Merge pull request #1544 from esben-semmle/js/additional-configuration-splitting

Approved by xiemaisi

Author: semmle-qlci

javascript/ql/src/semmle/javascript/heuristics/AdditionalSinks.qll

@@ -7,16 +7,16 @@
 import javascript
 private import SyntacticHeuristics
 private import semmle.javascript.security.dataflow.CodeInjectionCustomizations
-private import semmle.javascript.security.dataflow.CommandInjection
+private import semmle.javascript.security.dataflow.CommandInjectionCustomizations
 private import semmle.javascript.security.dataflow.DomBasedXss as DomBasedXss
 private import semmle.javascript.security.dataflow.ReflectedXss as ReflectedXss
-private import semmle.javascript.security.dataflow.SqlInjection
-private import semmle.javascript.security.dataflow.NosqlInjection
-private import semmle.javascript.security.dataflow.TaintedPath
-private import semmle.javascript.security.dataflow.RegExpInjection
-private import semmle.javascript.security.dataflow.ClientSideUrlRedirect
-private import semmle.javascript.security.dataflow.ServerSideUrlRedirect
-private import semmle.javascript.security.dataflow.InsecureRandomness
+private import semmle.javascript.security.dataflow.SqlInjectionCustomizations
+private import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
+private import semmle.javascript.security.dataflow.TaintedPathCustomizations
+private import semmle.javascript.security.dataflow.RegExpInjectionCustomizations
+private import semmle.javascript.security.dataflow.ClientSideUrlRedirectCustomizations
+private import semmle.javascript.security.dataflow.ServerSideUrlRedirectCustomizations
+private import semmle.javascript.security.dataflow.InsecureRandomnessCustomizations
 
 /**
  * A heuristic sink for data flow in a security query.

javascript/ql/src/semmle/javascript/heuristics/AdditionalSources.qll

@@ -6,7 +6,7 @@
 
 import javascript
 import SyntacticHeuristics
-private import semmle.javascript.security.dataflow.CommandInjection
+private import semmle.javascript.security.dataflow.CommandInjectionCustomizations
 
 /**
  * A heuristic source of data flow in a security query.

javascript/ql/src/semmle/javascript/security/dataflow/BrokenCryptoAlgorithm.qll

@@ -1,29 +1,16 @@
 /**
- * Provides a taint tracking configuration for reasoning about sensitive information in broken or weak cryptographic algorithms.
+ * Provides a taint tracking configuration for reasoning about
+ * sensitive information in broken or weak cryptographic algorithms.
+ *
+ * Note, for performance reasons: only import this file if
+ * `BrokenCryptoAlgorithm::Configuration` is needed, otherwise
+ * `BrokenCryptoAlgorithmCustomizations` should be imported instead.
  */
 
 import javascript
-private import semmle.javascript.security.SensitiveActions
-private import semmle.javascript.frameworks.CryptoLibraries
 
 module BrokenCryptoAlgorithm {
-  /**
-   * A data flow source for sensitive information in broken or weak cryptographic algorithms.
-   */
-  abstract class Source extends DataFlow::Node {
-    /** Gets a string that describes the type of this data flow source. */
-    abstract string describe();
-  }
-
-  /**
-   * A data flow sink for sensitive information in broken or weak cryptographic algorithms.
-   */
-  abstract class Sink extends DataFlow::Node { }
-
-  /**
-   * A sanitizer for sensitive information in broken or weak cryptographic algorithms.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
+  import BrokenCryptoAlgorithmCustomizations::BrokenCryptoAlgorithm
 
   /**
    * A taint tracking configuration for sensitive information in broken or weak cryptographic algorithms.
@@ -46,26 +33,4 @@ module BrokenCryptoAlgorithm {
       node instanceof Sanitizer
     }
   }
-
-  /**
-   * A sensitive expression, viewed as a data flow source for sensitive information
-   * in broken or weak cryptographic algorithms.
-   */
-  class SensitiveExprSource extends Source, DataFlow::ValueNode {
-    override SensitiveExpr astNode;
-
-    override string describe() { result = astNode.describe() }
-  }
-
-  /**
-   * An expression used by a broken or weak cryptographic algorithm.
-   */
-  class WeakCryptographicOperationSink extends Sink {
-    WeakCryptographicOperationSink() {
-      exists(CryptographicOperation application |
-        application.getAlgorithm().isWeak() and
-        this.asExpr() = application.getInput()
-      )
-    }
-  }
 }

javascript/ql/src/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmCustomizations.qll

@@ -0,0 +1,51 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * sensitive information in broken or weak cryptographic algorithms,
+ * as well as extension points for adding your own.
+ */
+
+import javascript
+private import semmle.javascript.security.SensitiveActions
+private import semmle.javascript.frameworks.CryptoLibraries
+
+module BrokenCryptoAlgorithm {
+  /**
+   * A data flow source for sensitive information in broken or weak cryptographic algorithms.
+   */
+  abstract class Source extends DataFlow::Node {
+    /** Gets a string that describes the type of this data flow source. */
+    abstract string describe();
+  }
+
+  /**
+   * A data flow sink for sensitive information in broken or weak cryptographic algorithms.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for sensitive information in broken or weak cryptographic algorithms.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A sensitive expression, viewed as a data flow source for sensitive information
+   * in broken or weak cryptographic algorithms.
+   */
+  class SensitiveExprSource extends Source, DataFlow::ValueNode {
+    override SensitiveExpr astNode;
+
+    override string describe() { result = astNode.describe() }
+  }
+
+  /**
+   * An expression used by a broken or weak cryptographic algorithm.
+   */
+  class WeakCryptographicOperationSink extends Sink {
+    WeakCryptographicOperationSink() {
+      exists(CryptographicOperation application |
+        application.getAlgorithm().isWeak() and
+        this.asExpr() = application.getInput()
+      )
+    }
+  }
+}

javascript/ql/src/semmle/javascript/security/dataflow/CleartextLogging.qll

@@ -1,29 +1,16 @@
 /**
- * Provides a dataflow tracking configuration for reasoning about clear-text logging of sensitive information.
+ * Provides a dataflow tracking configuration for reasoning about
+ * clear-text logging of sensitive information.
+ *
+ * Note, for performance reasons: only import this file if
+ * `CleartextLogging::Configuration` is needed, otherwise
+ * `CleartextLoggingCustomizations` should be imported instead.
  */
 
 import javascript
-private import semmle.javascript.dataflow.InferredTypes
-private import semmle.javascript.security.SensitiveActions::HeuristicNames
 
 module CleartextLogging {
-  /**
-   * A data flow source for clear-text logging of sensitive information.
-   */
-  abstract class Source extends DataFlow::Node {
-    /** Gets a string that describes the type of this data flow source. */
-    abstract string describe();
-  }
-
-  /**
-   * A data flow sink for clear-text logging of sensitive information.
-   */
-  abstract class Sink extends DataFlow::Node { }
-
-  /**
-   * A barrier for clear-text logging of sensitive information.
-   */
-  abstract class Barrier extends DataFlow::Node { }
+  import CleartextLoggingCustomizations::CleartextLogging
 
   /**
    * A dataflow tracking configuration for clear-text logging of sensitive information.
@@ -57,122 +44,4 @@ module CleartextLogging {
       )
     }
   }
-
-  /**
-   * An argument to a logging mechanism.
-   */
-  class LoggerSink extends Sink {
-    LoggerSink() { this = any(LoggerCall log).getAMessageComponent() }
-  }
-
-  /**
-   * A data flow node that does not contain a clear-text password, according to its syntactic name.
-   */
-  private class NameGuidedNonCleartextPassword extends NonCleartextPassword {
-    NameGuidedNonCleartextPassword() {
-      exists(string name | name.regexpMatch(notSensitive()) |
-        this.asExpr().(VarAccess).getName() = name
-        or
-        this.(DataFlow::PropRead).getPropertyName() = name
-        or
-        this.(DataFlow::InvokeNode).getCalleeName() = name
-      )
-      or
-      // avoid i18n strings
-      this
-          .(DataFlow::PropRead)
-          .getBase()
-          .asExpr()
-          .(VarRef)
-          .getName()
-          .regexpMatch("(?is).*(messages|strings).*")
-    }
-  }
-
-  /**
-   * A data flow node that is definitely not an object.
-   */
-  private class NonObject extends NonCleartextPassword {
-    NonObject() {
-      forall(AbstractValue v | v = analyze().getAValue() | not v.getType() = TTObject())
-    }
-  }
-
-  /**
-   * A data flow node that receives flow that is not a clear-text password.
-   */
-  private class NonCleartextPasswordFlow extends NonCleartextPassword {
-    NonCleartextPasswordFlow() {
-      any(NonCleartextPassword other).(DataFlow::SourceNode).flowsTo(this)
-    }
-  }
-
-  /**
-   * A call that might obfuscate a password, for example through hashing.
-   */
-  private class ObfuscatorCall extends Barrier, DataFlow::InvokeNode {
-    ObfuscatorCall() { getCalleeName().regexpMatch(notSensitive()) }
-  }
-
-  /**
-   * A data flow node that does not contain a clear-text password.
-   */
-  abstract private class NonCleartextPassword extends DataFlow::Node { }
-
-  /**
-   * An object with a property that may contain password information
-   *
-   * This is a source since `console.log(obj)` will show the properties of `obj`.
-   */
-  private class ObjectPasswordPropertySource extends DataFlow::ValueNode, Source {
-    string name;
-
-    ObjectPasswordPropertySource() {
-      exists(DataFlow::PropWrite write |
-        name.regexpMatch(maybePassword()) and
-        not name.regexpMatch(notSensitive()) and
-        write = this.(DataFlow::SourceNode).getAPropertyWrite(name) and
-        // avoid safe values assigned to presumably unsafe names
-        not write.getRhs() instanceof NonCleartextPassword
-      )
-    }
-
-    override string describe() { result = "an access to " + name }
-  }
-
-  /** An access to a variable or property that might contain a password. */
-  private class ReadPasswordSource extends DataFlow::ValueNode, Source {
-    string name;
-
-    ReadPasswordSource() {
-      // avoid safe values assigned to presumably unsafe names
-      not this instanceof NonCleartextPassword and
-      name.regexpMatch(maybePassword()) and
-      (
-        this.asExpr().(VarAccess).getName() = name
-        or
-        exists(DataFlow::SourceNode base |
-          this = base.getAPropertyRead(name) and
-          // avoid safe values assigned to presumably unsafe names
-          exists(DataFlow::SourceNode baseObj | baseObj.flowsTo(base) |
-            not base.getAPropertyWrite(name).getRhs() instanceof NonCleartextPassword
-          )
-        )
-      )
-    }
-
-    override string describe() { result = "an access to " + name }
-  }
-
-  /** A call that might return a password. */
-  private class CallPasswordSource extends DataFlow::ValueNode, DataFlow::InvokeNode, Source {
-    string name;
-
-    CallPasswordSource() {
-      name = getCalleeName() and
-      name.regexpMatch("(?is)getPassword")
-    }
-
-    override string describe() { result = "a call to " + name }
-  }
 }