Merge branch 'js-team-sprint' into https-fix

Author: erik-krogh

change-notes/1.25/analysis-javascript.md

@@ -37,6 +37,7 @@
 | Unsafe expansion of self-closing HTML tag (`js/unsafe-html-expansion`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights potential XSS vulnerabilities caused by unsafe expansion of self-closing HTML tags. |
 | Unsafe shell command constructed from library input (`js/shell-command-constructed-from-input`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 | Highlights potential command injections due to a shell command being constructed from library inputs. Results are shown on LGTM by default. |
 | Download of sensitive file through insecure connection (`js/insecure-download`) | security, external/cwe/cwe-829 | Highlights downloads of sensitive files through an unencrypted protocol. Results are shown on LGTM by default. |
+| Storage of sensitive information in build artifact (`js/build-artifact-leak`) | security, external/cwe/cwe-312 | Highlights storage of sensitive information in build artifacts. Results are shown on LGTM by default. |
 | Improper code sanitization (`js/bad-code-sanitization`) | security, external/cwe/cwe-094, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights string concatenation where code is constructed without proper sanitization. Results are shown on LGTM by default. |
 
 ## Changes to existing queries

javascript/ql/src/Security/CWE-312/BuildArtifactLeak.qhelp

@@ -0,0 +1,36 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Sensitive information included in a build artifact can allow an attacker to access
+      the sensitive information if the artifact is published.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>
+      Only store information that is meant to be publicly available in a build artifact.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>
+      The following example creates a <code>webpack</code> configuration that inserts all environment
+      variables from the host into the build artifact:
+    </p>
+    <sample src="examples/build-leak.js"/>
+    <p>
+      The environment variables might include API keys or other sensitive information, and the build-system
+      should instead insert only the environment variables that are supposed to be public. 
+    </p>
+    <p>
+      The issue has been fixed below, where only the <code>DEBUG</code> environment variable is inserted into the artifact.
+    </p>
+    <sample src="examples/build-leak-fixed.js"/>
+  </example>
+  <references>
+    <li>webpack: <a href="https://webpack.js.org/plugins/define-plugin/">DefinePlugin API</a>.</li>
+  </references>
+</qhelp>

javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Storage of sensitive information in build artifact
+ * @description Including sensitive information in a build artifact can
+ *              expose it to an attacker.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id js/build-artifact-leak
+ * @tags security
+ *       external/cwe/cwe-312
+ *       external/cwe/cwe-315
+ *       external/cwe/cwe-359
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.BuildArtifactLeak::BuildArtifactLeak
+import DataFlow::PathGraph
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Sensitive data returned by $@ is stored in a build artifact here.", source.getNode(),
+  source.getNode().(CleartextLogging::Source).describe()

javascript/ql/src/Security/CWE-312/examples/build-leak-fixed.js

@@ -0,0 +1,9 @@
+const webpack = require("webpack");
+
+module.exports = [{
+    plugins: [
+        new webpack.DefinePlugin({
+            'process.env': JSON.stringify({ DEBUG: process.env.DEBUG })
+        })
+    ]
+}];

javascript/ql/src/Security/CWE-312/examples/build-leak.js

@@ -0,0 +1,9 @@
+const webpack = require("webpack");
+
+module.exports = [{
+    plugins: [
+        new webpack.DefinePlugin({
+            "process.env": JSON.stringify(process.env)
+        })
+    ]
+}];

javascript/ql/src/semmle/javascript/Arrays.qll

@@ -40,6 +40,11 @@ module ArrayTaintTracking {
       succ = call
     )
     or
+    // `array.reduce` with tainted value in callback
+    call.(DataFlow::MethodCallNode).getMethodName() = "reduce" and
+    pred = call.getArgument(0).(DataFlow::FunctionNode).getAReturn() and // Require the argument to be a closure to avoid spurious call/return flow
+    succ = call
+    or
     // `array.push(e)`, `array.unshift(e)`: if `e` is tainted, then so is `array`.
     exists(string name |
       name = "push" or

javascript/ql/src/semmle/javascript/security/dataflow/BuildArtifactLeak.qll

@@ -0,0 +1,45 @@
+/**
+ * Provides a dataflow tracking configuration for reasoning about
+ * storage of sensitive information in build artifact.
+ *
+ * Note, for performance reasons: only import this file if
+ * `CleartextLogging::Configuration` is needed, otherwise
+ * `CleartextLoggingCustomizations` should be imported instead.
+ */
+
+import javascript
+
+/**
+ * Classes and predicates for storage of sensitive information in build artifact query.
+ */
+module BuildArtifactLeak {
+  import BuildArtifactLeakCustomizations::BuildArtifactLeak
+  import CleartextLoggingCustomizations::CleartextLogging as CleartextLogging
+
+  /**
+   * A taint tracking configuration for storage of sensitive information in build artifact.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "BuildArtifactLeak" }
+
+    override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
+      source.(CleartextLogging::Source).getLabel() = lbl
+    }
+
+    override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
+      sink.(Sink).getLabel() = lbl
+    }
+
+    override predicate isSanitizer(DataFlow::Node node) {
+      node instanceof CleartextLogging::Barrier
+    }
+
+    override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
+      CleartextLogging::isSanitizerEdge(pred, succ)
+    }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
+      CleartextLogging::isAdditionalTaintStep(src, trg)
+    }
+  }
+}

javascript/ql/src/semmle/javascript/security/dataflow/BuildArtifactLeakCustomizations.qll

@@ -0,0 +1,32 @@
+/**
+ * Provides default sinks for reasoning about storage of sensitive information
+ * in build artifact, as well as extension points for adding your own.
+ */
+
+import javascript
+private import semmle.javascript.dataflow.InferredTypes
+private import semmle.javascript.security.SensitiveActions::HeuristicNames
+
+/**
+ * Sinks for storage of sensitive information in build artifact.
+ */
+module BuildArtifactLeak {
+  /**
+   * A data flow sink for storage of sensitive information in a build artifact.
+   */
+  abstract class Sink extends DataFlow::Node {
+    /**
+     * Gets a data-flow label that leaks information for this sink.
+     */
+    DataFlow::FlowLabel getLabel() { result.isTaint() }
+  }
+
+  /**
+   * An instantiation of `webpack.DefintePlugin` that stores information in a compiled JavaScript file.
+   */
+  class WebpackDefinePluginSink extends Sink {
+    WebpackDefinePluginSink() {
+      this = DataFlow::moduleMember("webpack", "DefinePlugin").getAnInstantiation().getAnArgument()
+    }
+  }
+}

javascript/ql/src/semmle/javascript/security/dataflow/CleartextLogging.qll

@@ -35,23 +35,11 @@ module CleartextLogging {
     override predicate isSanitizer(DataFlow::Node node) { node instanceof Barrier }
 
     override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
-      succ.(DataFlow::PropRead).getBase() = pred
+      CleartextLogging::isSanitizerEdge(pred, succ)
     }
 
     override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
-      // A taint propagating data flow edge through objects: a tainted write taints the entire object.
-      exists(DataFlow::PropWrite write |
-        write.getRhs() = src and
-        trg.(DataFlow::SourceNode).flowsTo(write.getBase())
-      )
-      or
-      // Taint through the arguments object.
-      exists(DataFlow::CallNode call, Function f |
-        src = call.getAnArgument() and
-        f = call.getACallee() and
-        not call.isImprecise() and
-        trg.asExpr() = f.getArgumentsVariable().getAnAccess()
-      )
+      CleartextLogging::isAdditionalTaintStep(src, trg)
     }
   }
 }

javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll

@@ -176,17 +176,50 @@ module CleartextLogging {
 
     override string describe() { result = "process environment" }
 
-    override DataFlow::FlowLabel getLabel() {
-      result.isTaint() or
-      result instanceof PartiallySensitiveMap
-    }
+    override DataFlow::FlowLabel getLabel() { result.isTaint() }
+  }
+
+  /**
+   * Holds if the edge `pred` -> `succ` should be sanitized for clear-text logging of sensitive information.
+   */
+  predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
+    succ.(DataFlow::PropRead).getBase() = pred
   }
 
   /**
-   * A flow label describing a map that might contain sensitive information in some properties.
-   * Property reads on such maps where the property name is fixed is unlikely to leak sensitive information.
+   * Holds if the edge `src` -> `trg` is an additional taint-step for clear-text logging of sensitive information.
    */
-  class PartiallySensitiveMap extends DataFlow::FlowLabel {
-    PartiallySensitiveMap() { this = "PartiallySensitiveMap" }
+  predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
+    // A taint propagating data flow edge through objects: a tainted write taints the entire object.
+    exists(DataFlow::PropWrite write |
+      write.getRhs() = src and
+      trg.(DataFlow::SourceNode).flowsTo(write.getBase())
+    )
+    or
+    // A property-copy step,
+    // dst[x] = src[x]
+    // dst[x] = JSON.stringify(src[x])
+    exists(DataFlow::PropWrite write, DataFlow::PropRead read |
+      read = write.getRhs()
+      or
+      exists(DataFlow::MethodCallNode stringify |
+        stringify = write.getRhs() and
+        stringify = DataFlow::globalVarRef("JSON").getAMethodCall("stringify") and
+        stringify.getArgument(0) = read
+      )
+    |
+      not exists(write.getPropertyName()) and
+      not exists(read.getPropertyName()) and
+      src = read.getBase() and
+      trg = write.getBase().getALocalSource()
+    )
+    or
+    // Taint through the arguments object.
+    exists(DataFlow::CallNode call, Function f |
+      src = call.getAnArgument() and
+      f = call.getACallee() and
+      not call.isImprecise() and
+      trg.asExpr() = f.getArgumentsVariable().getAnAccess()
+    )
   }
 }