Merge pull request #5066 from CaptainFreak/express-hbs-lfr

JS: add query for Express-HBS LFR

Author: erik-krogh

javascript/ql/src/experimental/Security/CWE-073/TemplateObjectInjection.ql

@@ -0,0 +1,49 @@
+/**
+ * @name Template Object Injection
+ * @description Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id js/template-object-injection
+ * @tags security
+ *       external/cwe/cwe-073
+ *       external/cwe/cwe-094
+ */
+
+import javascript
+import DataFlow::PathGraph
+import semmle.javascript.security.TaintedObject
+
+class TemplateObjInjectionConfig extends TaintTracking::Configuration {
+  TemplateObjInjectionConfig() { this = "TemplateObjInjectionConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+    TaintedObject::isSource(source, label)
+  }
+
+  override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+    label = TaintedObject::label() and
+    exists(MethodCallExpr mc |
+      Express::isResponse(mc.getReceiver()) and
+      mc.getMethodName() = "render" and
+      sink.asExpr() = mc.getArgument(1)
+    )
+  }
+
+  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+    guard instanceof TaintedObject::SanitizerGuard
+  }
+
+  override predicate isAdditionalFlowStep(
+    DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
+  ) {
+    TaintedObject::step(src, trg, inlbl, outlbl)
+  }
+}
+
+from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Template object injection due to $@.", source.getNode(),
+  "user-provided value"

javascript/ql/src/experimental/Security/CWE-073/documentation-examples/TemplateObjectInjection.js

@@ -0,0 +1,10 @@
+var app = require('express')();
+app.set('view engine', 'hbs');
+
+app.post('/path', function(req, res) {
+    var bodyParameter = req.body.bodyParameter
+    var queryParameter = req.query.queryParameter
+    
+    res.render('template', bodyParameter)
+    res.render('template', queryParameter)
+});

javascript/ql/src/experimental/Security/CWE-073/documentation-examples/TemplateObjectInjection_fixed.js

@@ -0,0 +1,10 @@
+var app = require('express')();
+app.set('view engine', 'hbs');
+
+app.post('/path', function(req, res) {
+    var bodyParameter = req.body.bodyParameter
+    var queryParameter = req.query.queryParameter
+    
+    res.render('template', {bodyParameter})
+    res.render('template', {queryParameter})
+});

javascript/ql/test/experimental/Security/CWE-073/TemplateObjectInjection.expected

@@ -0,0 +1,55 @@
+nodes
+| tst.js:5:9:5:46 | bodyParameter |
+| tst.js:5:25:5:32 | req.body |
+| tst.js:5:25:5:32 | req.body |
+| tst.js:5:25:5:46 | req.bod ... rameter |
+| tst.js:6:9:6:49 | queryParameter |
+| tst.js:6:9:6:49 | queryParameter |
+| tst.js:6:26:6:49 | req.que ... rameter |
+| tst.js:6:26:6:49 | req.que ... rameter |
+| tst.js:6:26:6:49 | req.que ... rameter |
+| tst.js:8:28:8:40 | bodyParameter |
+| tst.js:8:28:8:40 | bodyParameter |
+| tst.js:9:28:9:41 | queryParameter |
+| tst.js:9:28:9:41 | queryParameter |
+| tst.js:18:19:18:32 | queryParameter |
+| tst.js:18:19:18:32 | queryParameter |
+| tst.js:21:24:21:26 | obj |
+| tst.js:21:24:21:26 | obj |
+| tst.js:22:28:22:30 | obj |
+| tst.js:22:28:22:30 | obj |
+| tst.js:24:11:24:24 | str |
+| tst.js:24:17:24:19 | obj |
+| tst.js:24:17:24:24 | obj + "" |
+| tst.js:27:28:27:42 | JSON.parse(str) |
+| tst.js:27:28:27:42 | JSON.parse(str) |
+| tst.js:27:39:27:41 | str |
+edges
+| tst.js:5:9:5:46 | bodyParameter | tst.js:8:28:8:40 | bodyParameter |
+| tst.js:5:9:5:46 | bodyParameter | tst.js:8:28:8:40 | bodyParameter |
+| tst.js:5:25:5:32 | req.body | tst.js:5:25:5:46 | req.bod ... rameter |
+| tst.js:5:25:5:32 | req.body | tst.js:5:25:5:46 | req.bod ... rameter |
+| tst.js:5:25:5:46 | req.bod ... rameter | tst.js:5:9:5:46 | bodyParameter |
+| tst.js:6:9:6:49 | queryParameter | tst.js:9:28:9:41 | queryParameter |
+| tst.js:6:9:6:49 | queryParameter | tst.js:9:28:9:41 | queryParameter |
+| tst.js:6:9:6:49 | queryParameter | tst.js:18:19:18:32 | queryParameter |
+| tst.js:6:9:6:49 | queryParameter | tst.js:18:19:18:32 | queryParameter |
+| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
+| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
+| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
+| tst.js:6:26:6:49 | req.que ... rameter | tst.js:6:9:6:49 | queryParameter |
+| tst.js:18:19:18:32 | queryParameter | tst.js:21:24:21:26 | obj |
+| tst.js:18:19:18:32 | queryParameter | tst.js:21:24:21:26 | obj |
+| tst.js:21:24:21:26 | obj | tst.js:22:28:22:30 | obj |
+| tst.js:21:24:21:26 | obj | tst.js:22:28:22:30 | obj |
+| tst.js:21:24:21:26 | obj | tst.js:24:17:24:19 | obj |
+| tst.js:24:11:24:24 | str | tst.js:27:39:27:41 | str |
+| tst.js:24:17:24:19 | obj | tst.js:24:17:24:24 | obj + "" |
+| tst.js:24:17:24:24 | obj + "" | tst.js:24:11:24:24 | str |
+| tst.js:27:39:27:41 | str | tst.js:27:28:27:42 | JSON.parse(str) |
+| tst.js:27:39:27:41 | str | tst.js:27:28:27:42 | JSON.parse(str) |
+#select
+| tst.js:8:28:8:40 | bodyParameter | tst.js:5:25:5:32 | req.body | tst.js:8:28:8:40 | bodyParameter | Template object injection due to $@. | tst.js:5:25:5:32 | req.body | user-provided value |
+| tst.js:9:28:9:41 | queryParameter | tst.js:6:26:6:49 | req.que ... rameter | tst.js:9:28:9:41 | queryParameter | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |
+| tst.js:22:28:22:30 | obj | tst.js:6:26:6:49 | req.que ... rameter | tst.js:22:28:22:30 | obj | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |
+| tst.js:27:28:27:42 | JSON.parse(str) | tst.js:6:26:6:49 | req.que ... rameter | tst.js:27:28:27:42 | JSON.parse(str) | Template object injection due to $@. | tst.js:6:26:6:49 | req.que ... rameter | user-provided value |

javascript/ql/test/experimental/Security/CWE-073/TemplateObjectInjection.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE-073/TemplateObjectInjection.ql

javascript/ql/test/experimental/Security/CWE-073/tst.js

@@ -0,0 +1,28 @@
+var app = require('express')();
+app.set('view engine', 'hbs');
+
+app.post('/path', function(req, res) {
+    var bodyParameter = req.body.bodyParameter;
+    var queryParameter = req.query.queryParameter;
+
+    res.render('template', bodyParameter); // NOT OK
+    res.render('template', queryParameter); // NOT OK
+
+    if (typeof bodyParameter === "string") {
+        res.render('template', bodyParameter); // OK
+    }
+    res.render('template', queryParameter + ""); // OK
+
+    res.render('template', {profile: bodyParameter}); // OK
+
+    indirect(res, queryParameter);
+}); 
+
+function indirect(res, obj) {
+    res.render("template", obj); // NOT OK
+
+    const str = obj + "";
+    res.render("template", str); // OK 
+
+    res.render("template", JSON.parse(str)); // NOT OK
+}