Merge pull request #2092 from esben-semmle/js/brittle-system-reflection-command

Approved by mchammer01, xiemaisi

Author: semmle-qlci

change-notes/1.23/analysis-javascript.md

@@ -19,6 +19,7 @@
 | Unused index variable (`js/unused-index-variable`)                        | correctness                                                       | Highlights loops that iterate over an array, but do not use the index variable to access array elements, indicating a possible typo or logic error. Results are shown on LGTM by default. |
 | Loop bound injection (`js/loop-bound-injection`)                          | security, external/cwe/cwe-834                                      | Highlights loops where a user-controlled object with an arbitrary .length value can trick the server to loop indefinitely. Results are not shown on LGTM by default. |
 | Suspicious method name (`js/suspicious-method-name-declaration`)          | correctness, typescript, methods                                  | Highlights suspiciously named methods where the developer likely meant to write a constructor or function. Results are shown on LGTM by default. |
+| Shell command built from environment values (`js/shell-command-injection-from-environment`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-088 | Highlights shell commands that may change behavior inadvertently depending on the execution environment, indicating a possible violation of [CWE-78](https://cwe.mitre.org/data/definitions/78.html). Results are shown on LGTM by default.|
 | Use of returnless function (`js/use-of-returnless-function`)              | maintainability, correctness                                      | Highlights calls where the return value is used, but the callee never returns a value. Results are shown on LGTM by default. |
 | Useless regular expression character escape (`js/useless-regexp-character-escape`) | correctness, security, external/cwe/cwe-20 | Highlights regular expression strings with useless character escapes, indicating a possible violation of [CWE-20](https://cwe.mitre.org/data/definitions/20.html). Results are shown on LGTM by default. |
 | Unreachable method overloads (`js/unreachable-method-overloads`)          | correctness, typescript                                           | Highlights method overloads that are impossible to use from client code. Results are shown on LGTM by default. |

javascript/config/suites/javascript/security

@@ -9,6 +9,7 @@
 + semmlecode-javascript-queries/Security/CWE-022/ZipSlip.ql: /Security/CWE/CWE-022
 + semmlecode-javascript-queries/Security/CWE-078/CommandInjection.ql: /Security/CWE/CWE-078
 + semmlecode-javascript-queries/Security/CWE-078/IndirectCommandInjection.ql: /Security/CWE/CWE-078
++ semmlecode-javascript-queries/Security/CWE-078/ShellCommandInjectionFromEnvironment: /Security/CWE/CWE-078
 + semmlecode-javascript-queries/Security/CWE-079/ReflectedXss.ql: /Security/CWE/CWE-079
 + semmlecode-javascript-queries/Security/CWE-079/StoredXss.ql: /Security/CWE/CWE-079
 + semmlecode-javascript-queries/Security/CWE-079/Xss.ql: /Security/CWE/CWE-079

javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.qhelp

@@ -0,0 +1,103 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+<overview>
+	<p>
+
+		Dynamically constructing a shell command with values from the
+		local environment, such as file paths, may inadvertently
+		change the meaning of the shell command.
+
+		Such changes can occur when an environment value contains
+		characters that the shell interprets in a special way, for instance
+		quotes and spaces.
+
+		This can result in the shell command misbehaving, or even
+		allowing a malicious user to execute arbitrary commands on the system.
+
+	</p>
+
+
+</overview>
+<recommendation>
+
+	<p>
+
+		If possible, use hard-coded string literals to specify the
+		shell command to run, and provide the dynamic arguments to the shell
+		command separately to avoid interpretation by the shell.
+
+	</p>
+
+	<p>
+
+		Alternatively, if the shell command must be constructed
+		dynamically, then add code to ensure that special characters in
+		environment values do not alter the shell command unexpectedly.
+
+	</p>
+
+</recommendation>
+<example>
+
+	<p>
+
+		The following example shows a dynamically constructed shell
+		command that recursively removes a temporary directory that is located
+		next to the currently executing JavaScript file. Such utilities are
+		often found in custom build scripts.
+
+	</p>
+
+	<sample src="examples/shell-command-injection-from-environment.js" />
+
+	<p>
+
+		The shell command will, however, fail to work as intended if the
+		absolute path of the script's directory contains spaces. In that
+		case, the shell command will interpret the absolute path as multiple
+		paths, instead of a single path.
+	</p>
+
+	<p>
+
+		For instance, if the absolute path of
+		the temporary directory is <code>/home/username/important
+		project/temp</code>, then the shell command will recursively delete
+		<code>/home/username/important</code> and <code>project/temp</code>,
+		where the latter path gets resolved relative to the working directory
+		of the JavaScript process.
+
+	</p>
+
+
+	<p>
+
+		Even worse, although less likely, a malicious user could
+		provide the path <code>/home/username/; cat /etc/passwd #/important
+		project/temp</code> in order to execute the command <code>cat
+		/etc/passwd</code>.
+
+	</p>
+
+	<p>
+
+		To avoid such potentially catastrophic behaviors, provide the
+		directory as an argument that does not get interpreted by a
+		shell:
+
+	</p>
+
+	<sample src="examples/shell-command-injection-from-environment_fixed.js" />
+
+</example>
+<references>
+
+	<li>
+		OWASP:
+		<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
+	</li>
+
+</references>
+</qhelp>

javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql

@@ -0,0 +1,29 @@
+/**
+ * @name Shell command built from environment values
+ * @description Building a shell command string with values from the enclosing
+ *              environment may cause subtle bugs or vulnerabilities.
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision high
+ * @id js/shell-command-injection-from-environment
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-078
+ *       external/cwe/cwe-088
+ */
+
+import javascript
+import DataFlow::PathGraph
+import semmle.javascript.security.dataflow.ShellCommandInjectionFromEnvironment::ShellCommandInjectionFromEnvironment
+
+from
+  Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node highlight,
+  Source sourceNode
+where
+  sourceNode = source.getNode() and
+  cfg.hasFlowPath(source, sink) and
+  if cfg.isSinkWithHighlight(sink.getNode(), _)
+  then cfg.isSinkWithHighlight(sink.getNode(), highlight)
+  else highlight = sink.getNode()
+select highlight, source, sink, "This shell command depends on an uncontrolled $@.", sourceNode,
+  sourceNode.getSourceType()

javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment.js

@@ -0,0 +1,6 @@
+var cp = require("child_process"),
+  path = require("path");
+function cleanupTemp() {
+  let cmd = "rm -rf " + path.join(__dirname, "temp");
+  cp.execSync(cmd); // BAD
+}

javascript/ql/src/Security/CWE-078/examples/shell-command-injection-from-environment_fixed.js

@@ -0,0 +1,7 @@
+var cp = require("child_process"),
+  path = require("path");
+function cleanupTemp() {
+  let cmd = "rm",
+    args = ["-rf", path.join(__dirname, "temp")];
+  cp.execFileSync(cmd, args); // GOOD
+}

javascript/ql/src/semmle/javascript/Concepts.qll

@@ -14,6 +14,9 @@ abstract class SystemCommandExecution extends DataFlow::Node {
   /** Gets an argument to this execution that specifies the command. */
   abstract DataFlow::Node getACommandArgument();
 
+  /** Holds if a shell interprets `arg`. */
+  predicate isShellInterpreted(DataFlow::Node arg) { none() }
+
   /**
    * Gets an argument to this command execution that specifies the argument list
    * to the command.

javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll

@@ -573,21 +573,32 @@ module NodeJSLib {
       this = DataFlow::moduleMember("child_process", methodName).getACall()
     }
 
-    override DataFlow::Node getACommandArgument() {
+    private DataFlow::Node getACommandArgument(boolean shell) {
       // check whether this is an invocation of an exec/spawn/fork method
       (
-        methodName = "exec" or
-        methodName = "execSync" or
-        methodName = "execFile" or
-        methodName = "execFileSync" or
-        methodName = "spawn" or
-        methodName = "spawnSync" or
-        methodName = "fork"
+        shell = true and
+        (
+          methodName = "exec" or
+          methodName = "execSync"
+        )
+        or
+        shell = false and
+        (
+          methodName = "execFile" or
+          methodName = "execFileSync" or
+          methodName = "spawn" or
+          methodName = "spawnSync" or
+          methodName = "fork"
+        )
       ) and
       // all of the above methods take the command as their first argument
       result = getArgument(0)
     }
 
+    override DataFlow::Node getACommandArgument() { result = getACommandArgument(_) }
+
+    override predicate isShellInterpreted(DataFlow::Node arg) { arg = getACommandArgument(true) }
+
     override DataFlow::Node getArgumentList() {
       (
         methodName = "execFile" or

javascript/ql/src/semmle/javascript/frameworks/ShellJS.qll

@@ -158,6 +158,8 @@ module ShellJS {
     ShellJSExec() { name = "exec" }
 
     override DataFlow::Node getACommandArgument() { result = getArgument(0) }
+
+    override predicate isShellInterpreted(DataFlow::Node arg) { arg = getACommandArgument() }
   }
 
   /**

javascript/ql/src/semmle/javascript/frameworks/SystemCommandExecutors.qll

@@ -8,36 +8,51 @@ import javascript
 private class SystemCommandExecutors extends SystemCommandExecution, DataFlow::InvokeNode {
   int cmdArg;
 
+  boolean shell;
+
   SystemCommandExecutors() {
     exists(string mod, DataFlow::SourceNode callee |
       exists(string method |
-        mod = "cross-spawn" and method = "sync" and cmdArg = 0
+        mod = "cross-spawn" and method = "sync" and cmdArg = 0 and shell = false
         or
         mod = "execa" and
         (
-          method = "shell" or
-          method = "shellSync" or
-          method = "stdout" or
-          method = "stderr" or
-          method = "sync"
+          shell = false and
+          (
+            method = "shell" or
+            method = "shellSync" or
+            method = "stdout" or
+            method = "stderr" or
+            method = "sync"
+          )
+          or
+          shell = true and
+          (method = "command" or method = "commandSync")
         ) and
         cmdArg = 0
       |
         callee = DataFlow::moduleMember(mod, method)
       )
       or
       (
-        mod = "cross-spawn" and cmdArg = 0
-        or
-        mod = "cross-spawn-async" and cmdArg = 0
-        or
-        mod = "exec" and cmdArg = 0
-        or
-        mod = "exec-async" and cmdArg = 0
-        or
-        mod = "execa" and cmdArg = 0
+        shell = false and
+        (
+          mod = "cross-spawn" and cmdArg = 0
+          or
+          mod = "cross-spawn-async" and cmdArg = 0
+          or
+          mod = "exec-async" and cmdArg = 0
+          or
+          mod = "execa" and cmdArg = 0
+        )
         or
-        mod = "remote-exec" and cmdArg = 1
+        shell = true and
+        (
+          mod = "exec" and
+          cmdArg = 0
+          or
+          mod = "remote-exec" and cmdArg = 1
+        )
       ) and
       callee = DataFlow::moduleImport(mod)
     |
@@ -46,4 +61,8 @@ private class SystemCommandExecutors extends SystemCommandExecution, DataFlow::I
   }
 
   override DataFlow::Node getACommandArgument() { result = getArgument(cmdArg) }
+
+  override predicate isShellInterpreted(DataFlow::Node arg) {
+    arg = getACommandArgument() and shell = true
+  }
 }