JS: Port experimental EnvValueAndKeyInjection to ConfigSig

asgerf · asgerf · commit 4f839070a090 · 2024-12-03T14:30:16.000+01:00
diff --git a/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql b/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
@@ -11,20 +11,17 @@
  */
 
 import javascript
-import DataFlow::PathGraph
 
 /** A taint tracking configuration for unsafe environment injection. */
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "envInjection" }
+module EnvValueAndKeyInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     sink = keyOfEnv() or
     sink = valueOfEnv()
   }
 
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
     exists(DataFlow::InvokeNode ikn |
       ikn = DataFlow::globalVarRef("Object").getAMemberInvocation("keys")
     |
@@ -38,6 +35,8 @@ class Configuration extends TaintTracking::Configuration {
   }
 }
 
+module EnvValueAndKeyInjectionFlow = TaintTracking::Global<EnvValueAndKeyInjectionConfig>;
+
 DataFlow::Node keyOfEnv() {
   result =
     NodeJSLib::process().getAPropertyRead("env").getAPropertyWrite().getPropertyNameExpr().flow()
@@ -56,13 +55,15 @@ private predicate readToProcessEnv(DataFlow::Node envKey, DataFlow::Node envValu
   )
 }
 
+import EnvValueAndKeyInjectionFlow::PathGraph
+
 from
-  Configuration cfgForValue, Configuration cfgForKey, DataFlow::PathNode source,
-  DataFlow::PathNode envKey, DataFlow::PathNode envValue
+  EnvValueAndKeyInjectionFlow::PathNode source, EnvValueAndKeyInjectionFlow::PathNode envKey,
+  EnvValueAndKeyInjectionFlow::PathNode envValue
 where
-  cfgForValue.hasFlowPath(source, envKey) and
+  EnvValueAndKeyInjectionFlow::flowPath(source, envKey) and
   envKey.getNode() = keyOfEnv() and
-  cfgForKey.hasFlowPath(source, envValue) and
+  EnvValueAndKeyInjectionFlow::flowPath(source, envValue) and
   envValue.getNode() = valueOfEnv() and
   readToProcessEnv(envKey.getNode(), envValue.getNode())
 select envKey.getNode(), source, envKey, "arbitrary environment variable assignment from this $@.",
diff --git a/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.expected b/javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.expected
@@ -1,55 +1,32 @@
-nodes
-| test.js:5:9:5:28 | { EnvValue, EnvKey } |
-| test.js:5:9:5:39 | EnvKey |
-| test.js:5:9:5:39 | EnvValue |
-| test.js:5:11:5:18 | EnvValue |
-| test.js:5:21:5:26 | EnvKey |
-| test.js:5:32:5:39 | req.body |
-| test.js:5:32:5:39 | req.body |
-| test.js:6:15:6:20 | EnvKey |
-| test.js:6:15:6:20 | EnvKey |
-| test.js:6:25:6:32 | EnvValue |
-| test.js:6:25:6:32 | EnvValue |
-| test.js:7:15:7:20 | EnvKey |
-| test.js:7:15:7:20 | EnvKey |
-| test.js:7:25:7:32 | EnvValue |
-| test.js:7:25:7:32 | EnvValue |
-| test.js:13:9:13:28 | { EnvValue, EnvKey } |
-| test.js:13:9:13:39 | EnvKey |
-| test.js:13:9:13:39 | EnvValue |
-| test.js:13:11:13:18 | EnvValue |
-| test.js:13:21:13:26 | EnvKey |
-| test.js:13:32:13:39 | req.body |
-| test.js:13:32:13:39 | req.body |
-| test.js:15:15:15:20 | EnvKey |
-| test.js:15:15:15:20 | EnvKey |
-| test.js:16:26:16:33 | EnvValue |
-| test.js:16:26:16:33 | EnvValue |
 edges
-| test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:11:5:18 | EnvValue |
-| test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:21:5:26 | EnvKey |
-| test.js:5:9:5:39 | EnvKey | test.js:6:15:6:20 | EnvKey |
-| test.js:5:9:5:39 | EnvKey | test.js:6:15:6:20 | EnvKey |
-| test.js:5:9:5:39 | EnvKey | test.js:7:15:7:20 | EnvKey |
-| test.js:5:9:5:39 | EnvKey | test.js:7:15:7:20 | EnvKey |
-| test.js:5:9:5:39 | EnvValue | test.js:6:25:6:32 | EnvValue |
-| test.js:5:9:5:39 | EnvValue | test.js:6:25:6:32 | EnvValue |
-| test.js:5:9:5:39 | EnvValue | test.js:7:25:7:32 | EnvValue |
-| test.js:5:9:5:39 | EnvValue | test.js:7:25:7:32 | EnvValue |
-| test.js:5:11:5:18 | EnvValue | test.js:5:9:5:39 | EnvValue |
-| test.js:5:21:5:26 | EnvKey | test.js:5:9:5:39 | EnvKey |
-| test.js:5:32:5:39 | req.body | test.js:5:9:5:28 | { EnvValue, EnvKey } |
-| test.js:5:32:5:39 | req.body | test.js:5:9:5:28 | { EnvValue, EnvKey } |
-| test.js:13:9:13:28 | { EnvValue, EnvKey } | test.js:13:11:13:18 | EnvValue |
-| test.js:13:9:13:28 | { EnvValue, EnvKey } | test.js:13:21:13:26 | EnvKey |
-| test.js:13:9:13:39 | EnvKey | test.js:15:15:15:20 | EnvKey |
-| test.js:13:9:13:39 | EnvKey | test.js:15:15:15:20 | EnvKey |
-| test.js:13:9:13:39 | EnvValue | test.js:16:26:16:33 | EnvValue |
-| test.js:13:9:13:39 | EnvValue | test.js:16:26:16:33 | EnvValue |
-| test.js:13:11:13:18 | EnvValue | test.js:13:9:13:39 | EnvValue |
-| test.js:13:21:13:26 | EnvKey | test.js:13:9:13:39 | EnvKey |
-| test.js:13:32:13:39 | req.body | test.js:13:9:13:28 | { EnvValue, EnvKey } |
-| test.js:13:32:13:39 | req.body | test.js:13:9:13:28 | { EnvValue, EnvKey } |
+| test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:9:5:39 | EnvKey | provenance |  |
+| test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:9:5:39 | EnvValue | provenance |  |
+| test.js:5:9:5:39 | EnvKey | test.js:6:15:6:20 | EnvKey | provenance |  |
+| test.js:5:9:5:39 | EnvKey | test.js:7:15:7:20 | EnvKey | provenance |  |
+| test.js:5:9:5:39 | EnvValue | test.js:6:25:6:32 | EnvValue | provenance |  |
+| test.js:5:9:5:39 | EnvValue | test.js:7:25:7:32 | EnvValue | provenance |  |
+| test.js:5:32:5:39 | req.body | test.js:5:9:5:28 | { EnvValue, EnvKey } | provenance |  |
+| test.js:13:9:13:28 | { EnvValue, EnvKey } | test.js:13:9:13:39 | EnvKey | provenance |  |
+| test.js:13:9:13:28 | { EnvValue, EnvKey } | test.js:13:9:13:39 | EnvValue | provenance |  |
+| test.js:13:9:13:39 | EnvKey | test.js:15:15:15:20 | EnvKey | provenance |  |
+| test.js:13:9:13:39 | EnvValue | test.js:16:26:16:33 | EnvValue | provenance |  |
+| test.js:13:32:13:39 | req.body | test.js:13:9:13:28 | { EnvValue, EnvKey } | provenance |  |
+nodes
+| test.js:5:9:5:28 | { EnvValue, EnvKey } | semmle.label | { EnvValue, EnvKey } |
+| test.js:5:9:5:39 | EnvKey | semmle.label | EnvKey |
+| test.js:5:9:5:39 | EnvValue | semmle.label | EnvValue |
+| test.js:5:32:5:39 | req.body | semmle.label | req.body |
+| test.js:6:15:6:20 | EnvKey | semmle.label | EnvKey |
+| test.js:6:25:6:32 | EnvValue | semmle.label | EnvValue |
+| test.js:7:15:7:20 | EnvKey | semmle.label | EnvKey |
+| test.js:7:25:7:32 | EnvValue | semmle.label | EnvValue |
+| test.js:13:9:13:28 | { EnvValue, EnvKey } | semmle.label | { EnvValue, EnvKey } |
+| test.js:13:9:13:39 | EnvKey | semmle.label | EnvKey |
+| test.js:13:9:13:39 | EnvValue | semmle.label | EnvValue |
+| test.js:13:32:13:39 | req.body | semmle.label | req.body |
+| test.js:15:15:15:20 | EnvKey | semmle.label | EnvKey |
+| test.js:16:26:16:33 | EnvValue | semmle.label | EnvValue |
+subpaths
 #select
 | test.js:6:15:6:20 | EnvKey | test.js:5:32:5:39 | req.body | test.js:6:15:6:20 | EnvKey | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source |
 | test.js:7:15:7:20 | EnvKey | test.js:5:32:5:39 | req.body | test.js:7:15:7:20 | EnvKey | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source |
