add model for puppeteer

Author: erik-krogh

javascript/ql/src/javascript.qll

@@ -102,6 +102,7 @@ import semmle.javascript.frameworks.Next
 import semmle.javascript.frameworks.NoSQL
 import semmle.javascript.frameworks.PkgCloud
 import semmle.javascript.frameworks.PropertyProjection
+import semmle.javascript.frameworks.Puppeteer
 import semmle.javascript.frameworks.React
 import semmle.javascript.frameworks.ReactNative
 import semmle.javascript.frameworks.Request

javascript/ql/src/semmle/javascript/frameworks/Puppeteer.qll

@@ -0,0 +1,125 @@
+import javascript
+
+/**
+ * Classes and predicates modelling the `puppeteer` library.
+ */
+module Puppeteer {
+  /**
+   * A reference to a module import of puppeteer.
+   */
+  private API::Node puppeteer() { result = API::moduleImport(["puppeteer", "puppeteer-core"]) }
+
+  private class BrowserTypeEntryPoint extends API::EntryPoint {
+    BrowserTypeEntryPoint() { this = "PuppeteerBrowserTypeEntryPoint" }
+
+    override DataFlow::SourceNode getAUse() { result.hasUnderlyingType("puppeteer", "Browser") }
+
+    override DataFlow::Node getARhs() { none() }
+  }
+
+  /**
+   * A reference to a `Browser` from puppeteer.
+   */
+  private API::Node browser() {
+    result = API::root().getASuccessor(any(BrowserTypeEntryPoint b))
+    or
+    result = puppeteer().getMember(["launch", "connect"]).getReturn().getPromised()
+    or
+    result = [page(), context(), target()].getMember("browser").getReturn()
+  }
+
+  private class PageTypeEntryPoint extends API::EntryPoint {
+    PageTypeEntryPoint() { this = "PuppeteerPageTypeEntryPoint" }
+
+    override DataFlow::SourceNode getAUse() { result.hasUnderlyingType("puppeteer", "Page") }
+
+    override DataFlow::Node getARhs() { none() }
+  }
+
+  /**
+   * A reference to a `Page` from puppeteer.
+   */
+  API::Node page() {
+    result = API::root().getASuccessor(any(PageTypeEntryPoint b))
+    or
+    result = [browser(), context()].getMember("newPage").getReturn().getPromised()
+    or
+    result = [browser(), context()].getMember("pages").getReturn().getPromised().getUnknownMember()
+    or
+    result = target().getMember("page").getReturn().getPromised()
+  }
+
+  private class TargetTypeEntryPoint extends API::EntryPoint {
+    TargetTypeEntryPoint() { this = "PuppeteerTargetTypeEntryPoint" }
+
+    override DataFlow::SourceNode getAUse() { result.hasUnderlyingType("puppeteer", "Target") }
+
+    override DataFlow::Node getARhs() { none() }
+  }
+
+  /**
+   * A reference to a `Target` from puppeteer.
+   */
+  private API::Node target() {
+    result = API::root().getASuccessor(any(TargetTypeEntryPoint b))
+    or
+    result = [page(), browser()].getMember("target").getReturn()
+    or
+    result = context().getMember("targets").getReturn().getUnknownMember()
+    or
+    result = target().getMember("opener").getReturn()
+  }
+
+  private class ContextTypeEntryPoint extends API::EntryPoint {
+    ContextTypeEntryPoint() { this = "PuppeteerContextTypeEntryPoint" }
+
+    override DataFlow::SourceNode getAUse() {
+      result.hasUnderlyingType("puppeteer", "BrowserContext")
+    }
+
+    override DataFlow::Node getARhs() { none() }
+  }
+
+  /**
+   * A reference to a `BrowserContext` from puppeteer.
+   */
+  private API::Node context() {
+    result = API::root().getASuccessor(any(ContextTypeEntryPoint b))
+    or
+    result = [page(), target()].getMember("browserContext").getReturn()
+    or
+    result = browser().getMember("browserContexts").getReturn().getUnknownMember()
+    or
+    result = browser().getMember("createIncognitoBrowserContext").getReturn().getPromised()
+    or
+    result = browser().getMember("defaultBrowserContext").getReturn()
+  }
+
+  /**
+   * A call requesting a `Page` to navigate to some url, seen as a `ClientRequest`.
+   */
+  private class PuppeteerGotoCall extends ClientRequest::Range, API::InvokeNode {
+    PuppeteerGotoCall() { this = page().getMember("goto").getACall() }
+
+    override DataFlow::Node getUrl() { result = getArgument(0) }
+
+    override DataFlow::Node getHost() { none() }
+
+    override DataFlow::Node getADataNode() { none() }
+  }
+
+  /**
+   * A call requesting a `Page` to load a stylesheet or script, seen as a `ClientRequest`.
+   */
+  private class PuppeteerLoadResourceCall extends ClientRequest::Range, API::InvokeNode {
+    PuppeteerLoadResourceCall() {
+      this = page().getMember(["addStyleTag", "addScriptTag"]).getACall()
+    }
+
+    override DataFlow::Node getUrl() { result = getParameter(0).getMember("url").getARhs() }
+
+    override DataFlow::Node getHost() { none() }
+
+    override DataFlow::Node getADataNode() { none() }
+  }
+}

javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll

@@ -631,6 +631,20 @@ module TaintedPath {
     SendPathSink() { this = DataFlow::moduleImport("send").getACall().getArgument(1) }
   }
 
+  /**
+   * A path argument given to a `Page` in puppeteer, specifying where a pdf/screenshot should be saved.
+   */
+  private class PuppeteerPath extends TaintedPath::Sink {
+    PuppeteerPath() {
+      this =
+        Puppeteer::page()
+            .getMember(["pdf", "screenshot"])
+            .getParameter(0)
+            .getMember("path")
+            .getARhs()
+    }
+  }
+
   /**
    * Holds if there is a step `src -> dst` mapping `srclabel` to `dstlabel` relevant for path traversal vulnerabilities.
    */

javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected

@@ -5,6 +5,9 @@ test_ClientRequest
 | apollo.js:17:1:17:34 | new Pre ... yurl"}) |
 | apollo.js:20:1:20:77 | createN ... phql'}) |
 | apollo.js:23:1:23:31 | new Web ... wsUri}) |
+| puppeteer.ts:6:11:6:42 | page.go ... e.com') |
+| puppeteer.ts:8:5:8:61 | page.ad ... css" }) |
+| puppeteer.ts:18:30:18:50 | page.go ... estUrl) |
 | tst.js:11:5:11:16 | request(url) |
 | tst.js:13:5:13:20 | request.get(url) |
 | tst.js:15:5:15:23 | request.delete(url) |
@@ -136,6 +139,9 @@ test_getUrl
 | apollo.js:17:1:17:34 | new Pre ... yurl"}) | apollo.js:17:26:17:32 | "myurl" |
 | apollo.js:20:1:20:77 | createN ... phql'}) | apollo.js:20:30:20:75 | 'https: ... raphql' |
 | apollo.js:23:1:23:31 | new Web ... wsUri}) | apollo.js:23:25:23:29 | wsUri |
+| puppeteer.ts:6:11:6:42 | page.go ... e.com') | puppeteer.ts:6:21:6:41 | 'https: ... le.com' |
+| puppeteer.ts:8:5:8:61 | page.ad ... css" }) | puppeteer.ts:8:29:8:58 | "http:/ ... le.css" |
+| puppeteer.ts:18:30:18:50 | page.go ... estUrl) | puppeteer.ts:18:40:18:49 | requestUrl |
 | tst.js:11:5:11:16 | request(url) | tst.js:11:13:11:15 | url |
 | tst.js:13:5:13:20 | request.get(url) | tst.js:13:17:13:19 | url |
 | tst.js:15:5:15:23 | request.delete(url) | tst.js:15:20:15:22 | url |

javascript/ql/test/library-tests/frameworks/ClientRequests/puppeteer.ts

@@ -0,0 +1,20 @@
+import * as puppeteer from 'puppeteer';
+
+(async () => {
+    const browser = await puppeteer.launch();
+    const page = await browser.newPage();
+    await page.goto('https://example.com');
+
+    page.addStyleTag({ url: "http://example.org/style.css" })
+})();
+
+class Renderer {
+    private browser: puppeteer.Browser;
+    constructor(browser: puppeteer.Browser) {
+        this.browser = browser;
+    }
+    async foo(requestUrl: string): Promise<void> {
+        const page = await this.browser.newPage();
+        let response = await page.goto(requestUrl);
+    }
+}

javascript/ql/test/library-tests/frameworks/ClientRequests/tsconfig.json

@@ -0,0 +1 @@
+{}

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected

@@ -2168,6 +2168,24 @@ nodes
 | other-fs-libraries.js:42:53:42:56 | path |
 | other-fs-libraries.js:42:53:42:56 | path |
 | other-fs-libraries.js:42:53:42:56 | path |
+| pupeteer.js:5:9:5:71 | tainted |
+| pupeteer.js:5:9:5:71 | tainted |
+| pupeteer.js:5:9:5:71 | tainted |
+| pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
+| pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
+| pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name |
+| pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:13:37:13:43 | tainted |
 | tainted-access-paths.js:6:7:6:48 | path |
 | tainted-access-paths.js:6:7:6:48 | path |
 | tainted-access-paths.js:6:7:6:48 | path |
@@ -6403,6 +6421,27 @@ edges
 | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:38:14:38:37 | url.par ... , true) |
 | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:38:14:38:37 | url.par ... , true) |
 | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:38:14:38:37 | url.par ... , true) |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:5:19:5:71 | "dir/"  ... t.data" | pupeteer.js:5:9:5:71 | tainted |
+| pupeteer.js:5:19:5:71 | "dir/"  ... t.data" | pupeteer.js:5:9:5:71 | tainted |
+| pupeteer.js:5:19:5:71 | "dir/"  ... t.data" | pupeteer.js:5:9:5:71 | tainted |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
 | tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
 | tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
 | tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
@@ -8007,6 +8046,8 @@ edges
 | other-fs-libraries.js:40:35:40:38 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:40:35:40:38 | path | This path depends on $@. | other-fs-libraries.js:38:24:38:30 | req.url | a user-provided value |
 | other-fs-libraries.js:41:50:41:53 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:41:50:41:53 | path | This path depends on $@. | other-fs-libraries.js:38:24:38:30 | req.url | a user-provided value |
 | other-fs-libraries.js:42:53:42:56 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:42:53:42:56 | path | This path depends on $@. | other-fs-libraries.js:38:24:38:30 | req.url | a user-provided value |
+| pupeteer.js:9:28:9:34 | tainted | pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:9:28:9:34 | tainted | This path depends on $@. | pupeteer.js:5:28:5:53 | parseTo ... t).name | a user-provided value |
+| pupeteer.js:13:37:13:43 | tainted | pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:13:37:13:43 | tainted | This path depends on $@. | pupeteer.js:5:28:5:53 | parseTo ... t).name | a user-provided value |
 | tainted-access-paths.js:8:19:8:22 | path | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:8:19:8:22 | path | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
 | tainted-access-paths.js:12:19:12:25 | obj.sub | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:12:19:12:25 | obj.sub | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
 | tainted-access-paths.js:26:19:26:26 | obj.sub3 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:26:19:26:26 | obj.sub3 | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js

@@ -0,0 +1,18 @@
+const puppeteer = require('puppeteer');
+const parseTorrent = require('parse-torrent');
+
+(async () => {
+    let tainted = "dir/" + parseTorrent(torrent).name + ".torrent.data";
+
+    const browser = await puppeteer.launch();
+    const page = await browser.newPage();
+    await page.pdf({ path: tainted, format: 'a4' });
+
+    const pages = await browser.pages();
+    for (let i = 0; i < something(); i++) {
+        pages[i].screenshot({ path: tainted });
+    }
+
+    await browser.close();
+})();
+