Merge pull request #1290 from esben-semmle/js/semver-lib

JS: add SemVer library

Author: Max Schaefer

javascript/config/suites/javascript/security

@@ -25,6 +25,7 @@
 + semmlecode-javascript-queries/Security/CWE-346/CorsMisconfigurationForCredentials.ql: /Security/CWE/CWE-346
 + semmlecode-javascript-queries/Security/CWE-352/MissingCsrfMiddleware.ql: /Security/CWE/CWE-352
 + semmlecode-javascript-queries/Security/CWE-400/RemotePropertyInjection.ql: /Security/CWE/CWE-400
++ semmlecode-javascript-queries/Security/CWE-400/PrototypePollution.ql: /Security/CWE/CWE-400
 + semmlecode-javascript-queries/Security/CWE-502/UnsafeDeserialization.ql: /Security/CWE/CWE-502
 + semmlecode-javascript-queries/Security/CWE-506/HardcodedDataInterpretedAsCode.ql: /Security/CWE/CWE-506
 + semmlecode-javascript-queries/Security/CWE-601/ClientSideUrlRedirect.ql: /Security/CWE/CWE-601

javascript/ql/src/Security/CWE-400/PrototypePollution.ql

@@ -14,7 +14,15 @@
 import javascript
 import semmle.javascript.security.dataflow.PrototypePollution::PrototypePollution
 import DataFlow::PathGraph
+import semmle.javascript.dependencies.Dependencies
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Prototype pollution caused by merging a user-controlled value from $@.", source, "here"
+from
+  Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Dependency dependency,
+  string dependencyId
+where
+  cfg.hasFlowPath(source, sink) and
+  dependency = sink.getNode().(Sink).getDependency() and
+  dependency.info(dependencyId, _)
+select sink.getNode(), source, sink,
+  "Prototype pollution caused by merging a user-controlled value from $@ using a vulnerable version of $@.",
+  source, "here", dependency, dependencyId

javascript/ql/src/semmle/javascript/AMD.qll

@@ -263,6 +263,13 @@ private class AmdDependencyImport extends Import {
     not exists(super.getImportedModule()) and
     result = resolveByAbsolutePath()
   }
+
+  override DataFlow::Node getImportedModuleNode() {
+    exists(Parameter param |
+      any(AmdModuleDefinition def).dependencyParameter(this, param) and
+      result = DataFlow::parameterNode(param)
+    )
+  }
 }
 
 /**

javascript/ql/src/semmle/javascript/ES2015Modules.qll

@@ -43,6 +43,22 @@ class ImportDeclaration extends Stmt, Import, @importdeclaration {
 
   /** Gets an import specifier of this import declaration. */
   ImportSpecifier getASpecifier() { result = getSpecifier(_) }
+
+  override DataFlow::Node getImportedModuleNode() {
+    // `import * as http from 'http'` or `import http from `http`'
+    exists(ImportSpecifier is |
+      is = getASpecifier() and
+      result = DataFlow::ssaDefinitionNode(SSA::definition(is))
+    |
+      is instanceof ImportNamespaceSpecifier and
+      count(getASpecifier()) = 1
+      or
+      is.getImportedName() = "default"
+    )
+    or
+    // `import { createServer } from 'http'`
+    result = DataFlow::destructuredModuleImportNode(this)
+  }
 }
 
 /** A literal path expression appearing in an `import` declaration. */

javascript/ql/src/semmle/javascript/Expr.qll

@@ -1562,6 +1562,8 @@ class DynamicImportExpr extends @dynamicimport, Expr, Import {
   override PathExpr getImportedPath() { result = getSource() }
 
   override Module getEnclosingModule() { result = getTopLevel() }
+
+  override DataFlow::Node getImportedModuleNode() { result = DataFlow::valueNode(this) }
 }
 
 /** A literal path expression appearing in a dynamic import. */

javascript/ql/src/semmle/javascript/Modules.qll

@@ -160,6 +160,11 @@ abstract class Import extends ASTNode {
       result = resolveFromTypeRoot()
     )
   }
+
+  /**
+   * Gets the data flow node that the default import of this import is available at.
+   */
+  abstract DataFlow::Node getImportedModuleNode();
 }
 
 /**

javascript/ql/src/semmle/javascript/NodeJS.qll

@@ -234,6 +234,8 @@ class Require extends CallExpr, Import {
           priority - (prioritiesPerCandidate() * r + numberOfExtensions() + 1))
     )
   }
+
+  override DataFlow::Node getImportedModuleNode() { result = DataFlow::valueNode(this) }
 }
 
 /** An argument to `require` or `require.resolve`, considered as a path expression. */

javascript/ql/src/semmle/javascript/TypeScript.qll

@@ -212,6 +212,8 @@ class ExternalModuleReference extends Expr, Import, @externalmodulereference {
   override ControlFlowNode getFirstControlFlowNode() {
     result = getExpression().getFirstControlFlowNode()
   }
+
+  override DataFlow::Node getImportedModuleNode() { result = DataFlow::valueNode(this) }
 }
 
 /** A literal path expression appearing in an external module reference. */

javascript/ql/src/semmle/javascript/dataflow/Nodes.qll

@@ -5,6 +5,7 @@
  */
 
 import javascript
+import semmle.javascript.dependencies.Dependencies
 
 /** A data flow node corresponding to an expression. */
 class ExprNode extends DataFlow::ValueNode {
@@ -461,37 +462,9 @@ module ModuleImportNode {
     string path;
 
     DefaultRange() {
-      // `require("http")`
-      exists(Require req | req.getImportedPath().getValue() = path |
-        this = DataFlow::valueNode(req)
-      )
-      or
-      // `import http = require("http")`
-      exists(ExternalModuleReference req | req.getImportedPath().getValue() = path |
-        this = DataFlow::valueNode(req)
-      )
-      or
-      // `import * as http from 'http'` or `import http from `http`'
-      exists(ImportDeclaration id, ImportSpecifier is |
-        id.getImportedPath().getValue() = path and
-        is = id.getASpecifier() and
-        this = DataFlow::ssaDefinitionNode(SSA::definition(is))
-      |
-        is instanceof ImportNamespaceSpecifier and
-        count(id.getASpecifier()) = 1
-        or
-        is.getImportedName() = "default"
-      )
-      or
-      // `import { createServer } from 'http'`
-      exists(ImportDeclaration id |
-        this = DataFlow::destructuredModuleImportNode(id) and
-        id.getImportedPath().getValue() = path
-      )
-      or
-      // declared AMD dependency
-      exists(AmdModuleDefinition amd |
-        this = DataFlow::parameterNode(amd.getDependencyParameter(path))
+      exists(Import i |
+        this = i.getImportedModuleNode() and
+        i.getImportedPath().getValue() = path
       )
       or
       // AMD require
@@ -515,6 +488,15 @@ module ModuleImportNode {
  */
 ModuleImportNode moduleImport(string path) { result.getPath() = path }
 
+/**
+ * Gets a (default) import of the given dependency `dep`, such as
+ * `require("lodash")` in a context where a package.json file includes
+ * `"lodash"` as a dependency.
+ */
+ModuleImportNode dependencyModuleImport(Dependency dep) {
+  result = dep.getAUse("import").(Import).getImportedModuleNode()
+}
+
 /**
  * Gets a data flow node that either imports `m` from the module with
  * the given `path`, or accesses `m` as a member on a default or

javascript/ql/src/semmle/javascript/dependencies/Dependencies.qll

@@ -23,7 +23,7 @@ abstract class Dependency extends Locatable {
   /**
    * A use of this dependency, which is of the given `kind`.
    *
-   * Currently, the only supported kind is `"import"`.
+   * Currently, the only supported kinds are `"import"` and `"use"`.
    */
   abstract Locatable getAUse(string kind);
 }