretedAsRegExp(DataFlow::Node source) {`
`865`	`865`	// because `String.prototype.search` returns a number
`866`	`866`	`not exists(PropAccess p \| p.getBase() = mce.getEnclosingExpr())`
`867`	`867`	`)`
	`868`	`+ or`
	`869`	`+ exists(DataFlow::SourceNode schema \|`
	`870`	`+ schema = JsonSchema::getAPartOfJsonSchema()`
	`871`	`+ \|`
	`872`	`+ source = schema.getAPropertyWrite("pattern").getRhs()`
	`873`	`+ or`
	`874`	`+ source = schema.getAPropertySource("patternProperties").getAPropertyWrite().getPropertyNameExpr().flow()`
	`875`	`+ )`
`868`	`876`	`)`
`869`	`877`	`}`
`870`	`878`