Merge pull request github#6271 from erik-krogh/logs

codeql-ci · web-flow · commit 9aafe8242e53 · 2021-07-16T03:49:22.000-07:00
Approved by asgerf
diff --git a/javascript/change-notes/2021-07-12-logs.md b/javascript/change-notes/2021-07-12-logs.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The `js/log-injection` query now recognizes more logging frameworks.
+  Affected packages are
+    [pino](https://npmjs.com/package/pino)
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Logging.qll b/javascript/ql/src/semmle/javascript/frameworks/Logging.qll
@@ -338,6 +338,45 @@ class StripAnsiStep extends TaintTracking::SharedTaintStep {
   }
 }
 
+/**
+ * Provides classes and predicates for working with the `pino` library.
+ */
+private module Pino {
+  /**
+   * Gets a logger instance created by importing the `pino` library.
+   */
+  private API::Node pinoApi() {
+    result = API::moduleImport("pino").getReturn()
+    or
+    result = pinoApi().getMember("child").getReturn()
+  }
+
+  /**
+   * Gets a logger instance from the `pino` library.
+   */
+  private API::Node pino() {
+    result = pinoApi()
+    or
+    // `pino` is installed as the "log" property on the request object in `Express` and similar libraries.
+    // in `Hapi` the property is "logger".
+    exists(HTTP::RequestExpr req, API::Node reqNode |
+      reqNode.getAnImmediateUse() = req.flow().getALocalSource() and
+      result = reqNode.getMember(["log", "logger"])
+    )
+  }
+
+  /**
+   * A logging call to the `pino` library.
+   */
+  private class PinoCall extends LoggerCall {
+    PinoCall() {
+      this = pino().getMember(["trace", "debug", "info", "warn", "error", "fatal"]).getACall()
+    }
+
+    override DataFlow::Node getAMessageComponent() { result = getAnArgument() }
+  }
+}
+
 /**
  * A step through the [`ansi-to-html`](https://npmjs.org/package/ansi-to-html) library.
  */
diff --git a/javascript/ql/test/query-tests/Security/CWE-117/LogInjection.expected b/javascript/ql/test/query-tests/Security/CWE-117/LogInjection.expected
@@ -76,6 +76,24 @@ nodes
 | logInjectionBad.js:66:17:66:43 | prettyj ... ername) |
 | logInjectionBad.js:66:17:66:43 | prettyj ... ername) |
 | logInjectionBad.js:66:35:66:42 | username |
+| logInjectionBad.js:72:9:72:36 | q |
+| logInjectionBad.js:72:13:72:36 | url.par ... , true) |
+| logInjectionBad.js:72:23:72:29 | req.url |
+| logInjectionBad.js:72:23:72:29 | req.url |
+| logInjectionBad.js:73:9:73:35 | username |
+| logInjectionBad.js:73:20:73:20 | q |
+| logInjectionBad.js:73:20:73:26 | q.query |
+| logInjectionBad.js:73:20:73:35 | q.query.username |
+| logInjectionBad.js:75:15:75:22 | username |
+| logInjectionBad.js:75:15:75:22 | username |
+| logInjectionBad.js:82:30:82:37 | username |
+| logInjectionBad.js:82:30:82:37 | username |
+| logInjectionBad.js:91:26:91:33 | username |
+| logInjectionBad.js:91:26:91:33 | username |
+| logInjectionBad.js:99:26:99:33 | username |
+| logInjectionBad.js:99:26:99:33 | username |
+| logInjectionBad.js:113:37:113:44 | username |
+| logInjectionBad.js:113:37:113:44 | username |
 edges
 | logInjectionBad.js:19:9:19:36 | q | logInjectionBad.js:20:20:20:20 | q |
 | logInjectionBad.js:19:13:19:36 | url.par ... , true) | logInjectionBad.js:19:9:19:36 | q |
@@ -151,6 +169,23 @@ edges
 | logInjectionBad.js:64:20:64:35 | q.query.username | logInjectionBad.js:64:9:64:35 | username |
 | logInjectionBad.js:66:35:66:42 | username | logInjectionBad.js:66:17:66:43 | prettyj ... ername) |
 | logInjectionBad.js:66:35:66:42 | username | logInjectionBad.js:66:17:66:43 | prettyj ... ername) |
+| logInjectionBad.js:72:9:72:36 | q | logInjectionBad.js:73:20:73:20 | q |
+| logInjectionBad.js:72:13:72:36 | url.par ... , true) | logInjectionBad.js:72:9:72:36 | q |
+| logInjectionBad.js:72:23:72:29 | req.url | logInjectionBad.js:72:13:72:36 | url.par ... , true) |
+| logInjectionBad.js:72:23:72:29 | req.url | logInjectionBad.js:72:13:72:36 | url.par ... , true) |
+| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:75:15:75:22 | username |
+| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:75:15:75:22 | username |
+| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:82:30:82:37 | username |
+| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:82:30:82:37 | username |
+| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:91:26:91:33 | username |
+| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:91:26:91:33 | username |
+| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:99:26:99:33 | username |
+| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:99:26:99:33 | username |
+| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:113:37:113:44 | username |
+| logInjectionBad.js:73:9:73:35 | username | logInjectionBad.js:113:37:113:44 | username |
+| logInjectionBad.js:73:20:73:20 | q | logInjectionBad.js:73:20:73:26 | q.query |
+| logInjectionBad.js:73:20:73:26 | q.query | logInjectionBad.js:73:20:73:35 | q.query.username |
+| logInjectionBad.js:73:20:73:35 | q.query.username | logInjectionBad.js:73:9:73:35 | username |
 #select
 | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:23:37:23:44 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:23:37:23:44 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
@@ -168,3 +203,8 @@ edges
 | logInjectionBad.js:57:17:57:48 | chalk.u ... ername) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:57:17:57:48 | chalk.u ... ername) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
 | logInjectionBad.js:58:17:58:59 | stripAn ... rname)) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:58:17:58:59 | stripAn ... rname)) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
 | logInjectionBad.js:66:17:66:43 | prettyj ... ername) | logInjectionBad.js:63:23:63:29 | req.url | logInjectionBad.js:66:17:66:43 | prettyj ... ername) | $@ flows to log entry. | logInjectionBad.js:63:23:63:29 | req.url | User-provided value |
+| logInjectionBad.js:75:15:75:22 | username | logInjectionBad.js:72:23:72:29 | req.url | logInjectionBad.js:75:15:75:22 | username | $@ flows to log entry. | logInjectionBad.js:72:23:72:29 | req.url | User-provided value |
+| logInjectionBad.js:82:30:82:37 | username | logInjectionBad.js:72:23:72:29 | req.url | logInjectionBad.js:82:30:82:37 | username | $@ flows to log entry. | logInjectionBad.js:72:23:72:29 | req.url | User-provided value |
+| logInjectionBad.js:91:26:91:33 | username | logInjectionBad.js:72:23:72:29 | req.url | logInjectionBad.js:91:26:91:33 | username | $@ flows to log entry. | logInjectionBad.js:72:23:72:29 | req.url | User-provided value |
+| logInjectionBad.js:99:26:99:33 | username | logInjectionBad.js:72:23:72:29 | req.url | logInjectionBad.js:99:26:99:33 | username | $@ flows to log entry. | logInjectionBad.js:72:23:72:29 | req.url | User-provided value |
+| logInjectionBad.js:113:37:113:44 | username | logInjectionBad.js:72:23:72:29 | req.url | logInjectionBad.js:113:37:113:44 | username | $@ flows to log entry. | logInjectionBad.js:72:23:72:29 | req.url | User-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-117/logInjectionBad.js b/javascript/ql/test/query-tests/Security/CWE-117/logInjectionBad.js
@@ -64,4 +64,56 @@ const server3 = http.createServer((req, res) => {
     let username = q.query.username;
 
     console.log(prettyjson.render(username)); // NOT OK
+
+});
+
+const pino = require('pino')()
+const server4 = http.createServer((req, res) => {
+    let q = url.parse(req.url, true);
+    let username = q.query.username;
+
+    pino.info(username); // NOT OK
+
+    function fastify() {
+        const fastify = require('fastify')({
+            logger: true
+        });
+        fastify.get('/', async (request, reply) => {
+            request.log.info(username); // NOT OK
+            return { hello: 'world' }
+        });
+    }
+
+    function express() {
+        const express = require('express');
+        const app = express();
+        app.get('/', (req, res) => {
+            req.log.info(username); // NOT OK
+            res.send({ hello: 'world' });
+        });
+    }
+
+    function http() {
+        const http = require('http');
+        const server = http.createServer((req, res) => {
+            req.log.info(username); // NOT OK
+            res.end('Hello World\n');
+        });
+        server.listen(3000);
+    }
+
+    function hapi() {
+        const Hapi = require('hapi');
+        const server = new Hapi.Server();
+        server.connection({ port: 3000 });
+        server.route({
+            method: 'GET',
+            path: '/',
+            handler: (request, reply) => {
+                request.logger.info(username); // NOT OK
+                reply({ hello: 'world' });
+            }
+        });
+        server.start();
+    }
 });
