Split out "compromised" functionality

Author: aegilops

javascript/ql/lib/semmle/javascript/security/FunctionalityFromUntrustedSource.qll

@@ -42,11 +42,19 @@ module StaticCreation {
           "code\\.jquery\\.com", //
           "cdnjs\\.cloudflare\\.com", //
           "cdnjs\\.com", //
-          "cdn\\.polyfill\\.io", // compromised
-          "polyfill\\.io", // compromised
         ] + "/.*\\.js$")
   }
 
+  /** Holds if `url` refers to a compromised CDN, that should not be trusted. */
+  bindingset[url]
+  predicate isCompromisedCdn(string url) {
+    url.regexpMatch("(?i)^https?://" +
+        [
+          "cdn\\.polyfill\\.io", // See https://sansec.io/research/polyfill-supply-chain-attack for details
+          "polyfill\\.io",       // "
+        ] + "/.*$")
+  }
+
   /** A script element that refers to untrusted content. */
   class ScriptElementWithUntrustedContent extends AddsUntrustedUrl instanceof HTML::ScriptElement {
     ScriptElementWithUntrustedContent() {
@@ -59,6 +67,19 @@ module StaticCreation {
     override string getProblem() { result = "Script loaded using unencrypted connection." }
   }
 
+  /** A script element that refers to compromised content. */
+  class CdnFromCompromisedSource extends AddsUntrustedUrl, HTML::ScriptElement {
+    CdnFromCompromisedSource() {
+      isCompromisedCdn(this.getSourcePath())
+    }
+
+    override string getUrl() { result = this.getSourcePath() }
+
+    override string getProblem() {
+      result = "Script loaded from compromised content delivery network."
+    }
+  }
+
   /** A script element that refers to untrusted content. */
   class CdnScriptElementWithUntrustedContent extends AddsUntrustedUrl, HTML::ScriptElement {
     CdnScriptElementWithUntrustedContent() {

javascript/ql/src/change-notes/2024-07-01-polyfill-io-compromised-script.md

@@ -1,4 +1,6 @@
 ---
 category: minorAnalysis
 ---
-* Added a new query, `js/polyfill-io-compromised-script`, which detects uses in HTML and JavaScript of the compromised `polyfill.io` content delivery network.
+* Added a new query, `js/polyfill-io-compromised-script`, which detects uses in HTML and JavaScript of the compromised `polyfill.io` content delivery network.
+* Modified existing query, `js/functionality-from-untrusted-source`, to add a new check for the compromised `polyfill.io` content delivery network.
+* Created a shared library, `semmle.javascript.security.FunctionalityFromUntrustedSource`, to separate the logic from the existing query and allow having a separate new Polyfill-specific query.