Merge pull request github#3458 from esbena/js/NoSQLCodeInjection

semmle-qlci · web-flow · commit 2a341d973ddf · 2020-05-13T13:33:28.000+01:00
Approved by erik-krogh
diff --git a/change-notes/1.25/analysis-javascript.md b/change-notes/1.25/analysis-javascript.md
@@ -6,6 +6,8 @@
   - [fstream](https://www.npmjs.com/package/fstream)
   - [jGrowl](https://github.com/stanlemon/jGrowl)
   - [jQuery](https://jquery.com/)
+  - [marsdb](https://www.npmjs.com/package/marsdb)
+  - [minimongo](https://www.npmjs.com/package/minimongo/)
 
 ## New queries
 
@@ -23,6 +25,7 @@
 | Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional command execution calls. |
 | Expression has no effect (`js/useless-expression`) | Less results | This query no longer flags an expression when that expression is the only content of the containing file. |
 | Unknown directive (`js/unknown-directive`) | Less results | This query no longer flags directives generated by the Babel compiler. |
+| Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving NoSQL code operators are now recognized. |
 
 ## Changes to libraries
 
diff --git a/javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll b/javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll
@@ -6,7 +6,17 @@ import javascript
 
 module NoSQL {
   /** An expression that is interpreted as a NoSQL query. */
-  abstract class Query extends Expr { }
+  abstract class Query extends Expr {
+    /** Gets an expression that is interpreted as a code operator in this query. */
+    DataFlow::Node getACodeOperator() { none() }
+  }
+}
+
+/**
+ * Gets the value of a `$where` property of an object that flows to `n`.
+ */
+private DataFlow::Node getADollarWherePropertyValue(DataFlow::Node n) {
+  result = n.getALocalSource().getAPropertyWrite("$where").getRhs()
 }
 
 /**
@@ -190,6 +200,10 @@ private module MongoDB {
    */
   class Query extends NoSQL::Query {
     Query() { this = any(QueryCall qc).getAQueryArgument().asExpr() }
+
+    override DataFlow::Node getACodeOperator() {
+      result = getADollarWherePropertyValue(this.flow())
+    }
   }
 }
 
@@ -678,6 +692,10 @@ private module Mongoose {
    */
   class MongoDBQueryPart extends NoSQL::Query {
     MongoDBQueryPart() { any(InvokeNode call).interpretsArgumentAsQuery(this.flow()) }
+
+    override DataFlow::Node getACodeOperator() {
+      result = getADollarWherePropertyValue(this.flow())
+    }
   }
 
   /**
@@ -713,3 +731,116 @@ private module Mongoose {
     }
   }
 }
+
+/**
+ * Provides classes modeling the Minimongo library.
+ */
+private module Minimongo {
+  /**
+   * Gets an expression that may refer to a Minimongo database.
+   */
+  private DataFlow::SourceNode getADb(DataFlow::TypeTracker t) {
+    t.start() and
+    // new (require('minimongo')[DBKINDNAME])()
+    result = DataFlow::moduleImport("minimongo").getAPropertyRead().getAnInvocation()
+    or
+    exists(DataFlow::TypeTracker t2 | result = getADb(t2).track(t2, t))
+  }
+
+  /** Gets a data flow node referring to a Minimongo collection. */
+  private DataFlow::SourceNode getACollection(DataFlow::TypeTracker t) {
+    t.start() and
+    // db[COLLECTIONNAME]
+    result = getADb(DataFlow::TypeTracker::end()).getAPropertyRead()
+    or
+    exists(DataFlow::TypeTracker t2 | result = getACollection(t2).track(t2, t))
+  }
+
+  /**
+   * Provides signatures for the Collection methods.
+   */
+  module CollectionMethodSignatures {
+    /**
+     * Holds if Collection method `name` interprets parameter `n` as a query.
+     */
+    predicate interpretsArgumentAsQuery(string m, int queryArgIdx) {
+      // implements most of the MongoDB interface
+      MongoDB::CollectionMethodSignatures::interpretsArgumentAsQuery(m, queryArgIdx)
+    }
+  }
+
+  /** A call to a Minimongo query method. */
+  private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
+    int queryArgIdx;
+
+    QueryCall() {
+      exists(string m | this = getACollection(DataFlow::TypeTracker::end()).getAMethodCall(m) |
+        CollectionMethodSignatures::interpretsArgumentAsQuery(m, queryArgIdx)
+      )
+    }
+
+    override DataFlow::Node getAQueryArgument() { result = getArgument(queryArgIdx) }
+  }
+
+  /**
+   * An expression that is interpreted as a Minimongo query.
+   */
+  class Query extends NoSQL::Query {
+    Query() { this = any(QueryCall qc).getAQueryArgument().asExpr() }
+
+    override DataFlow::Node getACodeOperator() {
+      result = getADollarWherePropertyValue(this.flow())
+    }
+  }
+}
+
+/**
+ * Provides classes modeling the MarsDB library.
+ */
+private module MarsDB {
+  /**
+   * Gets an expression that may refer to a MarsDB database.
+   */
+  private DataFlow::SourceNode getADb(DataFlow::TypeTracker t) {
+    t.start() and
+    // Collection = require('marsdb')
+    result = DataFlow::moduleImport("marsdb")
+    or
+    exists(DataFlow::TypeTracker t2 | result = getADb(t2).track(t2, t))
+  }
+
+  /** Gets a data flow node referring to a MarsDB collection. */
+  private DataFlow::SourceNode getACollection(DataFlow::TypeTracker t) {
+    t.start() and
+    // new Collection(...)
+    result =
+      getADb(DataFlow::TypeTracker::end()).getAPropertyRead("Collection").getAnInstantiation()
+    or
+    exists(DataFlow::TypeTracker t2 | result = getACollection(t2).track(t2, t))
+  }
+
+  /** A call to a MarsDB query method. */
+  private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
+    int queryArgIdx;
+
+    QueryCall() {
+      exists(string m | this = getACollection(DataFlow::TypeTracker::end()).getAMethodCall(m) |
+        // implements parts of the Minimongo interface
+        Minimongo::CollectionMethodSignatures::interpretsArgumentAsQuery(m, queryArgIdx)
+      )
+    }
+
+    override DataFlow::Node getAQueryArgument() { result = getArgument(queryArgIdx) }
+  }
+
+  /**
+   * An expression that is interpreted as a MarsDB query.
+   */
+  class Query extends NoSQL::Query {
+    Query() { this = any(QueryCall qc).getAQueryArgument().asExpr() }
+
+    override DataFlow::Node getACodeOperator() {
+      result = getADollarWherePropertyValue(this.flow())
+    }
+  }
+}
diff --git a/javascript/ql/src/semmle/javascript/heuristics/AdditionalSinks.qll b/javascript/ql/src/semmle/javascript/heuristics/AdditionalSinks.qll
@@ -25,6 +25,8 @@ abstract class HeuristicSink extends DataFlow::Node { }
 
 private class HeuristicCodeInjectionSink extends HeuristicSink, CodeInjection::Sink {
   HeuristicCodeInjectionSink() {
+    isAssignedTo(this, "$where")
+    or
     isAssignedToOrConcatenatedWith(this, "(?i)(command|cmd|exec|code|script|program)")
     or
     isArgTo(this, "(?i)(eval|run)") // "exec" clashes too often with `RegExp.prototype.exec`
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -115,4 +115,11 @@ module CodeInjection {
       )
     }
   }
+
+  /**
+   * A code operator of a NoSQL query as a code injection sink.
+   */
+  class NoSQLCodeInjectionSink extends Sink {
+    NoSQLCodeInjectionSink() { any(NoSQL::Query q).getACodeOperator() = this }
+  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected
@@ -1,3 +1,6 @@
+| marsdb-flow-to.js:14:3:14:22 | db.myDoc.find(query) |
+| marsdb.js:16:3:16:17 | doc.find(query) |
+| minimongo.js:18:3:18:17 | doc.find(query) |
 | mongodb.js:18:7:18:21 | doc.find(query) |
 | mongodb.js:21:7:21:48 | doc.fin ... itle }) |
 | mongodb.js:24:7:24:53 | doc.fin ... r(1) }) |
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -1,4 +1,25 @@
 nodes
+| marsdb-flow-to.js:10:9:10:18 | query |
+| marsdb-flow-to.js:10:17:10:18 | {} |
+| marsdb-flow-to.js:11:17:11:24 | req.body |
+| marsdb-flow-to.js:11:17:11:24 | req.body |
+| marsdb-flow-to.js:11:17:11:30 | req.body.title |
+| marsdb-flow-to.js:14:17:14:21 | query |
+| marsdb-flow-to.js:14:17:14:21 | query |
+| marsdb.js:12:9:12:18 | query |
+| marsdb.js:12:17:12:18 | {} |
+| marsdb.js:13:17:13:24 | req.body |
+| marsdb.js:13:17:13:24 | req.body |
+| marsdb.js:13:17:13:30 | req.body.title |
+| marsdb.js:16:12:16:16 | query |
+| marsdb.js:16:12:16:16 | query |
+| minimongo.js:14:9:14:18 | query |
+| minimongo.js:14:17:14:18 | {} |
+| minimongo.js:15:17:15:24 | req.body |
+| minimongo.js:15:17:15:24 | req.body |
+| minimongo.js:15:17:15:30 | req.body.title |
+| minimongo.js:18:12:18:16 | query |
+| minimongo.js:18:12:18:16 | query |
 | mongodb.js:12:11:12:20 | query |
 | mongodb.js:12:19:12:20 | {} |
 | mongodb.js:13:19:13:26 | req.body |
@@ -150,6 +171,33 @@ nodes
 | tst.js:10:46:10:58 | req.params.id |
 | tst.js:10:46:10:58 | req.params.id |
 edges
+| marsdb-flow-to.js:10:9:10:18 | query | marsdb-flow-to.js:14:17:14:21 | query |
+| marsdb-flow-to.js:10:9:10:18 | query | marsdb-flow-to.js:14:17:14:21 | query |
+| marsdb-flow-to.js:10:17:10:18 | {} | marsdb-flow-to.js:10:9:10:18 | query |
+| marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:11:17:11:30 | req.body.title |
+| marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:11:17:11:30 | req.body.title |
+| marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:10:9:10:18 | query |
+| marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:10:17:10:18 | {} |
+| marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:14:17:14:21 | query |
+| marsdb-flow-to.js:11:17:11:30 | req.body.title | marsdb-flow-to.js:14:17:14:21 | query |
+| marsdb.js:12:9:12:18 | query | marsdb.js:16:12:16:16 | query |
+| marsdb.js:12:9:12:18 | query | marsdb.js:16:12:16:16 | query |
+| marsdb.js:12:17:12:18 | {} | marsdb.js:12:9:12:18 | query |
+| marsdb.js:13:17:13:24 | req.body | marsdb.js:13:17:13:30 | req.body.title |
+| marsdb.js:13:17:13:24 | req.body | marsdb.js:13:17:13:30 | req.body.title |
+| marsdb.js:13:17:13:30 | req.body.title | marsdb.js:12:9:12:18 | query |
+| marsdb.js:13:17:13:30 | req.body.title | marsdb.js:12:17:12:18 | {} |
+| marsdb.js:13:17:13:30 | req.body.title | marsdb.js:16:12:16:16 | query |
+| marsdb.js:13:17:13:30 | req.body.title | marsdb.js:16:12:16:16 | query |
+| minimongo.js:14:9:14:18 | query | minimongo.js:18:12:18:16 | query |
+| minimongo.js:14:9:14:18 | query | minimongo.js:18:12:18:16 | query |
+| minimongo.js:14:17:14:18 | {} | minimongo.js:14:9:14:18 | query |
+| minimongo.js:15:17:15:24 | req.body | minimongo.js:15:17:15:30 | req.body.title |
+| minimongo.js:15:17:15:24 | req.body | minimongo.js:15:17:15:30 | req.body.title |
+| minimongo.js:15:17:15:30 | req.body.title | minimongo.js:14:9:14:18 | query |
+| minimongo.js:15:17:15:30 | req.body.title | minimongo.js:14:17:14:18 | {} |
+| minimongo.js:15:17:15:30 | req.body.title | minimongo.js:18:12:18:16 | query |
+| minimongo.js:15:17:15:30 | req.body.title | minimongo.js:18:12:18:16 | query |
 | mongodb.js:12:11:12:20 | query | mongodb.js:18:16:18:20 | query |
 | mongodb.js:12:11:12:20 | query | mongodb.js:18:16:18:20 | query |
 | mongodb.js:12:19:12:20 | {} | mongodb.js:12:11:12:20 | query |
@@ -371,6 +419,9 @@ edges
 | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' |
 | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' |
 #select
+| marsdb-flow-to.js:14:17:14:21 | query | marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:14:17:14:21 | query | This query depends on $@. | marsdb-flow-to.js:11:17:11:24 | req.body | a user-provided value |
+| marsdb.js:16:12:16:16 | query | marsdb.js:13:17:13:24 | req.body | marsdb.js:16:12:16:16 | query | This query depends on $@. | marsdb.js:13:17:13:24 | req.body | a user-provided value |
+| minimongo.js:18:12:18:16 | query | minimongo.js:15:17:15:24 | req.body | minimongo.js:18:12:18:16 | query | This query depends on $@. | minimongo.js:15:17:15:24 | req.body | a user-provided value |
 | mongodb.js:18:16:18:20 | query | mongodb.js:13:19:13:26 | req.body | mongodb.js:18:16:18:20 | query | This query depends on $@. | mongodb.js:13:19:13:26 | req.body | a user-provided value |
 | mongodb.js:32:18:32:45 | { title ... itle) } | mongodb.js:26:19:26:26 | req.body | mongodb.js:32:18:32:45 | { title ... itle) } | This query depends on $@. | mongodb.js:26:19:26:26 | req.body | a user-provided value |
 | mongodb.js:54:16:54:20 | query | mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query | This query depends on $@. | mongodb.js:49:19:49:33 | req.query.title | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb-flow-from.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb-flow-from.js
@@ -0,0 +1,9 @@
+const MarsDB = require("marsdb");
+
+const myDoc = new MarsDB.Collection("myDoc");
+
+const db = {
+  myDoc
+};
+
+module.exports = db;
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb-flow-to.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb-flow-to.js
@@ -0,0 +1,15 @@
+const express = require("express"),
+      bodyParser = require("body-parser"),
+      db = require('./marsdb-flow-from');
+
+const app = express();
+
+app.use(bodyParser.urlencoded({ extended: true }));
+
+app.post("/documents/find", (req, res) => {
+  const query = {};
+  query.title = req.body.title;
+
+  // NOT OK: query is tainted by user-provided object value
+  db.myDoc.find(query);
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/marsdb.js
@@ -0,0 +1,17 @@
+const express = require("express"),
+  MarsDB = require("marsdb"),
+  bodyParser = require("body-parser");
+
+let doc = new MarsDB.Collection("myDoc");
+
+const app = express();
+
+app.use(bodyParser.urlencoded({ extended: true }));
+
+app.post("/documents/find", (req, res) => {
+  const query = {};
+  query.title = req.body.title;
+
+  // NOT OK: query is tainted by user-provided object value
+  doc.find(query);
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/minimongo.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/minimongo.js
@@ -0,0 +1,19 @@
+const express = require("express"),
+  minimongo = require("minimongo"),
+  bodyParser = require("body-parser");
+
+var LocalDb = minimongo.MemoryDb,
+  db = new LocalDb(),
+  doc = db.myDocs;
+
+const app = express();
+
+app.use(bodyParser.urlencoded({ extended: true }));
+
+app.post("/documents/find", (req, res) => {
+  const query = {};
+  query.title = req.body.title;
+
+  // NOT OK: query is tainted by user-provided object value
+  doc.find(query);
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
@@ -1,4 +1,13 @@
 nodes
+| NoSQLCodeInjection.js:18:24:18:31 | req.body |
+| NoSQLCodeInjection.js:18:24:18:31 | req.body |
+| NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
+| NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
+| NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name |
+| NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name |
+| NoSQLCodeInjection.js:19:36:19:43 | req.body |
+| NoSQLCodeInjection.js:19:36:19:43 | req.body |
+| NoSQLCodeInjection.js:19:36:19:48 | req.body.name |
 | angularjs.js:10:22:10:29 | location |
 | angularjs.js:10:22:10:29 | location |
 | angularjs.js:10:22:10:36 | location.search |
@@ -108,6 +117,14 @@ nodes
 | tst.js:26:26:26:53 | locatio ... ring(1) |
 | tst.js:26:26:26:53 | locatio ... ring(1) |
 edges
+| NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
+| NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
+| NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
+| NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query |
+| NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:36:19:48 | req.body.name |
+| NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:36:19:48 | req.body.name |
+| NoSQLCodeInjection.js:19:36:19:48 | req.body.name | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name |
+| NoSQLCodeInjection.js:19:36:19:48 | req.body.name | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name |
 | angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search |
 | angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search |
 | angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search |
@@ -212,6 +229,8 @@ edges
 | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
 | tst.js:26:26:26:40 | location.search | tst.js:26:26:26:53 | locatio ... ring(1) |
 #select
+| NoSQLCodeInjection.js:18:24:18:37 | req.body.query | NoSQLCodeInjection.js:18:24:18:31 | req.body | NoSQLCodeInjection.js:18:24:18:37 | req.body.query | $@ flows to here and is interpreted as code. | NoSQLCodeInjection.js:18:24:18:31 | req.body | User-provided value |
+| NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | $@ flows to here and is interpreted as code. | NoSQLCodeInjection.js:19:36:19:43 | req.body | User-provided value |
 | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:29 | location | angularjs.js:10:22:10:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:10:22:10:29 | location | User-provided value |
 | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:30 | location | angularjs.js:13:23:13:37 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:13:23:13:30 | location | User-provided value |
 | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:35 | location | angularjs.js:16:28:16:42 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:16:28:16:35 | location | User-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/NoSQLCodeInjection.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/NoSQLCodeInjection.js

Original file line number	Diff line number	Diff line change
`@@ -115,4 +115,11 @@ module CodeInjection {`
`115`	`115`	`)`
`116`	`116`	`}`
`117`	`117`	`}`
	`118`	`+`
	`119`	`+ /**`
	`120`	`+ * A code operator of a NoSQL query as a code injection sink.`
	`121`	`+ */`
	`122`	`+ class NoSQLCodeInjectionSink extends Sink {`
	`123`	`+ NoSQLCodeInjectionSink() { any(NoSQL::Query q).getACodeOperator() = this }`
	`124`	`+ }`
`118`	`125`	`}`