Merge branch 'master' of https://github.com/github/codeql into pr/erik-krogh/3478

Author: erik-krogh

change-notes/1.25/analysis-javascript.md

@@ -11,6 +11,8 @@
   - [marsdb](https://www.npmjs.com/package/marsdb)
   - [minimongo](https://www.npmjs.com/package/minimongo/)
   - [Promise](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise)
+  - [ssh2](https://www.npmjs.com/package/ssh2)
+  - [ssh2-streams](https://www.npmjs.com/package/ssh2-streams)
 
 ## New queries
 

javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll

@@ -710,23 +710,25 @@ module NodeJSLib {
   }
 
   /**
-   * A call to a method from module `vm`
+   * DEPRECATED Use `VmModuleMemberInvocation` instead.
    */
-  class VmModuleMethodCall extends DataFlow::CallNode {
-    string methodName;
+  deprecated class VmModuleMethodCall = VmModuleMemberInvocation;
+
+  /**
+   * An invocation of a member from module `vm`
+   */
+  class VmModuleMemberInvocation extends DataFlow::InvokeNode {
+    string memberName;
 
-    VmModuleMethodCall() { this = DataFlow::moduleMember("vm", methodName).getACall() }
+    VmModuleMemberInvocation() { this = DataFlow::moduleMember("vm", memberName).getAnInvocation() }
 
     /**
-     * Gets the code to be executed as part of this call.
+     * Gets the code to be executed as part of this invocation.
      */
     DataFlow::Node getACodeArgument() {
-      (
-        methodName = "runInContext" or
-        methodName = "runInNewContext" or
-        methodName = "runInThisContext"
-      ) and
-      // all of the above methods take the command as their first argument
+      memberName in ["Script", "SourceTextModule", "compileFunction", "runInContext",
+            "runInNewContext", "runInThisContext"] and
+      // all of the above methods/constructors take the command as their first argument
       result = getArgument(0)
     }
   }

javascript/ql/src/semmle/javascript/frameworks/SystemCommandExecutors.qll

@@ -51,13 +51,9 @@ private class SystemCommandExecutors extends SystemCommandExecution, DataFlow::I
         )
         or
         shell = true and
-        (
-          mod = "exec" and
-          optionsArg = -2 and
-          cmdArg = 0
-          or
-          mod = "remote-exec" and cmdArg = 1 and optionsArg = -1
-        )
+        mod = "exec" and
+        optionsArg = -2 and
+        cmdArg = 0
       ) and
       callee = DataFlow::moduleImport(mod)
     |
@@ -97,3 +93,33 @@ private boolean getSync(string name) {
   then result = true
   else result = false
 }
+
+private class RemoteCommandExecutor extends SystemCommandExecution, DataFlow::InvokeNode {
+  int cmdArg;
+
+  RemoteCommandExecutor() {
+    this = DataFlow::moduleImport("remote-exec").getACall() and
+    cmdArg = 1
+    or
+    exists(DataFlow::SourceNode ssh2, DataFlow::SourceNode client |
+      ssh2 = DataFlow::moduleImport("ssh2") and
+      (client = ssh2 or client = ssh2.getAPropertyRead("Client")) and
+      this = client.getAnInstantiation().getAMethodCall("exec") and
+      cmdArg = 0
+    )
+    or
+    exists(DataFlow::SourceNode ssh2stream |
+      ssh2stream = DataFlow::moduleMember("ssh2-streams", "SSH2Stream") and
+      this = ssh2stream.getAnInstantiation().getAMethodCall("exec") and
+      cmdArg = 1
+    )
+  }
+
+  override DataFlow::Node getACommandArgument() { result = getArgument(cmdArg) }
+
+  override predicate isShellInterpreted(DataFlow::Node arg) { arg = getACommandArgument() }
+
+  override predicate isSync() { none() }
+
+  override DataFlow::Node getOptionsArg() { none() }
+}

javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll

@@ -48,7 +48,9 @@ module CodeInjection {
    * `vm` module.
    */
   class NodeJSVmSink extends Sink, DataFlow::ValueNode {
-    NodeJSVmSink() { exists(NodeJSLib::VmModuleMethodCall call | this = call.getACodeArgument()) }
+    NodeJSVmSink() {
+      exists(NodeJSLib::VmModuleMemberInvocation inv | this = inv.getACodeArgument())
+    }
   }
 
   /**

javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected

@@ -93,6 +93,12 @@ nodes
 | other.js:18:22:18:24 | cmd |
 | other.js:19:36:19:38 | cmd |
 | other.js:19:36:19:38 | cmd |
+| other.js:22:21:22:23 | cmd |
+| other.js:22:21:22:23 | cmd |
+| other.js:23:28:23:30 | cmd |
+| other.js:23:28:23:30 | cmd |
+| other.js:26:34:26:36 | cmd |
+| other.js:26:34:26:36 | cmd |
 | third-party-command-injection.js:5:20:5:26 | command |
 | third-party-command-injection.js:5:20:5:26 | command |
 | third-party-command-injection.js:6:21:6:27 | command |
@@ -184,6 +190,12 @@ edges
 | other.js:5:9:5:49 | cmd | other.js:18:22:18:24 | cmd |
 | other.js:5:9:5:49 | cmd | other.js:19:36:19:38 | cmd |
 | other.js:5:9:5:49 | cmd | other.js:19:36:19:38 | cmd |
+| other.js:5:9:5:49 | cmd | other.js:22:21:22:23 | cmd |
+| other.js:5:9:5:49 | cmd | other.js:22:21:22:23 | cmd |
+| other.js:5:9:5:49 | cmd | other.js:23:28:23:30 | cmd |
+| other.js:5:9:5:49 | cmd | other.js:23:28:23:30 | cmd |
+| other.js:5:9:5:49 | cmd | other.js:26:34:26:36 | cmd |
+| other.js:5:9:5:49 | cmd | other.js:26:34:26:36 | cmd |
 | other.js:5:15:5:38 | url.par ... , true) | other.js:5:15:5:44 | url.par ... ).query |
 | other.js:5:15:5:44 | url.par ... ).query | other.js:5:15:5:49 | url.par ... ry.path |
 | other.js:5:15:5:49 | url.par ... ry.path | other.js:5:9:5:49 | cmd |
@@ -226,4 +238,7 @@ edges
 | other.js:17:27:17:29 | cmd | other.js:5:25:5:31 | req.url | other.js:17:27:17:29 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:18:22:18:24 | cmd | other.js:5:25:5:31 | req.url | other.js:18:22:18:24 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:19:36:19:38 | cmd | other.js:5:25:5:31 | req.url | other.js:19:36:19:38 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
+| other.js:22:21:22:23 | cmd | other.js:5:25:5:31 | req.url | other.js:22:21:22:23 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
+| other.js:23:28:23:30 | cmd | other.js:5:25:5:31 | req.url | other.js:23:28:23:30 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
+| other.js:26:34:26:36 | cmd | other.js:5:25:5:31 | req.url | other.js:26:34:26:36 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | third-party-command-injection.js:6:21:6:27 | command | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | This command depends on $@. | third-party-command-injection.js:5:20:5:26 | command | a server-provided value |

javascript/ql/test/query-tests/Security/CWE-078/other.js

@@ -17,4 +17,11 @@ var server = http.createServer(function(req, res) {
     require("exec-async")(cmd); // NOT OK
     require("execa")(cmd); // NOT OK
     require("remote-exec")(target, cmd); // NOT OK
+
+    const ssh2 = require("ssh2");
+    new ssh2().exec(cmd); // NOT OK
+    new ssh2.Client().exec(cmd); // NOT OK
+
+    const SSH2Stream = require("ssh2-streams").SSH2Stream;
+    new SSH2Stream().exec(false, cmd); // NOT OK
 });

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected

@@ -76,6 +76,18 @@ nodes
 | express.js:12:8:12:53 | "return ...  + "];" |
 | express.js:12:28:12:46 | req.param("wobble") |
 | express.js:12:28:12:46 | req.param("wobble") |
+| express.js:15:22:15:54 | req.par ... ction") |
+| express.js:15:22:15:54 | req.par ... ction") |
+| express.js:15:22:15:54 | req.par ... ction") |
+| express.js:17:30:17:53 | req.par ... cript") |
+| express.js:17:30:17:53 | req.par ... cript") |
+| express.js:17:30:17:53 | req.par ... cript") |
+| express.js:19:37:19:70 | req.par ... odule") |
+| express.js:19:37:19:70 | req.par ... odule") |
+| express.js:19:37:19:70 | req.par ... odule") |
+| express.js:21:19:21:48 | req.par ... ntext") |
+| express.js:21:19:21:48 | req.par ... ntext") |
+| express.js:21:19:21:48 | req.par ... ntext") |
 | react-native.js:7:7:7:33 | tainted |
 | react-native.js:7:17:7:33 | req.param("code") |
 | react-native.js:7:17:7:33 | req.param("code") |
@@ -193,6 +205,10 @@ edges
 | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ...  + "];" |
 | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ...  + "];" |
 | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ...  + "];" |
+| express.js:15:22:15:54 | req.par ... ction") | express.js:15:22:15:54 | req.par ... ction") |
+| express.js:17:30:17:53 | req.par ... cript") | express.js:17:30:17:53 | req.par ... cript") |
+| express.js:19:37:19:70 | req.par ... odule") | express.js:19:37:19:70 | req.par ... odule") |
+| express.js:21:19:21:48 | req.par ... ntext") | express.js:21:19:21:48 | req.par ... ntext") |
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted |
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted |
 | react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted |
@@ -248,6 +264,10 @@ edges
 | express.js:7:24:7:69 | "return ...  + "];" | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ...  + "];" | $@ flows to here and is interpreted as code. | express.js:7:44:7:62 | req.param("wobble") | User-provided value |
 | express.js:9:34:9:79 | "return ...  + "];" | express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ...  + "];" | $@ flows to here and is interpreted as code. | express.js:9:54:9:72 | req.param("wobble") | User-provided value |
 | express.js:12:8:12:53 | "return ...  + "];" | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ...  + "];" | $@ flows to here and is interpreted as code. | express.js:12:28:12:46 | req.param("wobble") | User-provided value |
+| express.js:15:22:15:54 | req.par ... ction") | express.js:15:22:15:54 | req.par ... ction") | express.js:15:22:15:54 | req.par ... ction") | $@ flows to here and is interpreted as code. | express.js:15:22:15:54 | req.par ... ction") | User-provided value |
+| express.js:17:30:17:53 | req.par ... cript") | express.js:17:30:17:53 | req.par ... cript") | express.js:17:30:17:53 | req.par ... cript") | $@ flows to here and is interpreted as code. | express.js:17:30:17:53 | req.par ... cript") | User-provided value |
+| express.js:19:37:19:70 | req.par ... odule") | express.js:19:37:19:70 | req.par ... odule") | express.js:19:37:19:70 | req.par ... odule") | $@ flows to here and is interpreted as code. | express.js:19:37:19:70 | req.par ... odule") | User-provided value |
+| express.js:21:19:21:48 | req.par ... ntext") | express.js:21:19:21:48 | req.par ... ntext") | express.js:21:19:21:48 | req.par ... ntext") | $@ flows to here and is interpreted as code. | express.js:21:19:21:48 | req.par ... ntext") | User-provided value |
 | react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | $@ flows to here and is interpreted as code. | react-native.js:7:17:7:33 | req.param("code") | User-provided value |
 | react-native.js:10:23:10:29 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:10:23:10:29 | tainted | $@ flows to here and is interpreted as code. | react-native.js:7:17:7:33 | req.param("code") | User-provided value |
 | tst.js:2:6:2:83 | documen ... t=")+8) | tst.js:2:6:2:22 | document.location | tst.js:2:6:2:83 | documen ... t=")+8) | $@ flows to here and is interpreted as code. | tst.js:2:6:2:22 | document.location | User-provided value |

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected

@@ -80,6 +80,18 @@ nodes
 | express.js:12:8:12:53 | "return ...  + "];" |
 | express.js:12:28:12:46 | req.param("wobble") |
 | express.js:12:28:12:46 | req.param("wobble") |
+| express.js:15:22:15:54 | req.par ... ction") |
+| express.js:15:22:15:54 | req.par ... ction") |
+| express.js:15:22:15:54 | req.par ... ction") |
+| express.js:17:30:17:53 | req.par ... cript") |
+| express.js:17:30:17:53 | req.par ... cript") |
+| express.js:17:30:17:53 | req.par ... cript") |
+| express.js:19:37:19:70 | req.par ... odule") |
+| express.js:19:37:19:70 | req.par ... odule") |
+| express.js:19:37:19:70 | req.par ... odule") |
+| express.js:21:19:21:48 | req.par ... ntext") |
+| express.js:21:19:21:48 | req.par ... ntext") |
+| express.js:21:19:21:48 | req.par ... ntext") |
 | react-native.js:7:7:7:33 | tainted |
 | react-native.js:7:17:7:33 | req.param("code") |
 | react-native.js:7:17:7:33 | req.param("code") |
@@ -201,6 +213,10 @@ edges
 | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ...  + "];" |
 | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ...  + "];" |
 | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ...  + "];" |
+| express.js:15:22:15:54 | req.par ... ction") | express.js:15:22:15:54 | req.par ... ction") |
+| express.js:17:30:17:53 | req.par ... cript") | express.js:17:30:17:53 | req.par ... cript") |
+| express.js:19:37:19:70 | req.par ... odule") | express.js:19:37:19:70 | req.par ... odule") |
+| express.js:21:19:21:48 | req.par ... ntext") | express.js:21:19:21:48 | req.par ... ntext") |
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted |
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted |
 | react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted |

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js

@@ -9,5 +9,14 @@ app.get('/some/path', function(req, res) {
   require("vm").runInThisContext("return wibbles[" + req.param("wobble") + "];");
   var runC = require("vm").runInNewContext;
   // NOT OK
-  runC("return wibbles[" + req.param("wobble") + "];");  
+  runC("return wibbles[" + req.param("wobble") + "];");
+  var vm = require("vm");
+  // NOT OK
+  vm.compileFunction(req.param("code_compileFunction"));
+  // NOT OK
+  var script = new vm.Script(req.param("code_Script"));
+  // NOT OK
+  var mdl = new vm.SourceTextModule(req.param("code_SourceTextModule"));
+  // NOT OK
+  vm.runInContext(req.param("code_runInContext"), vm.createContext());
 });