Merge pull request #195 from esben-semmle/js/reflected-xss-through-filenames

Approved by asger-semmle

Author: semmle-qlci

change-notes/1.19/analysis-javascript.md

@@ -4,11 +4,15 @@
 
 * Modelling of taint flow through array operations has been improved. This may give additional results for the security queries.
 
+* Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following features:
+  - file system access, for example through [fs-extra](https://github.com/jprichardson/node-fs-extra) or [globby](https://www.npmjs.com/package/globby)
+
+
 ## New queries
 
-| **Query**                   | **Tags**  | **Purpose**                                                        |
-|-----------------------------|-----------|--------------------------------------------------------------------|
-| *@name of query (Query ID)* | *Tags*    |*Aim of the new query and whether it is enabled by default or not*  |
+| **Query**                                     | **Tags**                                             | **Purpose**                                                                                                                                                                 |
+|-----------------------------------------------|------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Stored cross-site scripting (`js/stored-xss`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights uncontrolled stored values flowing into HTML content, indicating a violation of [CWE-079](https://cwe.mitre.org/data/definitions/79.html). Results shown on LGTM by default. |
 
 ## Changes to existing queries
 

javascript/config/suites/javascript/security

@@ -2,6 +2,7 @@
 + semmlecode-javascript-queries/Security/CWE-022/TaintedPath.ql: /Security/CWE/CWE-022
 + semmlecode-javascript-queries/Security/CWE-078/CommandInjection.ql: /Security/CWE/CWE-078
 + semmlecode-javascript-queries/Security/CWE-079/ReflectedXss.ql: /Security/CWE/CWE-079
++ semmlecode-javascript-queries/Security/CWE-079/StoredXss.ql: /Security/CWE/CWE-079
 + semmlecode-javascript-queries/Security/CWE-079/Xss.ql: /Security/CWE/CWE-079
 + semmlecode-javascript-queries/Security/CWE-089/SqlInjection.ql: /Security/CWE/CWE-089
 + semmlecode-javascript-queries/Security/CWE-094/CodeInjection.ql: /Security/CWE/CWE-094

javascript/ql/src/Security/CWE-079/StoredXss.qhelp

@@ -0,0 +1,63 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+	<p>
+
+		Directly using uncontrolled stored value (for example, file names) to
+		create HTML content without properly sanitizing the input first,
+		allows for a cross-site scripting vulnerability.
+
+	</p>
+	<p>
+
+		This kind of vulnerability is also called <i>stored</i> cross-site
+		scripting, to distinguish it from other types of cross-site scripting.
+
+	</p>
+</overview>
+
+<recommendation>
+	<p>
+
+		To guard against cross-site scripting, consider using contextual
+		output encoding/escaping before using uncontrolled stored values to
+		create HTML content, or one of the other solutions that are mentioned
+		in the references.
+
+	</p>
+</recommendation>
+
+<example>
+	<p>
+
+		The following example code writes file names directly to a HTTP
+		response. This leaves the website vulnerable to cross-site scripting,
+		if an attacker can choose the file names on the disk.
+
+	</p>
+	<sample src="examples/StoredXss.js" />
+	<p>
+		Sanitizing the file names prevents the vulnerability:
+	</p>
+	<sample src="examples/StoredXssGood.js" />
+</example>
+
+<references>
+	<li>
+		OWASP:
+		<a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">XSS
+		(Cross Site Scripting) Prevention Cheat Sheet</a>.
+	</li>
+	<li>
+		OWASP
+		<a href="https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting">Types of Cross-Site
+		Scripting</a>.
+	</li>
+	<li>
+		Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
+	</li>
+</references>
+</qhelp>

javascript/ql/src/Security/CWE-079/StoredXss.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Stored cross-site scripting
+ * @description Using uncontrolled stored values in HTML allows for
+ *              a stored cross-site scripting vulnerability.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id js/stored-xss
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.StoredXss::StoredXss
+
+from Configuration xss, DataFlow::Node source, DataFlow::Node sink
+where xss.hasFlow(source, sink)
+select sink, "Stored cross-site scripting vulnerability due to $@.",
+       source, "stored value"

javascript/ql/src/Security/CWE-079/examples/StoredXss.js

@@ -0,0 +1,14 @@
+var express = require('express'),
+    fs = require('fs');
+
+express().get('/list-directory', function(req, res) {
+    fs.readdir('/public', function (error, fileNames) {
+        var list = '<ul>';
+        fileNames.forEach(fileName => {
+            // BAD: `fileName` can contain HTML elements
+            list += '<li>' + fileName '</li>';
+        });
+        list += '</ul>'
+        res.send(list);
+    });
+});

javascript/ql/src/Security/CWE-079/examples/StoredXssGood.js

@@ -0,0 +1,15 @@
+var express = require('express'),
+    fs = require('fs'),
+    escape = require('escape-html');
+
+express().get('/list-directory', function(req, res) {
+    fs.readdir('/public', function (error, fileNames) {
+        var list = '<ul>';
+        fileNames.forEach(fileName => {
+            // GOOD: escaped `fileName` can not contain HTML elements
+            list += '<li>' + escape(fileName) '</li>';
+        });
+        list += '</ul>'
+        res.send(list);
+    });
+});

javascript/ql/src/javascript.qll

@@ -59,6 +59,7 @@ import semmle.javascript.frameworks.Credentials
 import semmle.javascript.frameworks.CryptoLibraries
 import semmle.javascript.frameworks.DigitalOcean
 import semmle.javascript.frameworks.Electron
+import semmle.javascript.frameworks.Files
 import semmle.javascript.frameworks.jQuery
 import semmle.javascript.frameworks.LodashUnderscore
 import semmle.javascript.frameworks.Logging

javascript/ql/src/semmle/javascript/Concepts.qll

@@ -29,6 +29,13 @@ abstract class FileSystemAccess extends DataFlow::Node {
   abstract DataFlow::Node getAPathArgument();
 }
 
+/**
+ * A data flow node that contains a file name or an array of file names from the local file system.
+ */
+abstract class FileNameSource extends DataFlow::Node {
+
+}
+
 /**
  * A data flow node that performs a database access.
  */

javascript/ql/src/semmle/javascript/frameworks/Files.qll

@@ -0,0 +1,103 @@
+/**
+ * Provides classes for working with file system libraries.
+ */
+
+import javascript
+
+/**
+ * A file name from the `walk-sync` library.
+ */
+private class WalkSyncFileNameSource extends FileNameSource {
+
+  WalkSyncFileNameSource() {
+    // `require('walkSync')()`
+    this = DataFlow::moduleImport("walkSync").getACall()
+  }
+
+}
+
+/**
+ * A file name or an array of file names from the `walk` library.
+ */
+private class WalkFileNameSource extends FileNameSource {
+
+  WalkFileNameSource() {
+    // `stats.name` in `require('walk').walk(_).on(_,  (_, stats) => stats.name)`
+    exists (DataFlow::FunctionNode callback |
+      callback = DataFlow::moduleMember("walk", "walk").getACall().getAMethodCall("on").getCallback(1) |
+      this = callback.getParameter(1).getAPropertyRead("name")
+    )
+  }
+
+}
+
+/**
+ * A file name or an array of file names from the `glob` library.
+ */
+private class GlobFileNameSource extends FileNameSource {
+
+  GlobFileNameSource() {
+    exists (string moduleName |
+      moduleName = "glob" |
+      // `require('glob').sync(_)`
+      this = DataFlow::moduleMember(moduleName, "sync").getACall()
+      or
+      // `name` in `require('glob')(_, (e, name) => ...)`
+      this = DataFlow::moduleImport(moduleName).getACall().getCallback([1..2]).getParameter(1)
+      or
+      exists (DataFlow::NewNode instance |
+        instance = DataFlow::moduleMember(moduleName, "Glob").getAnInstantiation() |
+        // `name` in `new require('glob').Glob(_, (e, name) => ...)`
+        this = instance.getCallback([1..2]).getParameter(1) or
+        // `new require('glob').Glob(_).found`
+        this = instance.getAPropertyRead("found")
+      )
+    )
+  }
+
+}
+
+/**
+ * A file name or an array of file names from the `globby` library.
+ */
+private class GlobbyFileNameSource extends FileNameSource {
+
+  GlobbyFileNameSource() {
+    exists (string moduleName |
+      moduleName = "globby" |
+      // `require('globby').sync(_)`
+      this = DataFlow::moduleMember(moduleName, "sync").getACall()
+      or
+      // `files` in `require('globby')(_).then(files => ...)`
+      this = DataFlow::moduleImport(moduleName).getACall().getAMethodCall("then").getCallback(0).getParameter(0)
+    )
+  }
+
+}
+
+/**
+ * A file name or an array of file names from the `fast-glob` library.
+ */
+private class FastGlobFileNameSource extends FileNameSource {
+
+  FastGlobFileNameSource() {
+    exists (string moduleName |
+      moduleName = "fast-glob" |
+      // `require('fast-glob').sync(_)`
+      this = DataFlow::moduleMember(moduleName, "sync").getACall()
+      or
+      exists (DataFlow::SourceNode f |
+        f = DataFlow::moduleImport(moduleName)
+        or
+        f = DataFlow::moduleMember(moduleName, "async") |
+        // `files` in `require('fast-glob')(_).then(files => ...)` and
+        // `files` in `require('fast-glob').async(_).then(files => ...)`
+        this = f.getACall().getAMethodCall("then").getCallback(0).getParameter(0)
+      )
+      or
+      // `file` in `require('fast-glob').stream(_).on(_,  file => ...)`
+      this = DataFlow::moduleMember(moduleName, "stream").getACall().getAMethodCall("on").getCallback(1).getParameter(0)
+    )
+  }
+
+}

javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll

@@ -336,17 +336,26 @@ module NodeJSLib {
     )
   }
 
+  /**
+   * A member `member` from module `fs` or its drop-in replacements `graceful-fs` or `fs-extra`.
+   */
+  private DataFlow::SourceNode fsModuleMember(string member) {
+    exists (string moduleName |
+      moduleName = "fs" or
+      moduleName = "graceful-fs" or
+      moduleName = "fs-extra" |
+      result = DataFlow::moduleMember(moduleName, member)
+    )
+  }
 
   /**
-   * A call to a method from module `fs` or `graceful-fs`.
+   * A call to a method from module `fs`, `graceful-fs` or `fs-extra`.
    */
   private class NodeJSFileSystemAccess extends FileSystemAccess, DataFlow::CallNode {
     string methodName;
 
     NodeJSFileSystemAccess() {
-      exists (string moduleName | this = DataFlow::moduleMember(moduleName, methodName).getACall() |
-        moduleName = "fs" or moduleName = "graceful-fs"
-      )
+      this = fsModuleMember(methodName).getACall()
     }
 
     override DataFlow::Node getAPathArgument() {
@@ -356,6 +365,22 @@ module NodeJSLib {
     }
   }
 
+  /**
+   * A data flow node that contains a file name or an array of file names from the local file system.
+   */
+  private class NodeJSFileNameSource extends FileNameSource {
+
+    NodeJSFileNameSource() {
+      exists (string name |
+        name = "readdir" or
+        name = "realpath" |
+        this = fsModuleMember(name).getACall().getCallback([1..2]).getParameter(1) or
+        this = fsModuleMember(name + "Sync").getACall()
+      )
+    }
+
+  }
+  
   /**
    * A call to a method from module `child_process`.
    */