JS: Add model of d3

asgerf · asgerf · commit 18cfe72e9958 · 2021-03-11T10:05:05.000Z
diff --git a/javascript/change-notes/2021-03-10-d3.md b/javascript/change-notes/2021-03-10-d3.md
@@ -0,0 +1,6 @@
+lgtm,codescanning
+* Support for `d3` has improved. The XSS queries now recognize HTML injection sinks
+  from the `d3` API.
+  Affected packages are
+    [d3](https://npmjs.com/package/d3),
+    [d3-selection](https://npmjs.com/package/d3-selection).
diff --git a/javascript/ql/src/javascript.qll b/javascript/ql/src/javascript.qll
@@ -80,6 +80,7 @@ import semmle.javascript.frameworks.ClosureLibrary
 import semmle.javascript.frameworks.CookieLibraries
 import semmle.javascript.frameworks.Credentials
 import semmle.javascript.frameworks.CryptoLibraries
+import semmle.javascript.frameworks.D3
 import semmle.javascript.frameworks.DateFunctions
 import semmle.javascript.frameworks.DigitalOcean
 import semmle.javascript.frameworks.Electron
diff --git a/javascript/ql/src/semmle/javascript/frameworks/D3.qll b/javascript/ql/src/semmle/javascript/frameworks/D3.qll
@@ -0,0 +1,82 @@
+/** Provides classes and predicates modelling aspects of the `d3` library. */
+private import javascript
+private import semmle.javascript.security.dataflow.Xss
+
+/** Provides classes and predicates modelling aspects of the `d3` library. */
+module D3 {
+  /** Gets an API node referring to the `d3` module. */
+  API::Node d3() {
+    result = API::moduleImport("d3")
+    or
+    result = API::moduleImport("d3-node").getInstance().getMember("d3")
+  }
+
+  /**
+   * Gets an API node referring to the given module, or to `d3`.
+   *
+   * Useful for accessing modules that are re-exported by `d3`.
+   */
+  bindingset[name]
+  API::Node d3Module(string name) {
+    result = d3() // all d3 modules are re-exported as part of 'd3'
+    or
+    result = API::moduleImport(name)
+  }
+
+  /** Gets an API node referring to a `d3` selection object, such as `d3.selection()`. */
+  API::Node d3Selection() {
+    result = d3Module("d3-selection").getMember(["selection", "select", "selectAll"]).getReturn()
+    or
+    exists(API::CallNode call, string name |
+      call = d3Selection().getMember(name).getACall() and
+      result = call.getReturn()
+    |
+      name = ["select", "selectAll", "filter", "merge", "selectChild", "selectChildren", "selection", "insert", "remove", "clone", "sort", "order", "raise", "lower", "append", "data", "join", "enter", "exit", "call"]
+      or
+      name = ["text", "html", "datum"] and
+      call.getNumArgument() > 0 // exclude 0-argument version, which returns the current value
+      or
+      name = ["attr", "classed", "style", "property", "on"] and
+      call.getNumArgument() > 1 // exclude 1-argument version, which returns the current value
+    )
+    or
+    result = d3Selection().getMember("call").getParameter(0).getParameter(0)
+  }
+
+  private class D3XssSink extends DomBasedXss::Sink {
+    D3XssSink() {
+      exists(API::Node htmlArg |
+        htmlArg = d3Selection().getMember("html").getParameter(0) and
+        this = [htmlArg, htmlArg.getReturn()].getARhs()
+      )
+    }
+  }
+
+  private class D3DomValueSource extends DOM::DomValueSource::Range {
+    D3DomValueSource() {
+      this = d3Selection().getMember("each").getReceiver().getAnImmediateUse()
+      or
+      this = d3Selection().getMember("node").getReturn().getAnImmediateUse()
+      or
+      this = d3Selection().getMember("nodes").getReturn().getUnknownMember().getAnImmediateUse()
+    }
+  }
+
+  private class D3AttributeDefinition extends DOM::AttributeDefinition {
+    DataFlow::CallNode call;
+
+    D3AttributeDefinition() {
+      call = d3Selection().getMember("attr").getACall() and
+      call.getNumArgument() > 1 and
+      this = call.asExpr()
+    }
+
+    override string getName() {
+      result = call.getArgument(0).getStringValue()
+    }
+
+    override DataFlow::Node getValueNode() {
+      result = call.getArgument(1)
+    }
+  }
+}
diff --git a/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll b/javascript/ql/src/semmle/javascript/frameworks/jQuery.qll
@@ -479,8 +479,8 @@ module JQuery {
         // either a reference to a global variable `$` or `jQuery`
         this = DataFlow::globalVarRef(any(string jq | jq = "$" or jq = "jQuery"))
         or
-        // or imported from a module named `jquery`
-        this = DataFlow::moduleImport("jquery")
+        // or imported from a module named `jquery` or `zepto`
+        this = DataFlow::moduleImport(["jquery", "zepto"])
         or
         this.hasUnderlyingType("JQueryStatic")
       }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -92,6 +92,16 @@ nodes
 | classnames.js:15:47:15:63 | clsx(window.name) |
 | classnames.js:15:52:15:62 | window.name |
 | classnames.js:15:52:15:62 | window.name |
+| d3.js:4:12:4:22 | window.name |
+| d3.js:4:12:4:22 | window.name |
+| d3.js:11:15:11:24 | getTaint() |
+| d3.js:11:15:11:24 | getTaint() |
+| d3.js:12:20:12:29 | getTaint() |
+| d3.js:12:20:12:29 | getTaint() |
+| d3.js:14:20:14:29 | getTaint() |
+| d3.js:14:20:14:29 | getTaint() |
+| d3.js:21:15:21:24 | getTaint() |
+| d3.js:21:15:21:24 | getTaint() |
 | dates.js:9:9:9:69 | taint |
 | dates.js:9:17:9:69 | decodeU ... ing(1)) |
 | dates.js:9:36:9:50 | window.location |
@@ -772,6 +782,22 @@ edges
 | classnames.js:15:47:15:63 | clsx(window.name) | classnames.js:15:31:15:78 | `<span  ... <span>` |
 | classnames.js:15:52:15:62 | window.name | classnames.js:15:47:15:63 | clsx(window.name) |
 | classnames.js:15:52:15:62 | window.name | classnames.js:15:47:15:63 | clsx(window.name) |
+| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
+| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
+| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
+| d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() |
+| d3.js:4:12:4:22 | window.name | d3.js:12:20:12:29 | getTaint() |
+| d3.js:4:12:4:22 | window.name | d3.js:12:20:12:29 | getTaint() |
+| d3.js:4:12:4:22 | window.name | d3.js:12:20:12:29 | getTaint() |
+| d3.js:4:12:4:22 | window.name | d3.js:12:20:12:29 | getTaint() |
+| d3.js:4:12:4:22 | window.name | d3.js:14:20:14:29 | getTaint() |
+| d3.js:4:12:4:22 | window.name | d3.js:14:20:14:29 | getTaint() |
+| d3.js:4:12:4:22 | window.name | d3.js:14:20:14:29 | getTaint() |
+| d3.js:4:12:4:22 | window.name | d3.js:14:20:14:29 | getTaint() |
+| d3.js:4:12:4:22 | window.name | d3.js:21:15:21:24 | getTaint() |
+| d3.js:4:12:4:22 | window.name | d3.js:21:15:21:24 | getTaint() |
+| d3.js:4:12:4:22 | window.name | d3.js:21:15:21:24 | getTaint() |
+| d3.js:4:12:4:22 | window.name | d3.js:21:15:21:24 | getTaint() |
 | dates.js:9:9:9:69 | taint | dates.js:11:63:11:67 | taint |
 | dates.js:9:9:9:69 | taint | dates.js:12:66:12:70 | taint |
 | dates.js:9:9:9:69 | taint | dates.js:13:59:13:63 | taint |
@@ -1338,6 +1364,10 @@ edges
 | classnames.js:11:31:11:79 | `<span  ... <span>` | classnames.js:10:45:10:55 | window.name | classnames.js:11:31:11:79 | `<span  ... <span>` | Cross-site scripting vulnerability due to $@. | classnames.js:10:45:10:55 | window.name | user-provided value |
 | classnames.js:13:31:13:83 | `<span  ... <span>` | classnames.js:13:57:13:67 | window.name | classnames.js:13:31:13:83 | `<span  ... <span>` | Cross-site scripting vulnerability due to $@. | classnames.js:13:57:13:67 | window.name | user-provided value |
 | classnames.js:15:31:15:78 | `<span  ... <span>` | classnames.js:15:52:15:62 | window.name | classnames.js:15:31:15:78 | `<span  ... <span>` | Cross-site scripting vulnerability due to $@. | classnames.js:15:52:15:62 | window.name | user-provided value |
+| d3.js:11:15:11:24 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:11:15:11:24 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |
+| d3.js:12:20:12:29 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:12:20:12:29 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |
+| d3.js:14:20:14:29 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:14:20:14:29 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |
+| d3.js:21:15:21:24 | getTaint() | d3.js:4:12:4:22 | window.name | d3.js:21:15:21:24 | getTaint() | Cross-site scripting vulnerability due to $@. | d3.js:4:12:4:22 | window.name | user-provided value |
 | dates.js:11:31:11:70 | `Time i ... aint)}` | dates.js:9:36:9:50 | window.location | dates.js:11:31:11:70 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:9:36:9:50 | window.location | user-provided value |
 | dates.js:12:31:12:73 | `Time i ... aint)}` | dates.js:9:36:9:50 | window.location | dates.js:12:31:12:73 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:9:36:9:50 | window.location | user-provided value |
 | dates.js:13:31:13:72 | `Time i ... time)}` | dates.js:9:36:9:50 | window.location | dates.js:13:31:13:72 | `Time i ... time)}` | Cross-site scripting vulnerability due to $@. | dates.js:9:36:9:50 | window.location | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/d3.js
@@ -0,0 +1,22 @@
+const d3 = require('d3');
+
+function getTaint() {
+    return window.name;
+}
+
+function doSomething() {
+    d3.select('#main')
+        .attr('width', 100)
+        .style('color', 'red')
+        .html(getTaint()) // NOT OK
+        .html(d => getTaint()) // NOT OK
+        .call(otherFunction)
+        .html(d => getTaint()); // NOT OK
+}
+
+
+function otherFunction(selection) {
+    selection
+        .attr('foo', 'bar')
+        .html(getTaint()); // NOT OK
+}
