Merge pull request github#11672 from asgerf/js/extensions

asgerf · web-flow · commit bfe9ee3ead94 · 2022-12-13T15:34:11.000+01:00
JS: Add data extension sinks
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/NoSQL.qll b/javascript/ql/lib/semmle/javascript/frameworks/NoSQL.qll
@@ -11,6 +11,10 @@ module NoSql {
     /** Gets an expression that is interpreted as a code operator in this query. */
     DataFlow::Node getACodeOperator() { none() }
   }
+
+  private class QueryFromModel extends Query {
+    QueryFromModel() { this = ModelOutput::getASinkNode("nosql-injection").asSink() }
+  }
 }
 
 /** DEPRECATED: Alias for NoSql */
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -235,4 +235,8 @@ module ClientSideUrlRedirect {
       this = NextJS::nextRouter().getAMemberCall(["push", "replace"]).getArgument(0)
     }
   }
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("url-redirection").asSink() }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -410,4 +410,8 @@ module CodeInjection {
 
   /** DEPRECATED: Alias for JsonStringifySanitizer */
   deprecated class JSONStringifySanitizer = JsonStringifySanitizer;
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("code-injection").asSink() }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll
@@ -50,4 +50,8 @@ module CommandInjection {
   class SystemCommandExecutionSink extends Sink, DataFlow::ValueNode {
     SystemCommandExecutionSink() { this = any(SystemCommandExecution sys).getACommandArgument() }
   }
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("command-line-injection").asSink() }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll
@@ -342,4 +342,8 @@ module DomBasedXss {
       outcome = super.getPolarity()
     }
   }
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("html-injection").asSink() }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
@@ -150,4 +150,8 @@ module ReflectedXss {
       this.(Http::RequestHeaderAccess).getAHeaderName() = "referer"
     }
   }
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("html-injection").asSink() }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
@@ -73,4 +73,12 @@ module RequestForgery {
       pred = url.getArgument(0)
     )
   }
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("request-forgery").asSink() }
+
+    override DataFlow::Node getARequest() { result = this }
+
+    override string getKind() { result = "endpoint" }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectCustomizations.qll
@@ -62,4 +62,8 @@ module ServerSideUrlRedirect {
       )
     }
   }
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("url-redirection").asSink() }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -946,4 +946,8 @@ module TaintedPath {
       )
     )
   }
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("path-injection").asSink() }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll
@@ -49,4 +49,8 @@ module UnsafeDeserialization {
       )
     }
   }
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("unsafe-deserialization").asSink() }
+  }
 }
diff --git a/javascript/ql/test/library-tests/DataExtensions/Test.expected b/javascript/ql/test/library-tests/DataExtensions/Test.expected
@@ -0,0 +1,7 @@
+commandInjectionSinks
+| execa.example.js:2:7:2:9 | cmd |
+sqlInjectionSinks
+| connection.example.ts:4:20:4:20 | q |
+| connection.example.ts:9:18:9:18 | q |
+remoteFlowSources
+| message.example.js:1:46:1:50 | event |
diff --git a/javascript/ql/test/library-tests/DataExtensions/Test.ql b/javascript/ql/test/library-tests/DataExtensions/Test.ql
@@ -0,0 +1,11 @@
+import javascript
+private import semmle.javascript.security.dataflow.CommandInjectionCustomizations
+private import semmle.javascript.security.dataflow.SqlInjectionCustomizations
+
+query predicate commandInjectionSinks(DataFlow::Node node) {
+  node instanceof CommandInjection::Sink
+}
+
+query predicate sqlInjectionSinks(DataFlow::Node node) { node instanceof SqlInjection::Sink }
+
+query predicate remoteFlowSources(RemoteFlowSource node) { any() }
diff --git a/javascript/ql/test/library-tests/DataExtensions/connection.example.ts b/javascript/ql/test/library-tests/DataExtensions/connection.example.ts
@@ -0,0 +1,9 @@
+import { Connection } from "@example/mysql";
+
+function submit(connection: Connection, q: string) {
+  connection.query(q); // <-- add 'q' as a SQL injection sink
+}
+
+import { getConnection } from "@example/db";
+let connection = getConnection();
+connection.query(q); // <-- add 'q' as a SQL injection sink
diff --git a/javascript/ql/test/library-tests/DataExtensions/connection.model.yml b/javascript/ql/test/library-tests/DataExtensions/connection.model.yml
@@ -0,0 +1,20 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - [
+          "@example/mysql.Connection",
+          "Member[query].Argument[0]",
+          "sql-injection",
+        ]
+
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: typeModel
+    data:
+      - [
+          "@example/mysql.Connection",
+          "@example/db",
+          "Member[getConnection].ReturnValue",
+        ]
diff --git a/javascript/ql/test/library-tests/DataExtensions/execa.example.js b/javascript/ql/test/library-tests/DataExtensions/execa.example.js
@@ -0,0 +1,2 @@
+import { shell } from "@example/execa";
+shell(cmd);
diff --git a/javascript/ql/test/library-tests/DataExtensions/execa.model.yml b/javascript/ql/test/library-tests/DataExtensions/execa.model.yml
@@ -0,0 +1,10 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - [
+          "@example/execa",
+          "Member[shell].Argument[0]",
+          "command-line-injection",
+        ]
diff --git a/javascript/ql/test/library-tests/DataExtensions/message.example.js b/javascript/ql/test/library-tests/DataExtensions/message.example.js
@@ -0,0 +1,7 @@
+window.addEventListener("message", function (event) {
+    let data = event.data; // <-- add 'event.data' as a taint source
+});
+
+window.addEventListener("onclick", function (event) {
+    let data = event.data; // <-- 'event.data' should not be a taint source
+});
diff --git a/javascript/ql/test/library-tests/DataExtensions/message.model.yml b/javascript/ql/test/library-tests/DataExtensions/message.model.yml
@@ -0,0 +1,10 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sourceModel
+    data:
+      - [
+          "global",
+          "Member[addEventListener].WithStringArgument[0=message].Argument[1].Parameter[0].Member[data]",
+          "remote-flow",
+        ]
diff --git a/javascript/ql/test/qlpack.yml b/javascript/ql/test/qlpack.yml
@@ -5,3 +5,5 @@ dependencies:
   codeql/javascript-queries: ${workspace}
 extractor: javascript
 tests: .
+dataExtensions:
+  - library-tests/DataExtensions/*.model.yml

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,10 @@ module NoSql {`
`11`	`11`	`/** Gets an expression that is interpreted as a code operator in this query. */`
`12`	`12`	`DataFlow::Node getACodeOperator() { none() }`
`13`	`13`	`}`
	`14`	`+`
	`15`	`+ private class QueryFromModel extends Query {`
	`16`	`+ QueryFromModel() { this = ModelOutput::getASinkNode("nosql-injection").asSink() }`
	`17`	`+ }`
`14`	`18`	`}`
`15`	`19`
`16`	`20`	`/** DEPRECATED: Alias for NoSql */`
Original file line number	Diff line number	Diff line change
`@@ -235,4 +235,8 @@ module ClientSideUrlRedirect {`
`235`	`235`	`this = NextJS::nextRouter().getAMemberCall(["push", "replace"]).getArgument(0)`
`236`	`236`	`}`
`237`	`237`	`}`
	`238`	`+`
	`239`	`+ private class SinkFromModel extends Sink {`
	`240`	`+ SinkFromModel() { this = ModelOutput::getASinkNode("url-redirection").asSink() }`
	`241`	`+ }`
`238`	`242`	`}`
Original file line number	Diff line number	Diff line change
`@@ -410,4 +410,8 @@ module CodeInjection {`
`410`	`410`
`411`	`411`	`/** DEPRECATED: Alias for JsonStringifySanitizer */`
`412`	`412`	`deprecated class JSONStringifySanitizer = JsonStringifySanitizer;`
	`413`	`+`
	`414`	`+ private class SinkFromModel extends Sink {`
	`415`	`+ SinkFromModel() { this = ModelOutput::getASinkNode("code-injection").asSink() }`
	`416`	`+ }`
`413`	`417`	`}`
Original file line number	Diff line number	Diff line change
`@@ -50,4 +50,8 @@ module CommandInjection {`
`50`	`50`	`class SystemCommandExecutionSink extends Sink, DataFlow::ValueNode {`
`51`	`51`	`SystemCommandExecutionSink() { this = any(SystemCommandExecution sys).getACommandArgument() }`
`52`	`52`	`}`
	`53`	`+`
	`54`	`+ private class SinkFromModel extends Sink {`
	`55`	`+ SinkFromModel() { this = ModelOutput::getASinkNode("command-line-injection").asSink() }`
	`56`	`+ }`
`53`	`57`	`}`
Original file line number	Diff line number	Diff line change
`@@ -342,4 +342,8 @@ module DomBasedXss {`
`342`	`342`	`outcome = super.getPolarity()`
`343`	`343`	`}`
`344`	`344`	`}`
	`345`	`+`
	`346`	`+ private class SinkFromModel extends Sink {`
	`347`	`+ SinkFromModel() { this = ModelOutput::getASinkNode("html-injection").asSink() }`
	`348`	`+ }`
`345`	`349`	`}`
Original file line number	Diff line number	Diff line change
`@@ -150,4 +150,8 @@ module ReflectedXss {`
`150`	`150`	`this.(Http::RequestHeaderAccess).getAHeaderName() = "referer"`
`151`	`151`	`}`
`152`	`152`	`}`
	`153`	`+`
	`154`	`+ private class SinkFromModel extends Sink {`
	`155`	`+ SinkFromModel() { this = ModelOutput::getASinkNode("html-injection").asSink() }`
	`156`	`+ }`
`153`	`157`	`}`
Original file line number	Diff line number	Diff line change
`@@ -73,4 +73,12 @@ module RequestForgery {`
`73`	`73`	`pred = url.getArgument(0)`
`74`	`74`	`)`
`75`	`75`	`}`
	`76`	`+`
	`77`	`+ private class SinkFromModel extends Sink {`
	`78`	`+ SinkFromModel() { this = ModelOutput::getASinkNode("request-forgery").asSink() }`
	`79`	`+`
	`80`	`+ override DataFlow::Node getARequest() { result = this }`
	`81`	`+`
	`82`	`+ override string getKind() { result = "endpoint" }`
	`83`	`+ }`
`76`	`84`	`}`
Original file line number	Diff line number	Diff line change
`@@ -62,4 +62,8 @@ module ServerSideUrlRedirect {`
`62`	`62`	`)`
`63`	`63`	`}`
`64`	`64`	`}`
	`65`	`+`
	`66`	`+ private class SinkFromModel extends Sink {`
	`67`	`+ SinkFromModel() { this = ModelOutput::getASinkNode("url-redirection").asSink() }`
	`68`	`+ }`
`65`	`69`	`}`
Original file line number	Diff line number	Diff line change
`@@ -946,4 +946,8 @@ module TaintedPath {`
`946`	`946`	`)`
`947`	`947`	`)`
`948`	`948`	`}`
	`949`	`+`
	`950`	`+ private class SinkFromModel extends Sink {`
	`951`	`+ SinkFromModel() { this = ModelOutput::getASinkNode("path-injection").asSink() }`
	`952`	`+ }`
`949`	`953`	`}`
Original file line number	Diff line number	Diff line change
`@@ -49,4 +49,8 @@ module UnsafeDeserialization {`
`49`	`49`	`)`
`50`	`50`	`}`
`51`	`51`	`}`
	`52`	`+`
	`53`	`+ private class SinkFromModel extends Sink {`
	`54`	`+ SinkFromModel() { this = ModelOutput::getASinkNode("unsafe-deserialization").asSink() }`
	`55`	`+ }`
`52`	`56`	`}`