Merge pull request #4450 from asgerf/js/angular

Approved by erik-krogh

Author: codeql-ci

change-notes/1.26/analysis-javascript.md

@@ -2,7 +2,10 @@
 
 ## General improvements
 
+* Angular-specific taint sources and sinks are now recognized by the security queries.
+
 * Support for the following frameworks and libraries has been improved:
+  - [@angular/*](https://www.npmjs.com/package/@angular/core)
   - [AWS Serverless](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html)
   - [Alibaba Serverless](https://www.alibabacloud.com/help/doc-detail/156876.htm)
   - [bluebird](https://www.npmjs.com/package/bluebird)

javascript/ql/src/javascript.qll

@@ -65,6 +65,7 @@ import semmle.javascript.YAML
 import semmle.javascript.dataflow.DataFlow
 import semmle.javascript.dataflow.TaintTracking
 import semmle.javascript.dataflow.TypeInference
+import semmle.javascript.frameworks.Angular2
 import semmle.javascript.frameworks.AngularJS
 import semmle.javascript.frameworks.AsyncPackage
 import semmle.javascript.frameworks.AWS

javascript/ql/src/semmle/javascript/frameworks/Angular2.qll

@@ -0,0 +1,221 @@
+/**
+ * Provides classes for working with Angular (also known as Angular 2.x) applications.
+ */
+
+private import javascript
+private import semmle.javascript.security.dataflow.Xss
+private import semmle.javascript.security.dataflow.CodeInjectionCustomizations
+private import semmle.javascript.security.dataflow.ClientSideUrlRedirectCustomizations
+private import semmle.javascript.DynamicPropertyAccess
+
+/**
+ * Provides classes for working with Angular (also known as Angular 2.x) applications.
+ */
+module Angular2 {
+  /** Gets a reference to a `Router` object. */
+  DataFlow::SourceNode router() { result.hasUnderlyingType("@angular/router", "Router") }
+
+  /** Gets a reference to a `RouterState` object. */
+  DataFlow::SourceNode routerState() {
+    result.hasUnderlyingType("@angular/router", "RouterState")
+    or
+    result = router().getAPropertyRead("routerState")
+  }
+
+  /** Gets a reference to a `RouterStateSnapshot` object. */
+  DataFlow::SourceNode routerStateSnapshot() {
+    result.hasUnderlyingType("@angular/router", "RouterStateSnapshot")
+    or
+    result = routerState().getAPropertyRead("snapshot")
+  }
+
+  /** Gets a reference to an `ActivatedRoute` object. */
+  DataFlow::SourceNode activatedRoute() {
+    result.hasUnderlyingType("@angular/router", "ActivatedRoute")
+  }
+
+  /** Gets a reference to an `ActivatedRouteSnapshot` object. */
+  DataFlow::SourceNode activatedRouteSnapshot() {
+    result.hasUnderlyingType("@angular/router", "ActivatedRouteSnapshot")
+    or
+    result = activatedRoute().getAPropertyRead("snapshot")
+  }
+
+  /**
+   * Gets a data flow node referring to the value of the route property `name`, accessed
+   * via one of the following patterns:
+   * ```js
+   * route.snapshot.name
+   * route.snapshot.data.name
+   * route.name.subscribe(x => ...)
+   * ```
+   */
+  DataFlow::SourceNode activatedRouteProp(string name) {
+    // this.route.snapshot.foo
+    result = activatedRouteSnapshot().getAPropertyRead(name)
+    or
+    // this.route.snapshot.data.foo
+    result = activatedRouteSnapshot().getAPropertyRead("data").getAPropertyRead(name)
+    or
+    // this.route.foo.subscribe(foo => { ... })
+    result =
+      activatedRoute()
+          .getAPropertyRead(name)
+          .getAMethodCall("subscribe")
+          .getABoundCallbackParameter(0, 0)
+  }
+
+  /** Gets an array of URL segments matched by some route. */
+  private DataFlow::SourceNode urlSegmentArray() { result = activatedRouteProp("url") }
+
+  /** Gets a data flow node referring to a `UrlSegment` object matched by some route. */
+  DataFlow::SourceNode urlSegment() {
+    result = getAnEnumeratedArrayElement(urlSegmentArray())
+    or
+    result = urlSegmentArray().getAPropertyRead(any(string s | exists(s.toInt())))
+  }
+
+  /** Gets a reference to a `ParamMap` object, usually containing values from the URL. */
+  DataFlow::SourceNode paramMap() {
+    result.hasUnderlyingType("@angular/router", "ParamMap")
+    or
+    result = activatedRouteProp(["paramMap", "queryParamMap"])
+    or
+    result = urlSegment().getAPropertyRead("parameterMap")
+  }
+
+  /** Gets a reference to a `Params` object, usually containing values from the URL. */
+  DataFlow::SourceNode paramDictionaryObject() {
+    result.hasUnderlyingType("@angular/router", "Params") and
+    not result instanceof DataFlow::ObjectLiteralNode // ignore object literals found by contextual typing
+    or
+    result = activatedRouteProp(["params", "queryParams"])
+    or
+    result = paramMap().getAPropertyRead("params")
+    or
+    result = urlSegment().getAPropertyRead("parameters")
+  }
+
+  /**
+   * A value from `@angular/router` derived from the URL.
+   */
+  class AngularSource extends RemoteFlowSource {
+    AngularSource() {
+      this = paramMap().getAMethodCall(["get", "getAll"])
+      or
+      this = paramDictionaryObject()
+      or
+      this = activatedRouteProp("fragment")
+      or
+      this = urlSegment().getAPropertyRead("path")
+      or
+      // Note that Router.url and RouterStateSnapshot.url are strings, not UrlSegment[]
+      this = router().getAPropertyRead("url")
+      or
+      this = routerStateSnapshot().getAPropertyRead("url")
+    }
+
+    override string getSourceType() { result = "Angular route parameter" }
+  }
+
+  /** Gets a reference to a `DomSanitizer` object. */
+  DataFlow::SourceNode domSanitizer() {
+    result.hasUnderlyingType("@angular/platform-browser", "DomSanitizer")
+  }
+
+  /** A value that is about to be promoted to a trusted HTML or CSS value. */
+  private class AngularXssSink extends DomBasedXss::Sink {
+    AngularXssSink() {
+      this =
+        domSanitizer()
+            .getAMethodCall(["bypassSecurityTrustHtml", "bypassSecurityTrustStyle"])
+            .getArgument(0)
+    }
+  }
+
+  /** A value that is about to be promoted to a trusted script value. */
+  private class AngularCodeInjectionSink extends CodeInjection::Sink {
+    AngularCodeInjectionSink() {
+      this = domSanitizer().getAMethodCall(["bypassSecurityTrustScript"]).getArgument(0)
+    }
+  }
+
+  /**
+   * A value that is about to be promoted to a trusted URL or resource URL value.
+   */
+  private class AngularUrlSink extends ClientSideUrlRedirect::Sink {
+    // We mark this as a client URL redirect sink for precision reasons, though its description can be a bit confusing.
+    AngularUrlSink() {
+      this =
+        domSanitizer()
+            .getAMethodCall(["bypassSecurityTrustUrl", "bypassSecurityTrustResourceUrl"])
+            .getArgument(0)
+    }
+  }
+
+  private predicate taintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::CallNode call |
+      call = DataFlow::moduleMember("@angular/router", "convertToParamMap").getACall()
+      or
+      call = router().getAMemberCall(["parseUrl", "serializeUrl"])
+    |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+
+  private class AngularTaintStep extends TaintTracking::AdditionalTaintStep {
+    AngularTaintStep() { taintStep(_, this) }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) { taintStep(pred, succ) }
+  }
+
+  /** Gets a reference to an `HttpClient` object. */
+  DataFlow::SourceNode httpClient() {
+    result.hasUnderlyingType("@angular/common/http", "HttpClient")
+  }
+
+  private class AngularClientRequest extends ClientRequest::Range, DataFlow::MethodCallNode {
+    int argumentOffset;
+
+    AngularClientRequest() {
+      this = httpClient().getAMethodCall("request") and argumentOffset = 1
+      or
+      this = httpClient().getAMethodCall() and
+      not getMethodName() = "request" and
+      argumentOffset = 0
+    }
+
+    override DataFlow::Node getUrl() { result = getArgument(argumentOffset) }
+
+    override DataFlow::Node getHost() { none() }
+
+    override DataFlow::Node getADataNode() {
+      getMethodName() = ["patch", "post", "put"] and
+      result = getArgument(argumentOffset + 1)
+      or
+      result = getOptionArgument(argumentOffset + 1, "body")
+    }
+  }
+
+  private string getInternalName(string name) {
+    exists(Identifier id |
+      result = id.getName() and
+      name = result.regexpCapture("\\u0275(DomAdapter|getDOM)", 1)
+    )
+  }
+
+  /** Gets a reference to a `DomAdapter`, which provides acess to raw DOM elements. */
+  private DataFlow::SourceNode domAdapter() {
+    // Note: these are internal properties, prefixed with the "latin small letter barred O (U+0275)" character.
+    // Despite being internal, some codebases do access them.
+    result.hasUnderlyingType("@angular/common", getInternalName("DomAdapter"))
+    or
+    result = DataFlow::moduleImport("@angular/common").getAMemberCall(getInternalName("getDOM"))
+  }
+
+  /** A reference to the DOM location obtained through `DomAdapter.getLocation()`. */
+  private class DomAdapterLocation extends DOM::LocationSource::Range {
+    DomAdapterLocation() { this = domAdapter().getAMethodCall("getLocation") }
+  }
+}

javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirect.qll

@@ -14,6 +14,11 @@ import UrlConcatenation
 module ClientSideUrlRedirect {
   import ClientSideUrlRedirectCustomizations::ClientSideUrlRedirect
 
+  // Materialize flow labels
+  private class ConcreteDocumentUrl extends DocumentUrl {
+    ConcreteDocumentUrl() { this = this }
+  }
+
   /**
    * A taint-tracking configuration for reasoning about unvalidated URL redirections.
    */

javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll

@@ -6,7 +6,6 @@
 
 import javascript
 import semmle.javascript.security.dataflow.RemoteFlowSources
-private import UrlConcatenation
 
 module ClientSideUrlRedirect {
   private import Xss::DomBasedXss as DomBasedXss
@@ -30,7 +29,7 @@ module ClientSideUrlRedirect {
    * A flow label for values that represent the URL of the current document, and
    * hence are only partially user-controlled.
    */
-  class DocumentUrl extends DataFlow::FlowLabel {
+  abstract class DocumentUrl extends DataFlow::FlowLabel {
     DocumentUrl() { this = "document.url" }
   }
 

javascript/ql/src/semmle/javascript/security/dataflow/InsecureDownload.qll

@@ -14,6 +14,15 @@ import javascript
 module InsecureDownload {
   import InsecureDownloadCustomizations::InsecureDownload
 
+  // Materialize flow labels
+  private class ConcreteSensitiveInsecureURL extends Label::SensitiveInsecureURL {
+    ConcreteSensitiveInsecureURL() { this = this }
+  }
+
+  private class ConcreteInsecureURL extends Label::InsecureURL {
+    ConcreteInsecureURL() { this = this }
+  }
+
   /**
    * A taint tracking configuration for download of sensitive file through insecure connection.
    */

javascript/ql/src/semmle/javascript/security/dataflow/PostMessageStar.qll

@@ -12,6 +12,11 @@ import javascript
 module PostMessageStar {
   import PostMessageStarCustomizations::PostMessageStar
 
+  // Materialize flow labels
+  private class ConcretePartiallyTaintedObject extends PartiallyTaintedObject {
+    ConcretePartiallyTaintedObject() { this = this }
+  }
+
   /**
    * A taint tracking configuration for cross-window communication with unrestricted origin.
    *

javascript/ql/src/semmle/javascript/security/dataflow/PostMessageStarCustomizations.qll

@@ -26,7 +26,7 @@ module PostMessageStar {
   /**
    * A flow label representing an object with at least one tainted property.
    */
-  class PartiallyTaintedObject extends DataFlow::FlowLabel {
+  abstract class PartiallyTaintedObject extends DataFlow::FlowLabel {
     PartiallyTaintedObject() { this = "partially tainted object" }
   }
 

javascript/ql/src/semmle/javascript/security/dataflow/PrototypePollution.qll

@@ -15,6 +15,11 @@ import semmle.javascript.dependencies.SemVer
 module PrototypePollution {
   import PrototypePollutionCustomizations::PrototypePollution
 
+  // Materialize flow labels
+  private class ConcreteTaintedObjectWrapper extends TaintedObjectWrapper {
+    ConcreteTaintedObjectWrapper() { this = this }
+  }
+
   /**
    * A taint tracking configuration for user-controlled objects flowing into deep `extend` calls,
    * leading to prototype pollution.

javascript/ql/src/semmle/javascript/security/dataflow/PrototypePollutionCustomizations.qll

@@ -24,11 +24,13 @@ module PrototypePollution {
    * }
    * ```
    */
-  module TaintedObjectWrapper {
-    private class TaintedObjectWrapper extends DataFlow::FlowLabel {
-      TaintedObjectWrapper() { this = "tainted-object-wrapper" }
-    }
+  abstract class TaintedObjectWrapper extends DataFlow::FlowLabel {
+    TaintedObjectWrapper() { this = "tainted-object-wrapper" }
+  }
 
+  /** Companion module to the `TaintedObjectWrapper` class. */
+  module TaintedObjectWrapper {
+    /** Gets the instance of the `TaintedObjectWrapper` label. */
     TaintedObjectWrapper label() { any() }
   }