Merge pull request github#3447 from erik-krogh/LibCmdInjection

Approved by asgerf, mchammer01

Author: semmle-qlci

change-notes/1.25/analysis-javascript.md

@@ -29,6 +29,7 @@
 | Cross-site scripting through DOM (`js/xss-through-dom`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights potential XSS vulnerabilities where existing text from the DOM is used as HTML. Results are not shown on LGTM by default. |
 | Incomplete HTML attribute sanitization (`js/incomplete-html-attribute-sanitization`) | security, external/cwe/cwe-20, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights potential XSS vulnerabilities due to incomplete sanitization of HTML meta-characters. Results are shown on LGTM by default. |
 | Unsafe expansion of self-closing HTML tag (`js/unsafe-html-expansion`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights potential XSS vulnerabilities caused by unsafe expansion of self-closing HTML tags. |
+| Unsafe shell command constructed from library input (`js/shell-command-constructed-from-input`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 | Highlights potential command injections due to a shell command being constructed from library inputs. Results are shown on LGTM by default. |
 
 ## Changes to existing queries
 

javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.qhelp

@@ -0,0 +1,75 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+<overview>
+	<p>
+		
+		Dynamically constructing a shell command with inputs from exported 
+		functions may inadvertently change the meaning of the shell command.
+		
+		Clients using the exported function may use inputs containing
+		characters that the shell interprets in a special way, for instance
+		quotes and spaces.
+
+		This can result in the shell command misbehaving, or even
+		allowing a malicious user to execute arbitrary commands on the system.
+	</p>
+
+
+</overview>
+<recommendation>
+
+	<p>
+		If possible, provide the dynamic arguments to the shell as an array 
+		using a safe API such as <code>child_process.execFile</code> to avoid
+		interpretation by the shell.
+	</p>
+
+	<p>
+		Alternatively, if the shell command must be constructed
+		dynamically, then add code to ensure that special characters 
+		do not alter the shell command unexpectedly.
+	</p>
+
+</recommendation>
+<example>
+
+	<p>
+		The following example shows a dynamically constructed shell
+		command that downloads a file from a remote URL.
+	</p>
+
+	<sample src="examples/unsafe-shell-command-construction.js" />
+
+	<p>
+		The shell command will, however, fail to work as intended if the
+		input contains spaces or other special characters interpreted in a 
+		special way by the shell. 
+	</p>
+
+	<p>
+		Even worse, a client might pass in user-controlled
+		data, not knowing that the input is interpreted as a shell command. 
+		This could allow a malicious user to provide the input <code>http://example.org; cat /etc/passwd</code>
+		in order to execute the command <code>cat /etc/passwd</code>.
+	</p>
+
+	<p>
+		To avoid such potentially catastrophic behaviors, provide the
+		inputs from exported functions as an argument that does not
+		get interpreted by a shell:
+	</p>
+
+	<sample src="examples/unsafe-shell-command-construction_fixed.js" />
+
+</example>
+<references>
+
+	<li>
+		OWASP:
+		<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
+	</li>
+
+</references>
+</qhelp>

javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Unsafe shell command constructed from library input
+ * @description Using externally controlled strings in a command line may allow a malicious
+ *              user to change the meaning of the command.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id js/shell-command-constructed-from-input
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-078
+ *       external/cwe/cwe-088
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.UnsafeShellCommandConstruction::UnsafeShellCommandConstruction
+import DataFlow::PathGraph
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode
+where cfg.hasFlowPath(source, sink) and sinkNode = sink.getNode()
+select sinkNode.getAlertLocation(), source, sink, "$@ based on libary input is later used in $@.",
+  sinkNode.getAlertLocation(), sinkNode.getSinkType(), sinkNode.getCommandExecution(),
+  "shell command"

javascript/ql/src/Security/CWE-078/examples/unsafe-shell-command-construction.js

@@ -0,0 +1,5 @@
+var cp = require("child_process");
+
+module.exports = function download(path, callback) {
+  cp.exec("wget " + path, callback);
+}

javascript/ql/src/Security/CWE-078/examples/unsafe-shell-command-construction_fixed.js

@@ -0,0 +1,5 @@
+var cp = require("child_process");
+
+module.exports = function download(path, callback) {
+  cp.execFile("wget", [path], callback);
+}

javascript/ql/src/semmle/javascript/PackageExports.qll

@@ -0,0 +1,71 @@
+/**
+ * EXPERIMENTAL. This API may change in the future.
+ *
+ * Provides predicates for working with values exported from a package.
+ */
+
+import javascript
+
+/**
+ * Gets the number of occurrences of "/" in `path`.
+ */
+bindingset[path]
+private int countSlashes(string path) { result = count(path.splitAt("/")) - 1 }
+
+/**
+ * Gets the topmost package.json that appears in the project.
+ *
+ * There can be multiple results if the there exists multiple package.json that are equally deeply nested in the folder structure.
+ * Results are limited to package.json files that are at most nested 2 directories deep.
+ */
+PackageJSON getTopmostPackageJSON() {
+  result =
+    min(PackageJSON j |
+      countSlashes(j.getFile().getRelativePath()) <= 3
+    |
+      j order by countSlashes(j.getFile().getRelativePath())
+    )
+}
+
+/**
+ * Gets a value exported by the main module from the package.json `packageJSON`.
+ * The value is either directly the `module.exports` value, a nested property of `module.exports`, or a method on an exported class.
+ */
+DataFlow::Node getAValueExportedBy(PackageJSON packageJSON) {
+  result = getAnExportFromModule(packageJSON.getMainModule())
+  or
+  result = getAValueExportedBy(packageJSON).(DataFlow::PropWrite).getRhs()
+  or
+  exists(DataFlow::SourceNode callee |
+    callee = getAValueExportedBy(packageJSON).(DataFlow::NewNode).getCalleeNode().getALocalSource()
+  |
+    result = callee.getAPropertyRead("prototype").getAPropertyWrite()
+    or
+    result = callee.(DataFlow::ClassNode).getAnInstanceMethod()
+  )
+  or
+  result = getAValueExportedBy(packageJSON).getALocalSource()
+  or
+  result = getAValueExportedBy(packageJSON).(DataFlow::SourceNode).getAPropertyReference()
+  or
+  exists(Module mod |
+    mod = getAValueExportedBy(packageJSON).getEnclosingExpr().(Import).getImportedModule()
+  |
+    result = getAnExportFromModule(mod)
+  )
+  or
+  exists(DataFlow::ClassNode cla | cla = getAValueExportedBy(packageJSON) |
+    result = cla.getAnInstanceMethod() or
+    result = cla.getAStaticMethod() or
+    result = cla.getConstructor()
+  )
+}
+
+/**
+ * Gets an exported node from the module `mod`.
+ */
+private DataFlow::Node getAnExportFromModule(Module mod) {
+  result.analyze().getAValue() = mod.(NodeModule).getAModuleExportsValue()
+  or
+  exists(ASTNode export | result.getEnclosingExpr() = export | mod.exports(_, export))
+}

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll

@@ -779,7 +779,8 @@ module TaintTracking {
    */
   class AdHocWhitelistCheckSanitizer extends SanitizerGuardNode, DataFlow::CallNode {
     AdHocWhitelistCheckSanitizer() {
-      getCalleeName().regexpMatch("(?i).*((?<!un)safe|whitelist|allow|(?<!un)auth(?!or\\b)).*") and
+      getCalleeName()
+          .regexpMatch("(?i).*((?<!un)safe|whitelist|(?<!in)valid|allow|(?<!un)auth(?!or\\b)).*") and
       getNumArgument() = 1
     }
 

javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll

@@ -449,10 +449,7 @@ module NodeJSLib {
 
     private DataFlow::SourceNode fsModule(DataFlow::TypeTracker t) {
       exists(string moduleName |
-        moduleName = "fs" or
-        moduleName = "graceful-fs" or
-        moduleName = "fs-extra" or
-        moduleName = "original-fs"
+        moduleName = ["mz/fs", "original-fs", "fs-extra", "graceful-fs", "fs"]
       |
         result = DataFlow::moduleImport(moduleName)
         or
@@ -621,6 +618,8 @@ module NodeJSLib {
 
     ChildProcessMethodCall() {
       this = maybePromisified(DataFlow::moduleMember("child_process", methodName)).getACall()
+      or
+      this = DataFlow::moduleMember("mz/child_process", methodName).getACall()
     }
 
     private DataFlow::Node getACommandArgument(boolean shell) {

javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandArgument.qll

@@ -52,7 +52,7 @@ private DataFlow::SourceNode argumentList(SystemCommandExecution sys, DataFlow::
     result = pred.backtrack(t2, t)
     or
     t = t2.continue() and
-    TaintTracking::arrayFunctionTaintStep(result, pred, _)
+    TaintTracking::arrayFunctionTaintStep(any(DataFlow::Node n | result.flowsTo(n)), pred, _)
   )
 }
 

javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll

@@ -0,0 +1,35 @@
+/**
+ * Provides a taint tracking configuration for reasoning about shell command
+ * constructed from library input vulnerabilities (CWE-078).
+ *
+ * Note, for performance reasons: only import this file if
+ * `UnsafeShellCommandConstruction::Configuration` is needed, otherwise
+ * `UnsafeShellCommandConstructionCustomizations` should be imported instead.
+ */
+
+import javascript
+
+/**
+ * Classes and predicates for the shell command constructed from library input query.
+ */
+module UnsafeShellCommandConstruction {
+  import UnsafeShellCommandConstructionCustomizations::UnsafeShellCommandConstruction
+
+  /**
+   * A taint-tracking configuration for reasoning about shell command constructed from library input vulnerabilities.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "UnsafeShellCommandConstruction" }
+
+    override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+    override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+      guard instanceof PathExistsSanitizerGuard or
+      guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer
+    }
+  }
+}