Merge pull request #1918 from esben-semmle/js/improve-getAResponseDataNode

Approved by asger-semmle

Author: semmle-qlci

change-notes/1.23/analysis-javascript.md

@@ -24,9 +24,11 @@
 | Client-side cross-site scripting (`js/xss`) | More results | More potential vulnerabilities involving functions that manipulate DOM attributes are now recognized. |
 | Code injection (`js/code-injection`) | More results | More potential vulnerabilities involving functions that manipulate DOM event handler attributes are now recognized. |
 | Hard-coded credentials (`js/hardcoded-credentials`) | Fewer false-positive results | This rule now flags fewer password examples. |
+| Incorrect suffix check (`js/incorrect-suffix-check`) | Fewer false-positive results | The query recognizes valid checks in more cases. 
+| Network data written to file (`js/http-to-file-access`) | Fewer false-positive results | This query has been renamed to better match its intended purpose, and now only considers network data untrusted. | 
 | Password in configuration file (`js/password-in-configuration-file`) | Fewer false-positive results | This rule now flags fewer password examples. |
 | Prototype pollution (`js/prototype-pollution`) | More results | The query now highlights vulnerable uses of jQuery and Angular, and the results are shown on LGTM by default. |
-| Incorrect suffix check (`js/incorrect-suffix-check`) | Fewer false-positive results | The query recognizes valid checks in more cases. |
+| Uncontrolled command line (`js/command-line-injection`) | More results | This query now treats responses from servers as untrusted. |
 
 ## Changes to QL libraries
 

javascript/ql/src/Security/CWE-078/CommandInjection.ql

@@ -16,11 +16,11 @@ import javascript
 import semmle.javascript.security.dataflow.CommandInjection::CommandInjection
 import DataFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node highlight
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node highlight, Source sourceNode
 where
   cfg.hasFlowPath(source, sink) and
   if cfg.isSinkWithHighlight(sink.getNode(), _)
   then cfg.isSinkWithHighlight(sink.getNode(), highlight)
-  else highlight = sink.getNode()
-select highlight, source, sink, "This command depends on $@.", source.getNode(),
-  "a user-provided value"
+  else highlight = sink.getNode() and
+  sourceNode = source.getNode()
+select highlight, source, sink, "This command depends on $@.", sourceNode, sourceNode.getSourceType()

javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql

@@ -1,6 +1,6 @@
 /**
- * @name User-controlled data written to file
- * @description Writing user-controlled data directly to the file system allows arbitrary file upload and might indicate a backdoor.
+ * @name Network data written to file
+ * @description Writing network data directly to the file system allows arbitrary file upload and might indicate a backdoor.
  * @kind path-problem
  * @problem.severity warning
  * @precision medium

javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll

@@ -452,6 +452,8 @@ module ClientRequest {
           or
           prop = "responseText" and responseType = "text"
           or
+          prop = "responseUrl" and responseType = "text"
+          or
           prop = "statusText" and responseType = "text"
           or
           prop = "responseXML" and responseType = "document"

javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll

@@ -735,34 +735,17 @@ module NodeJSLib {
         result = this.(DataFlow::SourceNode).getAMethodCall(name).getArgument(0)
       )
     }
-  }
 
-  /**
-   * A data flow node that is the parameter of a result callback for an HTTP or HTTPS request made by a Node.js process, for example `res` in `https.request(url, (res) => {})`.
-   */
-  private class ClientRequestCallbackParam extends DataFlow::ParameterNode, RemoteFlowSource {
-    ClientRequestCallbackParam() {
-      exists(NodeJSClientRequest req |
-        this = req.(DataFlow::MethodCallNode).getCallback(1).getParameter(0)
+    override DataFlow::Node getAResponseDataNode(string responseType, boolean promise) {
+      promise = false and
+      exists(DataFlow::ParameterNode res, DataFlow::CallNode onData |
+        res = getCallback(1).getParameter(0) and
+        onData = res.getAMethodCall("on") and
+        onData.getArgument(0).mayHaveStringValue("data") and
+        result = onData.getCallback(1).getParameter(0) and
+        responseType = "arraybuffer"
       )
     }
-
-    override string getSourceType() { result = "NodeJSClientRequest callback parameter" }
-  }
-
-  /**
-   * A data flow node that is the parameter of a data callback for an HTTP or HTTPS request made by a Node.js process, for example `body` in `http.request(url, (res) => {res.on('data', (body) => {})})`.
-   */
-  private class ClientRequestCallbackData extends RemoteFlowSource {
-    ClientRequestCallbackData() {
-      exists(ClientRequestCallbackParam rcp, DataFlow::MethodCallNode mcn |
-        rcp.getAMethodCall("on") = mcn and
-        mcn.getArgument(0).mayHaveStringValue("data") and
-        this = mcn.getCallback(1).getParameter(0)
-      )
-    }
-
-    override string getSourceType() { result = "http.request data parameter" }
   }
 
   /**

javascript/ql/src/semmle/javascript/heuristics/AdditionalSources.qll

@@ -31,4 +31,25 @@ private class JSONStringifyAsCommandInjectionSource extends HeuristicSource,
   JSONStringifyAsCommandInjectionSource() {
     this = DataFlow::globalVarRef("JSON").getAMemberCall("stringify")
   }
+
+  override string getSourceType() { result = "a string from JSON.stringify" }
+}
+
+/**
+ * A response from a remote server.
+ */
+class RemoteServerResponse extends HeuristicSource, RemoteFlowSource {
+  RemoteServerResponse() {
+    exists(ClientRequest r |
+      this = r.getAResponseDataNode() and
+      not exists(string url, string protocolPattern |
+        // exclude URLs to the current host
+        r.getUrl().mayHaveStringValue(url) and
+        protocolPattern = "(?[a-z+]{3,10}:)" and
+        not url.regexpMatch(protocolPattern + "?//.*")
+      )
+    )
+  }
+
+  override string getSourceType() { result = "a response from a remote server" }
 }

javascript/ql/src/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll

@@ -11,7 +11,10 @@ module CommandInjection {
   /**
    * A data flow source for command-injection vulnerabilities.
    */
-  abstract class Source extends DataFlow::Node { }
+  abstract class Source extends DataFlow::Node {
+    /** Gets a string that describes the type of this remote flow source. */
+    abstract string getSourceType();
+  }
 
   /**
    * A data flow sink for command-injection vulnerabilities.
@@ -26,6 +29,17 @@ module CommandInjection {
   /** A source of remote user input, considered as a flow source for command injection. */
   class RemoteFlowSourceAsSource extends Source {
     RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+
+    override string getSourceType() { result = "a user-provided value" }
+  }
+
+  /**
+   * A response from a server, considered as a flow source for command injection.
+   */
+  class ServerResponse extends Source {
+    ServerResponse() { this = any(ClientRequest r).getAResponseDataNode() }
+
+    override string getSourceType() { result = "a server-provided value" }
   }
 
   /**

javascript/ql/src/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll

@@ -24,10 +24,22 @@ module HttpToFileAccess {
   abstract class Sanitizer extends DataFlow::Node { }
 
   /** A source of remote user input, considered as a flow source for writing user-controlled data to files. */
-  class RemoteFlowSourceAsSource extends Source {
+  deprecated class RemoteFlowSourceAsSource extends DataFlow::Node {
     RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
   }
 
+  /**
+   * An access to a user-controlled HTTP request input, considered as a flow source for writing user-controlled data to files
+   */
+  private class RequestInputAccessAsSource extends Source {
+    RequestInputAccessAsSource() { this instanceof HTTP::RequestInputAccess }
+  }
+
+  /** A response from a server, considered as a flow source for writing user-controlled data to files. */
+  private class ServerResponseAsSource extends Source {
+    ServerResponseAsSource() { this = any(ClientRequest r).getAResponseDataNode() }
+  }
+
   /** A sink that represents file access method (write, append) argument */
   class FileAccessAsSink extends Sink {
     FileAccessAsSink() { exists(FileSystemWriteAccess src | this = src.getADataNode()) }

javascript/ql/test/library-tests/frameworks/NodeJSLib/tests.expected

@@ -137,8 +137,6 @@ test_RemoteFlowSources
 | src/http.js:6:26:6:32 | req.url |
 | src/http.js:8:3:8:20 | req.headers.cookie |
 | src/http.js:9:3:9:17 | req.headers.foo |
-| src/http.js:21:33:21:40 | response |
-| src/http.js:23:28:23:32 | chunk |
 | src/http.js:29:26:29:33 | response |
 | src/http.js:30:28:30:32 | chunk |
 | src/http.js:40:23:40:30 | authInfo |

javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected

@@ -67,6 +67,8 @@ nodes
 | other.js:17:27:17:29 | cmd |
 | other.js:18:22:18:24 | cmd |
 | other.js:19:36:19:38 | cmd |
+| third-party-command-injection.js:5:20:5:26 | command |
+| third-party-command-injection.js:6:21:6:27 | command |
 edges
 | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:17:13:17:15 | cmd |
 | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:18:17:18:19 | cmd |
@@ -134,6 +136,7 @@ edges
 | other.js:5:15:5:44 | url.par ... ).query | other.js:5:15:5:49 | url.par ... ry.path |
 | other.js:5:15:5:49 | url.par ... ry.path | other.js:5:9:5:49 | cmd |
 | other.js:5:25:5:31 | req.url | other.js:5:15:5:38 | url.par ... , true) |
+| third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command |
 #select
 | child_process-test.js:17:13:17:15 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:17:13:17:15 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
 | child_process-test.js:18:17:18:19 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:18:17:18:19 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
@@ -160,3 +163,4 @@ edges
 | other.js:17:27:17:29 | cmd | other.js:5:25:5:31 | req.url | other.js:17:27:17:29 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:18:22:18:24 | cmd | other.js:5:25:5:31 | req.url | other.js:18:22:18:24 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:19:36:19:38 | cmd | other.js:5:25:5:31 | req.url | other.js:19:36:19:38 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
+| third-party-command-injection.js:6:21:6:27 | command | third-party-command-injection.js:5:20:5:26 | command | third-party-command-injection.js:6:21:6:27 | command | This command depends on $@. | third-party-command-injection.js:5:20:5:26 | command | a server-provided value |