add separate query for sinks that accepts data: URL

Author: am0o0

.vscode/settings.json

@@ -761,13 +761,6 @@ module NodeJSLib {
     }
   }
 
-  /**
-   * The dynamic import expression input can be a `data:` URL which loads any module from that data
-   */
-  class DynamicImport extends CodeInjection::Sink, DataFlow::ExprNode {
-    DynamicImport() { this = any(DynamicImportExpr e).getSource().flow() }
-  }
-
   /**
    * A call to a method from module `child_process`.
    */

javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll

@@ -0,0 +1,48 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Directly evaluating user input (for example, an HTTP request parameter) as code without properly
+sanitizing the input first allows an attacker arbitrary code execution. This can occur when user
+input is treated as JavaScript, or passed to a framework which interprets it as an expression to be
+evaluated. Examples include AngularJS expressions or JQuery selectors.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Avoid including user input in any expression which may be dynamically evaluated. If user input must
+be included, use context-specific escaping before
+including it. It is important that the correct escaping is used for the type of evaluation that will
+occur.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows part of the page URL being evaluated as JavaScript code on the server. This allows an
+attacker to provide JavaScript within the URL and send it to server. client side attacks need victim users interaction 
+like clicking on a attacker provided URL.
+</p>
+
+<sample src="examples/CodeInjection.js" />
+
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Code_Injection">Code Injection</a>.
+</li>
+<li>
+Wikipedia: <a href="https://en.wikipedia.org/wiki/Code_injection">Code Injection</a>.
+</li>
+<li>
+PortSwigger Research Blog:
+<a href="https://portswigger.net/research/server-side-template-injection">Server-Side Template Injection</a>.
+</li>
+</references>
+</qhelp>

javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.inc.qhelp

@@ -0,0 +1,6 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+<include src="CodeInjection.inc.qhelp" />
+</qhelp>

javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.qhelp

@@ -0,0 +1,98 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user arbitrary
+ *              code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.3
+ * @precision high
+ * @id js/code-injection
+ * @tags security
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import javascript
+import DataFlow
+import DataFlow::PathGraph
+
+abstract class Sanitizer extends DataFlow::Node { }
+
+abstract class Sink extends DataFlow::Node { }
+
+/** A non-first leaf in a string-concatenation. Seen as a sanitizer for dynamic import code injection. */
+class NonFirstStringConcatLeaf extends Sanitizer {
+  NonFirstStringConcatLeaf() {
+    exists(StringOps::ConcatenationRoot root |
+      this = root.getALeaf() and
+      not this = root.getFirstLeaf()
+    )
+    or
+    exists(DataFlow::CallNode join |
+      join = DataFlow::moduleMember("path", "join").getACall() and
+      this = join.getArgument([1 .. join.getNumArgument() - 1])
+    )
+  }
+}
+
+/**
+ * The dynamic import expression input can be a `data:` URL which loads any module from that data
+ */
+class DynamicImport extends DataFlow::ExprNode {
+  DynamicImport() { this = any(DynamicImportExpr e).getSource().flow() }
+}
+
+/**
+ * The dynamic import expression input can be a `data:` URL which loads any module from that data
+ */
+class WorkerThreads extends DataFlow::Node {
+  WorkerThreads() {
+    this = API::moduleImport("node:worker_threads").getMember("Worker").getParameter(0).asSink()
+  }
+}
+
+class WorkerThreadsLabel extends FlowLabel {
+  WorkerThreadsLabel() { this = "worker_threads" }
+}
+
+class DynamicImportLabel extends FlowLabel {
+  DynamicImportLabel() { this = "DynamicImport" }
+}
+
+/**
+ * A taint-tracking configuration for reasoning about code injection vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "CodeInjection" }
+
+  override predicate isSource(DataFlow::Node source, FlowLabel label) {
+    source instanceof RemoteFlowSource and
+    (label instanceof DynamicImportLabel or label instanceof WorkerThreadsLabel)
+  }
+
+  override predicate isSink(DataFlow::Node sink, FlowLabel label) {
+    sink instanceof DynamicImport and label instanceof DynamicImportLabel
+    or
+    sink instanceof WorkerThreads and label instanceof WorkerThreadsLabel
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isAdditionalFlowStep(
+    DataFlow::Node pred, DataFlow::Node succ, FlowLabel predlbl, FlowLabel succlbl
+  ) {
+    exists(DataFlow::NewNode newUrl | succ = newUrl |
+      newUrl = DataFlow::globalVarRef("URL").getAnInstantiation() and
+      pred = newUrl.getArgument(0)
+    ) and
+    predlbl instanceof WorkerThreadsLabel and
+    succlbl instanceof WorkerThreadsLabel
+  }
+}
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, sink.getNode() + " depends on a $@.", source.getNode(),
+  "user-provided value"

javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.ql

@@ -0,0 +1,14 @@
+const { Worker } = require('node:worker_threads');
+var app = require('express')();
+
+app.post('/path', async function (req, res) {
+    const payload = req.query.queryParameter // like:  payload = 'data:text/javascript,console.log("hello!");//'
+    const payloadURL = new URL(payload)
+    new Worker(payloadURL);
+});
+
+app.post('/path2', async function (req, res) {
+    const payload = req.query.queryParameter // like:  payload = 'data:text/javascript,console.log("hello!");//'
+    await import(payload)
+});
+

javascript/ql/src/experimental/Security/CWE-094-dataURL/examples/CodeInjection.js

@@ -0,0 +1,14 @@
+WARNING: Unused class Sink (/home/am/CodeQL-home/codeql-repo-amammad/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.ql:23,16-20)
+nodes
+| test.js:18:11:18:44 | payload |
+| test.js:18:21:18:44 | req.que ... rameter |
+| test.js:18:21:18:44 | req.que ... rameter |
+| test.js:20:18:20:24 | payload |
+| test.js:20:18:20:24 | payload |
+edges
+| test.js:18:11:18:44 | payload | test.js:20:18:20:24 | payload |
+| test.js:18:11:18:44 | payload | test.js:20:18:20:24 | payload |
+| test.js:18:21:18:44 | req.que ... rameter | test.js:18:11:18:44 | payload |
+| test.js:18:21:18:44 | req.que ... rameter | test.js:18:11:18:44 | payload |
+#select
+| test.js:20:18:20:24 | payload | test.js:18:21:18:44 | req.que ... rameter | test.js:20:18:20:24 | payload | payload depends on a $@. | test.js:18:21:18:44 | req.que ... rameter | user-provided value |

javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.expected

@@ -0,0 +1 @@
+experimental/Security/CWE-094-dataURL/CodeInjection.ql

javascript/ql/test/experimental/Security/CWE-094-dataURL/CodeInjection.qlref

@@ -0,0 +1,26 @@
+const { Worker } = require('node:worker_threads');
+var app = require('express')();
+
+app.post('/path', async function (req, res) {
+    const payload = req.query.queryParameter // like:  payload = 'data:text/javascript,console.log("hello!");//'
+    let payloadURL = new URL(payload + sth)
+    // NOT OK
+    new Worker(payloadURL);
+    // NOT OK
+    payloadURL = new URL(payload + sth)
+    new Worker(payloadURL);
+    // OK
+    payloadURL = new URL(sth + payload)
+    new Worker(payloadURL);
+});
+
+app.post('/path2', async function (req, res) {
+    const payload = req.query.queryParameter // like:  payload = 'data:text/javascript,console.log("hello!");//'
+    // NOT OK
+    await import(payload)
+    // NOT OK
+    await import(payload + sth)
+    // OK
+    await import(sth + payload)
+});
+