Merge pull request github#3625 from erik-krogh/CVE714

semmle-qlci · web-flow · commit ff6936caa757 · 2020-06-05T12:21:10.000+01:00
Approved by asgerf
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -827,6 +827,26 @@ module TaintTracking {
     override predicate appliesTo(Configuration cfg) { any() }
   }
 
+  /** A check of the form `type x === "undefined"`, which sanitized `x` in its "then" branch. */
+  class TypeOfUndefinedSanitizer extends AdditionalSanitizerGuardNode, DataFlow::ValueNode {
+    Expr x;
+    override EqualityTest astNode;
+
+    TypeOfUndefinedSanitizer() {
+      exists(StringLiteral str, TypeofExpr typeof | astNode.hasOperands(str, typeof) |
+        str.getValue() = "undefined" and
+        typeof.getOperand() = x
+      )
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) {
+      outcome = astNode.getPolarity() and
+      e = x
+    }
+
+    override predicate appliesTo(Configuration cfg) { any() }
+  }
+
   /** DEPRECATED. This class has been renamed to `MembershipTestSanitizer`. */
   deprecated class StringInclusionSanitizer = MembershipTestSanitizer;
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
@@ -173,6 +173,12 @@ nodes
 | lib/lib.js:307:39:307:42 | name |
 | lib/lib.js:308:23:308:26 | name |
 | lib/lib.js:308:23:308:26 | name |
+| lib/lib.js:314:40:314:43 | name |
+| lib/lib.js:314:40:314:43 | name |
+| lib/lib.js:315:22:315:25 | name |
+| lib/lib.js:315:22:315:25 | name |
+| lib/lib.js:320:23:320:26 | name |
+| lib/lib.js:320:23:320:26 | name |
 edges
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
@@ -381,6 +387,14 @@ edges
 | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
 | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
 | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
+| lib/lib.js:314:40:314:43 | name | lib/lib.js:315:22:315:25 | name |
+| lib/lib.js:314:40:314:43 | name | lib/lib.js:315:22:315:25 | name |
+| lib/lib.js:314:40:314:43 | name | lib/lib.js:315:22:315:25 | name |
+| lib/lib.js:314:40:314:43 | name | lib/lib.js:315:22:315:25 | name |
+| lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name |
+| lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name |
+| lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name |
+| lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name |
 #select
 | lib/lib2.js:4:10:4:25 | "rm -rf " + name | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name | $@ based on libary input is later used in $@. | lib/lib2.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/lib2.js:4:2:4:26 | cp.exec ... + name) | shell command |
 | lib/lib2.js:8:10:8:25 | "rm -rf " + name | lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name | $@ based on libary input is later used in $@. | lib/lib2.js:8:10:8:25 | "rm -rf " + name | String concatenation | lib/lib2.js:8:2:8:26 | cp.exec ... + name) | shell command |
@@ -433,3 +447,5 @@ edges
 | lib/lib.js:272:10:272:32 | "rm -rf ... version | lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:32 | obj.version | $@ based on libary input is later used in $@. | lib/lib.js:272:10:272:32 | "rm -rf ... version | String concatenation | lib/lib.js:272:2:272:33 | cp.exec ... ersion) | shell command |
 | lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:30 | opts.bla | $@ based on libary input is later used in $@. | lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | String concatenation | lib/lib.js:277:3:277:31 | cp.exec ... ts.bla) | shell command |
 | lib/lib.js:308:11:308:26 | "rm -rf " + name | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:308:11:308:26 | "rm -rf " + name | String concatenation | lib/lib.js:308:3:308:27 | cp.exec ... + name) | shell command |
+| lib/lib.js:315:10:315:25 | "rm -rf " + name | lib/lib.js:314:40:314:43 | name | lib/lib.js:315:22:315:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:315:10:315:25 | "rm -rf " + name | String concatenation | lib/lib.js:315:2:315:26 | cp.exec ... + name) | shell command |
+| lib/lib.js:320:11:320:26 | "rm -rf " + name | lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:320:11:320:26 | "rm -rf " + name | String concatenation | lib/lib.js:320:3:320:27 | cp.exec ... + name) | shell command |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
@@ -309,4 +309,14 @@ module.exports.sanitizer2 = function (name) {
 
   var sanitized = sanitizeShellString(name);
   cp.exec("rm -rf " + sanitized); // OK
+}
+
+module.exports.typeofcheck = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK
+	
+	if (typeof name === "undefined") {
+		cp.exec("rm -rf " + name); // OK
+	} else {
+		cp.exec("rm -rf " + name); // NOT OK
+	}
 }
