v2: it is basically the first stable version :))

Author: am0o0

javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.qhelp

@@ -0,0 +1,36 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+	<overview>
+
+		<p>
+			Controlling the value of arbitrary environment variables from user-controllable data is not safe.
+		</p>
+
+	</overview>
+
+	<recommendation>
+
+		<p>
+			Restrict this operation only to privileged users or only for some not important environment variables.
+		</p>
+
+	</recommendation>
+
+	<example>
+
+		<p>
+			The following example allows unauthorized users to assign a value to any environment variable.
+		</p>
+
+		<sample src="examples/Bad_Value_And_Key_Assignment" />
+
+	</example>
+
+	<references>
+		<a href="https://huntr.com/bounties/00ec6847-125b-43e9-9658-d3cace1751d6/">Admin account TakeOver in mintplex-labs/anything-llm</a>
+	</references>
+
+</qhelp>

javascript/ql/src/experimental/Security/CWE-099/EnvInjectionWithKeyControl.ql renamed to javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql

@@ -1,8 +1,8 @@
 /**
- * @name User controlled environment injection
- * @description full control on creating environment variables from user controlled data is not secure
+ * @name User controlled arbitrary environment variable injection
+ * @description creating arbitrary environment variables from user controlled data is not secure
  * @kind path-problem
- * @id js/envinjection
+ * @id js/env-key-and-value-injection
  * @problem.severity error
  * @security-severity 7.5
  * @precision medium
@@ -46,19 +46,19 @@ class Configuration extends TaintTracking::Configuration {
 }
 
 from
-  Configuration cfg, Configuration cfg2, DataFlow::PathNode source, DataFlow::PathNode sink,
+  Configuration cfg, Configuration cfg2, DataFlow::PathNode source, DataFlow::PathNode sink1,
   DataFlow::PathNode sink2
 where
-  cfg.hasFlowPath(source, sink) and
-  sink.getNode() = API::moduleImport("process").getMember("env").getAMember().asSink() and
+  cfg.hasFlowPath(source, sink1) and
+  sink1.getNode() = API::moduleImport("process").getMember("env").getAMember().asSink() and
   cfg2.hasFlowPath(source, sink2) and
-  sink.getNode().asExpr() =
+  sink2.getNode().asExpr() =
     NodeJSLib::process()
         .getAPropertyRead("env")
         .asExpr()
         .getParent()
         .(IndexExpr)
         .getAChildExpr()
         .(VarRef)
-select sink.getNode(), source, sink, "this environment variable assignment is $@.",
-  source.getNode(), "user controllable"
+select sink1.getNode(), source, sink1, "arbitrary environment variable assignment from this $@.",
+  source.getNode(), "user controllable source"

javascript/ql/src/experimental/Security/CWE-099/EnvInjection.qhelp renamed to javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.qhelp

@@ -25,7 +25,7 @@
 			The following example allows unauthorized users to assign a value to a critical environment variable.
 		</p>
 
-		<sample src="examples/Bad.js" />
+		<sample src="examples/Bad_Value_Assignment.js" />
 
 	</example>
 

javascript/ql/src/experimental/Security/CWE-099/EnvInjection.ql renamed to javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.ql

@@ -1,8 +1,8 @@
 /**
- * @name User controlled environment injection
- * @description full control on creating environment variables from user controlled data is not secure
+ * @name User controlled environment variable value injection
+ * @description assigning important environment variables from user controlled data is not secure
  * @kind path-problem
- * @id js/envinjection
+ * @id js/env-value-injection
  * @problem.severity error
  * @security-severity 7.5
  * @precision medium
@@ -24,7 +24,6 @@ class Configuration extends TaintTracking::Configuration {
   }
 }
 
-
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "this environment variable assignment is $@.",

javascript/ql/src/experimental/Security/CWE-099/examples/Bad_Value_And_Key_Assignment.js

@@ -0,0 +1,8 @@
+const http = require('node:http');
+
+http.createServer((req, res) => {
+  const { EnvValue, EnvKey } = req.body;
+  process.env[EnvKey] = EnvValue; // NOT OK
+
+  res.end('env has been injected!');
+});

javascript/ql/src/experimental/Security/CWE-099/examples/Bad.js renamed to javascript/ql/src/experimental/Security/CWE-099/examples/Bad_Value_Assignment.js

@@ -0,0 +1,39 @@
+nodes
+| test.js:5:9:5:28 | { EnvValue, EnvKey } |
+| test.js:5:9:5:39 | EnvKey |
+| test.js:5:9:5:39 | EnvValue |
+| test.js:5:11:5:18 | EnvValue |
+| test.js:5:21:5:26 | EnvKey |
+| test.js:5:32:5:39 | req.body |
+| test.js:5:32:5:39 | req.body |
+| test.js:6:15:6:20 | EnvKey |
+| test.js:6:15:6:20 | EnvKey |
+| test.js:6:25:6:32 | EnvValue |
+| test.js:6:25:6:32 | EnvValue |
+| test.js:7:15:7:20 | EnvKey |
+| test.js:7:15:7:20 | EnvKey |
+| test.js:7:25:7:32 | EnvValue |
+| test.js:7:25:7:32 | EnvValue |
+| test.js:8:24:8:31 | EnvValue |
+| test.js:8:24:8:31 | EnvValue |
+edges
+| test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:11:5:18 | EnvValue |
+| test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:21:5:26 | EnvKey |
+| test.js:5:9:5:39 | EnvKey | test.js:6:15:6:20 | EnvKey |
+| test.js:5:9:5:39 | EnvKey | test.js:6:15:6:20 | EnvKey |
+| test.js:5:9:5:39 | EnvKey | test.js:7:15:7:20 | EnvKey |
+| test.js:5:9:5:39 | EnvKey | test.js:7:15:7:20 | EnvKey |
+| test.js:5:9:5:39 | EnvValue | test.js:6:25:6:32 | EnvValue |
+| test.js:5:9:5:39 | EnvValue | test.js:6:25:6:32 | EnvValue |
+| test.js:5:9:5:39 | EnvValue | test.js:7:25:7:32 | EnvValue |
+| test.js:5:9:5:39 | EnvValue | test.js:7:25:7:32 | EnvValue |
+| test.js:5:9:5:39 | EnvValue | test.js:8:24:8:31 | EnvValue |
+| test.js:5:9:5:39 | EnvValue | test.js:8:24:8:31 | EnvValue |
+| test.js:5:11:5:18 | EnvValue | test.js:5:9:5:39 | EnvValue |
+| test.js:5:21:5:26 | EnvKey | test.js:5:9:5:39 | EnvKey |
+| test.js:5:32:5:39 | req.body | test.js:5:9:5:28 | { EnvValue, EnvKey } |
+| test.js:5:32:5:39 | req.body | test.js:5:9:5:28 | { EnvValue, EnvKey } |
+#select
+| test.js:6:25:6:32 | EnvValue | test.js:5:32:5:39 | req.body | test.js:6:25:6:32 | EnvValue | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source |
+| test.js:7:25:7:32 | EnvValue | test.js:5:32:5:39 | req.body | test.js:7:25:7:32 | EnvValue | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source |
+| test.js:8:24:8:31 | EnvValue | test.js:5:32:5:39 | req.body | test.js:8:24:8:31 | EnvValue | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source |

javascript/ql/test/experimental/Security/CWE-099/EnvInjection.qlref

@@ -0,0 +1,39 @@
+nodes
+| test.js:5:9:5:28 | { EnvValue, EnvKey } |
+| test.js:5:9:5:39 | EnvKey |
+| test.js:5:9:5:39 | EnvValue |
+| test.js:5:11:5:18 | EnvValue |
+| test.js:5:21:5:26 | EnvKey |
+| test.js:5:32:5:39 | req.body |
+| test.js:5:32:5:39 | req.body |
+| test.js:6:15:6:20 | EnvKey |
+| test.js:6:15:6:20 | EnvKey |
+| test.js:6:25:6:32 | EnvValue |
+| test.js:6:25:6:32 | EnvValue |
+| test.js:7:15:7:20 | EnvKey |
+| test.js:7:15:7:20 | EnvKey |
+| test.js:7:25:7:32 | EnvValue |
+| test.js:7:25:7:32 | EnvValue |
+| test.js:8:24:8:31 | EnvValue |
+| test.js:8:24:8:31 | EnvValue |
+edges
+| test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:11:5:18 | EnvValue |
+| test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:21:5:26 | EnvKey |
+| test.js:5:9:5:39 | EnvKey | test.js:6:15:6:20 | EnvKey |
+| test.js:5:9:5:39 | EnvKey | test.js:6:15:6:20 | EnvKey |
+| test.js:5:9:5:39 | EnvKey | test.js:7:15:7:20 | EnvKey |
+| test.js:5:9:5:39 | EnvKey | test.js:7:15:7:20 | EnvKey |
+| test.js:5:9:5:39 | EnvValue | test.js:6:25:6:32 | EnvValue |
+| test.js:5:9:5:39 | EnvValue | test.js:6:25:6:32 | EnvValue |
+| test.js:5:9:5:39 | EnvValue | test.js:7:25:7:32 | EnvValue |
+| test.js:5:9:5:39 | EnvValue | test.js:7:25:7:32 | EnvValue |
+| test.js:5:9:5:39 | EnvValue | test.js:8:24:8:31 | EnvValue |
+| test.js:5:9:5:39 | EnvValue | test.js:8:24:8:31 | EnvValue |
+| test.js:5:11:5:18 | EnvValue | test.js:5:9:5:39 | EnvValue |
+| test.js:5:21:5:26 | EnvKey | test.js:5:9:5:39 | EnvKey |
+| test.js:5:32:5:39 | req.body | test.js:5:9:5:28 | { EnvValue, EnvKey } |
+| test.js:5:32:5:39 | req.body | test.js:5:9:5:28 | { EnvValue, EnvKey } |
+#select
+| test.js:6:25:6:32 | EnvValue | test.js:5:32:5:39 | req.body | test.js:6:25:6:32 | EnvValue | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source |
+| test.js:7:25:7:32 | EnvValue | test.js:5:32:5:39 | req.body | test.js:7:25:7:32 | EnvValue | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source |
+| test.js:8:24:8:31 | EnvValue | test.js:5:32:5:39 | req.body | test.js:8:24:8:31 | EnvValue | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source |

javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvInjection.expected

@@ -0,0 +1 @@
+experimental/Security/CWE-099/EnvValueAndKeyInjection.ql