JS: Add schema validation as TaintedObject sanitizer

Author: asgerf

javascript/ql/src/javascript.qll

@@ -36,6 +36,7 @@ import semmle.javascript.InclusionTests
 import semmle.javascript.JSDoc
 import semmle.javascript.JSON
 import semmle.javascript.JsonParsers
+import semmle.javascript.JsonSchema
 import semmle.javascript.JsonStringifiers
 import semmle.javascript.JSX
 import semmle.javascript.Lines

javascript/ql/src/semmle/javascript/JsonSchema.qll

@@ -0,0 +1,73 @@
+/**
+ * Provides classes and predicates for working with JSON schema libraries.
+ */
+
+import javascript
+
+/**
+ * Provides classes and predicates for working with JSON schema libraries.
+ */
+module JsonSchema {
+  /** A call that validates an input against a JSON schema. */
+  abstract class ValidationCall extends DataFlow::CallNode {
+    /** Gets the data flow node whose value is being validated. */
+    abstract DataFlow::Node getInput();
+
+    /** Gets the return value that indicates successful validation. */
+    boolean getPolarity() { result = true }
+  }
+
+  /** Provides a model of the `ajv` library. */
+  module Ajv {
+    /** A method on `Ajv` that returns `this`. */
+    private string chainedMethod() {
+      result =
+        ["addSchema", "addMetaSchema", "removeSchema", "addFormat", "addKeyword", "removeKeyword"]
+    }
+
+    /** An instance of `ajv`. */
+    class Instance extends API::InvokeNode {
+      Instance() { this = API::moduleImport("ajv").getAnInstantiation() }
+
+      /** Gets the data flow node holding the options passed to this `Ajv` instance. */
+      DataFlow::Node getOptionsArg() { result = getArgument(0) }
+
+      /** Gets an API node that refers to this object. */
+      API::Node ref() {
+        result = getReturn()
+        or
+        result = ref().getMember(chainedMethod()).getReturn()
+      }
+    }
+
+    /** A call to the `validate` method of `ajv`. */
+    class AjvValidationCall extends ValidationCall {
+      Instance instance;
+      int argIndex;
+
+      AjvValidationCall() {
+        this = instance.ref().getMember("validate").getACall() and argIndex = 1
+        or
+        this = instance.ref().getMember(["compile", "getSchema"]).getReturn().getACall() and
+        argIndex = 0
+        or
+        this = instance.ref().getMember("compileAsync").getPromised().getACall() and argIndex = 0
+      }
+
+      override DataFlow::Node getInput() { result = getArgument(argIndex) }
+
+      /** Gets the argument holding additional options to the call. */
+      DataFlow::Node getOwnOptionsArg() { result = getArgument(argIndex + 1) }
+
+      /** Gets a data flow passed as the extra options to this validation call or to the underlying `Ajv` instance. */
+      DataFlow::Node getAnOptionsArg() {
+        result = getOwnOptionsArg()
+        or
+        result = instance.getOptionsArg()
+      }
+
+      /** Gets the ajv instance doing the validation. */
+      Instance getAjvInstance() { result = instance }
+    }
+  }
+}

javascript/ql/src/semmle/javascript/security/TaintedObject.qll

@@ -120,4 +120,19 @@ module TaintedObject {
       label = label()
     }
   }
+
+  /**
+   * A sanitizer guard that validates an input against a JSON schema.
+   */
+  private class JsonSchemaValidationGuard extends SanitizerGuard {
+    JsonSchema::ValidationCall call;
+
+    JsonSchemaValidationGuard() { this = call }
+
+    override predicate sanitizes(boolean outcome, Expr e, FlowLabel label) {
+      outcome = call.getPolarity() and
+      e = call.getInput().asExpr() and
+      label = label()
+    }
+  }
 }

javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected

@@ -1,3 +1,7 @@
+| json-schema-validator.js:27:13:27:27 | doc.find(query) |
+| json-schema-validator.js:30:13:30:27 | doc.find(query) |
+| json-schema-validator.js:33:13:33:27 | doc.find(query) |
+| json-schema-validator.js:35:9:35:23 | doc.find(query) |
 | marsdb-flow-to.js:14:3:14:22 | db.myDoc.find(query) |
 | marsdb.js:16:3:16:17 | doc.find(query) |
 | minimongo.js:18:3:18:17 | doc.find(query) |

javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected

@@ -1,4 +1,12 @@
 nodes
+| json-schema-validator.js:25:15:25:48 | query |
+| json-schema-validator.js:25:23:25:48 | JSON.pa ... y.data) |
+| json-schema-validator.js:25:34:25:47 | req.query.data |
+| json-schema-validator.js:25:34:25:47 | req.query.data |
+| json-schema-validator.js:33:22:33:26 | query |
+| json-schema-validator.js:33:22:33:26 | query |
+| json-schema-validator.js:35:18:35:22 | query |
+| json-schema-validator.js:35:18:35:22 | query |
 | marsdb-flow-to.js:10:9:10:18 | query |
 | marsdb-flow-to.js:10:17:10:18 | {} |
 | marsdb-flow-to.js:11:17:11:24 | req.body |
@@ -250,6 +258,13 @@ nodes
 | tst.js:10:46:10:58 | req.params.id |
 | tst.js:10:46:10:58 | req.params.id |
 edges
+| json-schema-validator.js:25:15:25:48 | query | json-schema-validator.js:33:22:33:26 | query |
+| json-schema-validator.js:25:15:25:48 | query | json-schema-validator.js:33:22:33:26 | query |
+| json-schema-validator.js:25:15:25:48 | query | json-schema-validator.js:35:18:35:22 | query |
+| json-schema-validator.js:25:15:25:48 | query | json-schema-validator.js:35:18:35:22 | query |
+| json-schema-validator.js:25:23:25:48 | JSON.pa ... y.data) | json-schema-validator.js:25:15:25:48 | query |
+| json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:25:23:25:48 | JSON.pa ... y.data) |
+| json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:25:23:25:48 | JSON.pa ... y.data) |
 | marsdb-flow-to.js:10:9:10:18 | query | marsdb-flow-to.js:14:17:14:21 | query |
 | marsdb-flow-to.js:10:9:10:18 | query | marsdb-flow-to.js:14:17:14:21 | query |
 | marsdb-flow-to.js:10:17:10:18 | {} | marsdb-flow-to.js:10:9:10:18 | query |
@@ -586,6 +601,8 @@ edges
 | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' |
 | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' |
 #select
+| json-schema-validator.js:33:22:33:26 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:33:22:33:26 | query | This query depends on $@. | json-schema-validator.js:25:34:25:47 | req.query.data | a user-provided value |
+| json-schema-validator.js:35:18:35:22 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:35:18:35:22 | query | This query depends on $@. | json-schema-validator.js:25:34:25:47 | req.query.data | a user-provided value |
 | marsdb-flow-to.js:14:17:14:21 | query | marsdb-flow-to.js:11:17:11:24 | req.body | marsdb-flow-to.js:14:17:14:21 | query | This query depends on $@. | marsdb-flow-to.js:11:17:11:24 | req.body | a user-provided value |
 | marsdb.js:16:12:16:16 | query | marsdb.js:13:17:13:24 | req.body | marsdb.js:16:12:16:16 | query | This query depends on $@. | marsdb.js:13:17:13:24 | req.body | a user-provided value |
 | minimongo.js:18:12:18:16 | query | minimongo.js:15:17:15:24 | req.body | minimongo.js:18:12:18:16 | query | This query depends on $@. | minimongo.js:15:17:15:24 | req.body | a user-provided value |

javascript/ql/test/query-tests/Security/CWE-089/untyped/json-schema-validator.js

@@ -0,0 +1,37 @@
+import Ajv from 'ajv';
+import express from 'express';
+import { MongoClient } from 'mongodb';
+
+const app = express();
+
+const schema = {
+    type: 'object',
+    properties: {
+        date: { type: 'string' },
+        title: { type: 'string' },
+    },
+};
+const ajv = new Ajv();
+const checkSchema = ajv.compile(schema);
+
+function validate(x) {
+    return x != null;
+}
+
+app.post('/documents/find', (req, res) => {
+    MongoClient.connect('mongodb://localhost:27017/test', (err, db) => {
+        let doc = db.collection('doc');
+
+        const query = JSON.parse(req.query.data);
+        if (checkSchema(query)) {
+            doc.find(query); // OK
+        }
+        if (ajv.validate(schema, query)) {
+            doc.find(query); // OK
+        }
+        if (validate(query)) {
+            doc.find(query); // NOT OK - validate() doesn't sanitize
+        }
+        doc.find(query); // NOT OK
+    });
+});