Merge pull request github#3702 from esbena/js/memory-exhaustion

JS: add query js/memory-exhaustion

Author: asgerf

change-notes/1.25/analysis-javascript.md

@@ -41,6 +41,7 @@
 | Creating biased random numbers from a cryptographically secure source (`js/biased-cryptographic-random`) | security, external/cwe/cwe-327 | Highlights mathematical operations on cryptographically secure numbers that can create biased results. Results are shown on LGTM by default. |
 | Storage of sensitive information in build artifact (`js/build-artifact-leak`) | security, external/cwe/cwe-312 | Highlights storage of sensitive information in build artifacts. Results are shown on LGTM by default. |
 | Improper code sanitization (`js/bad-code-sanitization`) | security, external/cwe/cwe-094, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights string concatenation where code is constructed without proper sanitization. Results are shown on LGTM by default. |
+| Resource exhaustion (`js/resource-exhaustion`) | security, external/cwe/cwe-770 | Highlights operations that may cause the resources of the application to be exhausted. Results are shown on LGTM by default. |
 
 ## Changes to existing queries
 

javascript/config/suites/javascript/security

@@ -44,6 +44,7 @@
 + semmlecode-javascript-queries/Security/CWE-730/RegExpInjection.ql: /Security/CWE/CWE-730
 + semmlecode-javascript-queries/Security/CWE-754/UnvalidatedDynamicMethodCall.ql: /Security/CWE/CWE-754
 + semmlecode-javascript-queries/Security/CWE-770/MissingRateLimiting.ql: /Security/CWE/CWE-770
++ semmlecode-javascript-queries/Security/CWE-770/ResourceExhaustion.ql: /Security/CWE/CWE-770
 + semmlecode-javascript-queries/Security/CWE-776/XmlBomb.ql: /Security/CWE/CWE-776
 + semmlecode-javascript-queries/Security/CWE-798/HardcodedCredentials.ql: /Security/CWE/CWE-798
 + semmlecode-javascript-queries/Security/CWE-807/ConditionalBypass.ql: /Security/CWE/CWE-807

javascript/ql/src/Security/CWE-770/ResourceExhaustion.qhelp

@@ -0,0 +1,113 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+	<overview>
+
+		<p>
+
+			Applications are constrained by how many resources they can make use
+			of. Failing to respect these constraints may cause the application to
+			be unresponsive or crash. It is therefore problematic if attackers
+			can control the sizes or lifetimes of allocated objects.
+
+		</p>
+
+	</overview>
+
+	<recommendation>
+
+		<p>
+
+			Ensure that attackers can not control object sizes and their
+			lifetimes. If object sizes and lifetimes must be controlled by
+			external parties, ensure you restrict the object sizes and lifetimes so that
+			they are within acceptable ranges.
+
+		</p>
+
+	</recommendation>
+
+	<example>
+
+		<p>
+
+			The following example allocates a buffer with a user-controlled
+			size.
+
+		</p>
+
+		<sample src="examples/ResourceExhaustion_buffer.js" />
+
+		<p>
+
+			This is problematic since an attacker can choose a size
+			that makes the application run out of memory. Even worse, in older
+			versions of Node.js, this could leak confidential memory.
+
+			To prevent such attacks, limit the buffer size:
+
+		</p>
+
+		<sample src="examples/ResourceExhaustion_buffer_fixed.js" />
+
+	</example>
+
+	<example>
+
+		<p>
+
+			As another example, consider an application that allocates an
+			array with a user-controlled size, and then fills it with values:
+
+		</p>
+
+		<sample src="examples/ResourceExhaustion_array.js" />
+
+		<p>
+			The allocation of the array itself is not problematic since arrays are
+			allocated sparsely, but the subsequent filling of the array will take
+			a long time, causing the application to be unresponsive, or even run
+			out of memory.
+
+			Again, a limit on the size will prevent the attack:
+
+		</p>
+
+		<sample src="examples/ResourceExhaustion_array_fixed.js" />
+
+	</example>
+
+	<example>
+
+		<p>
+
+			Finally, the following example lets a user choose a delay after
+			which a function is executed:
+
+		</p>
+
+		<sample src="examples/ResourceExhaustion_timeout.js" />
+
+		<p>
+
+			This is problematic because a large delay essentially makes the
+			application wait indefinitely before executing the function. Repeated
+			registrations of such delays will therefore use up all of the memory
+			in the application.
+
+			Again, a limit on the delay will prevent the attack:
+
+		</p>
+
+		<sample src="examples/ResourceExhaustion_timeout_fixed.js" />
+
+
+	</example>
+
+	<references>
+
+	</references>
+
+</qhelp>

javascript/ql/src/Security/CWE-770/ResourceExhaustion.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Resource exhaustion
+ * @description Allocating objects or timers with user-controlled
+ *              sizes or durations can cause resource exhaustion.
+ * @kind path-problem
+ * @problem.severity warning
+ * @id js/resource-exhaustion
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-770
+ */
+
+import javascript
+import DataFlow::PathGraph
+import semmle.javascript.security.dataflow.ResourceExhaustion::ResourceExhaustion
+
+from Configuration dataflow, DataFlow::PathNode source, DataFlow::PathNode sink
+where dataflow.hasFlowPath(source, sink)
+select sink, source, sink, sink.getNode().(Sink).getProblemDescription() + " from $@.", source,
+  "here"

javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_array.js

@@ -0,0 +1,10 @@
+var http = require("http"),
+    url = require("url");
+
+var server = http.createServer(function(req, res) {
+	var size = parseInt(url.parse(req.url, true).query.size);
+
+	let dogs = new Array(size).fill(x => "dog"); // BAD
+
+	// ... use the dogs
+});

javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_array_fixed.js

@@ -0,0 +1,16 @@
+var http = require("http"),
+    url = require("url");
+
+var server = http.createServer(function(req, res) {
+	var size = parseInt(url.parse(req.url, true).query.size);
+
+	if (size > 1024) {
+		res.statusCode = 400;
+		res.end("Bad request.");
+		return;
+	}
+
+	let dogs = new Array(size).fill(x => "dog"); // GOOD
+
+	// ... use the dogs
+});

javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_buffer.js

@@ -0,0 +1,10 @@
+var http = require("http"),
+    url = require("url");
+
+var server = http.createServer(function(req, res) {
+	var size = parseInt(url.parse(req.url, true).query.size);
+
+	let buffer = Buffer.alloc(size); // BAD
+
+	// ... use the buffer
+});

javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_buffer_fixed.js

@@ -0,0 +1,16 @@
+var http = require("http"),
+    url = require("url");
+
+var server = http.createServer(function(req, res) {
+	var size = parseInt(url.parse(req.url, true).query.size);
+
+	if (size > 1024) {
+		res.statusCode = 400;
+		res.end("Bad request.");
+		return;
+	}
+
+	let buffer = Buffer.alloc(size); // GOOD
+
+	// ... use the buffer
+});

javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_timeout.js

@@ -0,0 +1,9 @@
+var http = require("http"),
+    url = require("url");
+
+var server = http.createServer(function(req, res) {
+	var delay = parseInt(url.parse(req.url, true).query.delay);
+
+	setTimeout(f, delay); // BAD
+
+});

javascript/ql/src/Security/CWE-770/examples/ResourceExhaustion_timeout_fixed.js

@@ -0,0 +1,15 @@
+var http = require("http"),
+    url = require("url");
+
+var server = http.createServer(function(req, res) {
+	var delay = parseInt(url.parse(req.url, true).query.delay);
+
+	if (delay > 1000) {
+		res.statusCode = 400;
+		res.end("Bad request.");
+		return;
+	}
+
+	setTimeout(f, delay); // GOOD
+
+});