Merge pull request github#5449 from erik-krogh/asExec

Approved by esbena

Author: codeql-ci

javascript/change-notes/2021-03-19-async-execute.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The command injection security queries now recognize additional sinks.
+  Affected packages are
+    [async-execute](https://npmjs.com/package/async-execute)

javascript/ql/src/semmle/javascript/PackageExports.qll

@@ -70,6 +70,58 @@ private DataFlow::Node getAValueExportedByPackage() {
     result = cla.getAStaticMethod() or
     result = cla.getConstructor()
   )
+  or
+  // *****
+  // Common styles of transforming exported objects.
+  // *****
+  //
+  // Object.defineProperties
+  exists(DataFlow::MethodCallNode call |
+    call = DataFlow::globalVarRef("Object").getAMethodCall("defineProperties") and
+    [call, call.getArgument(0)] = getAValueExportedByPackage() and
+    result = call.getArgument(any(int i | i > 0))
+  )
+  or
+  // Object.defineProperty
+  exists(CallToObjectDefineProperty call |
+    [call, call.getBaseObject()] = getAValueExportedByPackage()
+  |
+    result = call.getPropertyDescriptor().getALocalSource().getAPropertyReference("value")
+    or
+    result =
+      call.getPropertyDescriptor()
+          .getALocalSource()
+          .getAPropertyReference("get")
+          .(DataFlow::FunctionNode)
+          .getAReturn()
+  )
+  or
+  // Object.assign and friends
+  exists(ExtendCall assign |
+    getAValueExportedByPackage() = [assign, assign.getDestinationOperand()] and
+    result = assign.getASourceOperand()
+  )
+  or
+  // Array.prototype.{map, reduce, entries, values}
+  exists(DataFlow::MethodCallNode map |
+    map.getMethodName() = ["map", "reduce", "entries", "values"] and
+    map = getAValueExportedByPackage()
+  |
+    result = map.getArgument(0).getABoundFunctionValue(_).getAReturn()
+    or
+    // assuming that the receiver of the call is somehow exported
+    result = map.getReceiver()
+  )
+  or
+  // Object.{fromEntries, freeze, seal, entries, values}
+  exists(DataFlow::MethodCallNode freeze |
+    freeze =
+      DataFlow::globalVarRef("Object")
+          .getAMethodCall(["fromEntries", "freeze", "seal", "entries", "values"])
+  |
+    freeze = getAValueExportedByPackage() and
+    result = freeze.getArgument(0)
+  )
 }
 
 /**

javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll

@@ -253,6 +253,12 @@ class TypeBackTracker extends TTypeBackTracker {
    */
   predicate start() { hasReturn = false and prop = "" }
 
+  /**
+   * Holds if this is the starting point of type backtracking, and the value is in the property named `propName`.
+   * The type tracking only ends after the property has been stored.
+   */
+  predicate isInProp(PropertyName propName) { hasReturn = false and prop = propName }
+
   /**
    * Holds if this is the end point of type tracking.
    */

javascript/ql/src/semmle/javascript/frameworks/SystemCommandExecutors.qll

@@ -43,9 +43,15 @@ private predicate execApi(string mod, int cmdArg, int optionsArg, boolean shell)
   )
   or
   shell = true and
-  mod = "exec" and
-  optionsArg = -2 and
-  cmdArg = 0
+  (
+    mod = "exec" and
+    optionsArg = -2 and
+    cmdArg = 0
+    or
+    mod = "async-execute" and
+    optionsArg = 1 and
+    cmdArg = 0
+  )
 }
 
 private class SystemCommandExecutors extends SystemCommandExecution, DataFlow::InvokeNode {

javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected

@@ -205,6 +205,14 @@ nodes
 | lib/lib.js:405:39:405:42 | name |
 | lib/lib.js:406:22:406:25 | name |
 | lib/lib.js:406:22:406:25 | name |
+| lib/lib.js:413:39:413:42 | name |
+| lib/lib.js:413:39:413:42 | name |
+| lib/lib.js:414:24:414:27 | name |
+| lib/lib.js:414:24:414:27 | name |
+| lib/lib.js:418:20:418:23 | name |
+| lib/lib.js:418:20:418:23 | name |
+| lib/lib.js:419:25:419:28 | name |
+| lib/lib.js:419:25:419:28 | name |
 edges
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
@@ -444,6 +452,14 @@ edges
 | lib/lib.js:405:39:405:42 | name | lib/lib.js:406:22:406:25 | name |
 | lib/lib.js:405:39:405:42 | name | lib/lib.js:406:22:406:25 | name |
 | lib/lib.js:405:39:405:42 | name | lib/lib.js:406:22:406:25 | name |
+| lib/lib.js:413:39:413:42 | name | lib/lib.js:414:24:414:27 | name |
+| lib/lib.js:413:39:413:42 | name | lib/lib.js:414:24:414:27 | name |
+| lib/lib.js:413:39:413:42 | name | lib/lib.js:414:24:414:27 | name |
+| lib/lib.js:413:39:413:42 | name | lib/lib.js:414:24:414:27 | name |
+| lib/lib.js:418:20:418:23 | name | lib/lib.js:419:25:419:28 | name |
+| lib/lib.js:418:20:418:23 | name | lib/lib.js:419:25:419:28 | name |
+| lib/lib.js:418:20:418:23 | name | lib/lib.js:419:25:419:28 | name |
+| lib/lib.js:418:20:418:23 | name | lib/lib.js:419:25:419:28 | name |
 #select
 | lib/lib2.js:4:10:4:25 | "rm -rf " + name | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name | $@ based on library input is later used in $@. | lib/lib2.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/lib2.js:4:2:4:26 | cp.exec ... + name) | shell command |
 | lib/lib2.js:8:10:8:25 | "rm -rf " + name | lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name | $@ based on library input is later used in $@. | lib/lib2.js:8:10:8:25 | "rm -rf " + name | String concatenation | lib/lib2.js:8:2:8:26 | cp.exec ... + name) | shell command |
@@ -502,3 +518,5 @@ edges
 | lib/lib.js:351:10:351:27 | "rm -rf " + unsafe | lib/lib.js:349:29:349:34 | unsafe | lib/lib.js:351:22:351:27 | unsafe | $@ based on library input is later used in $@. | lib/lib.js:351:10:351:27 | "rm -rf " + unsafe | String concatenation | lib/lib.js:351:2:351:28 | cp.exec ... unsafe) | shell command |
 | lib/lib.js:366:17:366:56 | "learn  ... + model | lib/lib.js:360:20:360:23 | opts | lib/lib.js:366:28:366:42 | this.learn_args | $@ based on library input is later used in $@. | lib/lib.js:366:17:366:56 | "learn  ... + model | String concatenation | lib/lib.js:367:3:367:18 | cp.exec(command) | shell command |
 | lib/lib.js:406:10:406:25 | "rm -rf " + name | lib/lib.js:405:39:405:42 | name | lib/lib.js:406:22:406:25 | name | $@ based on library input is later used in $@. | lib/lib.js:406:10:406:25 | "rm -rf " + name | String concatenation | lib/lib.js:406:2:406:26 | cp.exec ... + name) | shell command |
+| lib/lib.js:414:12:414:27 | "rm -rf " + name | lib/lib.js:413:39:413:42 | name | lib/lib.js:414:24:414:27 | name | $@ based on library input is later used in $@. | lib/lib.js:414:12:414:27 | "rm -rf " + name | String concatenation | lib/lib.js:414:2:414:28 | asyncEx ... + name) | shell command |
+| lib/lib.js:419:13:419:28 | "rm -rf " + name | lib/lib.js:418:20:418:23 | name | lib/lib.js:419:25:419:28 | name | $@ based on library input is later used in $@. | lib/lib.js:419:13:419:28 | "rm -rf " + name | String concatenation | lib/lib.js:419:3:419:29 | asyncEx ... + name) | shell command |

javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js

@@ -408,3 +408,35 @@ module.exports.sanitizer3 = function (name) {
 	var sanitized = yetAnohterSanitizer(name);
 	cp.exec("rm -rf " + sanitized); // OK
 }
+
+var asyncExec = require("async-execute");
+module.exports.asyncStuff = function (name) {
+	asyncExec("rm -rf " + name); // NOT OK
+}
+
+const myFuncs = {
+	myFunc: function (name) {
+		asyncExec("rm -rf " + name); // NOT OK
+	}
+};
+
+module.exports.blabity = {};
+
+Object.defineProperties(
+	module.exports.blabity,
+	Object.assign(
+		{},
+		Object.entries(myFuncs).reduce(
+			(props, [ key, value ]) => Object.assign(
+				props,
+				{
+					[key]: {
+						value,
+						configurable: true,
+					},
+				},
+			),
+			{}
+		)
+	)
+);