Merge pull request #230 from esben-semmle/js/ad-hoc-whitelisting

semmle-qlci · web-flow · commit a93939b8270b · 2018-09-26T14:14:25.000+01:00
Approved by xiemaisi
diff --git a/change-notes/1.19/analysis-javascript.md b/change-notes/1.19/analysis-javascript.md
@@ -4,6 +4,8 @@
 
 * Modelling of taint flow through array operations has been improved. This may give additional results for the security queries.
 
+* The taint tracking library now recognizes additional sanitization patterns. This may give fewer false-positive results for the security queries.
+
 * Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following features:
   - file system access, for example through [fs-extra](https://github.com/jprichardson/node-fs-extra) or [globby](https://www.npmjs.com/package/globby)
 
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -614,6 +614,26 @@ module TaintTracking {
 
   }
 
+  /**
+   * A check of the form `if(<isWhitelisted>(x))`, which sanitizes `x` in its "then" branch.
+   *
+   * `<isWhitelisted>` is a call with callee name 'safe', 'whitelist', 'allow', or similar.
+   *
+   * This sanitizer is not enabled by default.
+   */
+  class AdHocWhitelistCheckSanitizer extends SanitizerGuardNode, DataFlow::CallNode {
+    AdHocWhitelistCheckSanitizer() {
+      getCalleeName().regexpMatch("(?i).*((?<!un)safe|whitelist|allow|(?<!un)auth(?!or\\b)).*") and
+      getNumArgument() = 1
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) {
+      outcome = true and
+      e = getArgument(0).asExpr()
+    }
+
+  }
+
   /** A check of the form `if(x in o)`, which sanitizes `x` in its "then" branch. */
   class InSanitizer extends AdditionalSanitizerGuardNode, DataFlow::ValueNode {
 
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentials.qll b/javascript/ql/src/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentials.qll
@@ -49,6 +49,11 @@ module CorsMisconfigurationForCredentials {
       super.isSanitizer(node) or
       node instanceof Sanitizer
     }
+
+    override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+      guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer
+    }
+
   }
 
   /** A source of remote user input, considered as a flow source for CORS misconfiguration. */
diff --git a/javascript/ql/test/library-tests/TaintBarriers/ExampleConfiguration.qll b/javascript/ql/test/library-tests/TaintBarriers/ExampleConfiguration.qll
@@ -23,4 +23,9 @@ class ExampleConfiguration extends TaintTracking::Configuration {
     )
   }
 
+  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+    // add additional generic sanitizers
+    guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer
+  }
+
 }
diff --git a/javascript/ql/test/library-tests/TaintBarriers/SanitizingGuard.expected b/javascript/ql/test/library-tests/TaintBarriers/SanitizingGuard.expected
@@ -36,3 +36,5 @@
 | tst.js:214:9:214:24 | o.indexOf(v) < 0 | ExampleConfiguration | false | tst.js:214:19:214:19 | v |
 | tst.js:220:9:220:25 | o.indexOf(v) > -1 | ExampleConfiguration | true | tst.js:220:19:220:19 | v |
 | tst.js:226:9:226:26 | -1 >= o.indexOf(v) | ExampleConfiguration | false | tst.js:226:25:226:25 | v |
+| tst.js:236:9:236:24 | isWhitelisted(v) | ExampleConfiguration | true | tst.js:236:23:236:23 | v |
+| tst.js:240:9:240:28 | config.allowValue(v) | ExampleConfiguration | true | tst.js:240:27:240:27 | v |
diff --git a/javascript/ql/test/library-tests/TaintBarriers/TaintedSink.expected b/javascript/ql/test/library-tests/TaintBarriers/TaintedSink.expected
@@ -34,3 +34,5 @@
 | tst.js:215:14:215:14 | v | tst.js:199:13:199:20 | SOURCE() |
 | tst.js:223:14:223:14 | v | tst.js:199:13:199:20 | SOURCE() |
 | tst.js:227:14:227:14 | v | tst.js:199:13:199:20 | SOURCE() |
+| tst.js:239:14:239:14 | v | tst.js:235:13:235:20 | SOURCE() |
+| tst.js:243:14:243:14 | v | tst.js:235:13:235:20 | SOURCE() |
diff --git a/javascript/ql/test/library-tests/TaintBarriers/isBarrier.expected b/javascript/ql/test/library-tests/TaintBarriers/isBarrier.expected
@@ -29,3 +29,5 @@
 | tst.js:217:14:217:14 | v | ExampleConfiguration |
 | tst.js:221:14:221:14 | v | ExampleConfiguration |
 | tst.js:229:14:229:14 | v | ExampleConfiguration |
+| tst.js:237:14:237:14 | v | ExampleConfiguration |
+| tst.js:241:14:241:14 | v | ExampleConfiguration |
diff --git a/javascript/ql/test/library-tests/TaintBarriers/tst.js b/javascript/ql/test/library-tests/TaintBarriers/tst.js
@@ -230,3 +230,16 @@ function RelationalIndexOfCheckSanitizer () {
     }
 
 }
+
+function adhocWhitelisting() {
+    var v = SOURCE();
+    if (isWhitelisted(v))
+        SINK(v);
+    else
+        SINK(v);
+    if (config.allowValue(v))
+        SINK(v);
+    else
+        SINK(v);
+
+}

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,11 @@ module CorsMisconfigurationForCredentials {`
`49`	`49`	`super.isSanitizer(node) or`
`50`	`50`	`node instanceof Sanitizer`
`51`	`51`	`}`
	`52`	`+`
	`53`	`+ override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {`
	`54`	`+ guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer`
	`55`	`+ }`
	`56`	`+`
`52`	`57`	`}`
`53`	`58`
`54`	`59`	`/** A source of remote user input, considered as a flow source for CORS misconfiguration. */`
Original file line number	Diff line number	Diff line change
`@@ -23,4 +23,9 @@ class ExampleConfiguration extends TaintTracking::Configuration {`
`23`	`23`	`)`
`24`	`24`	`}`
`25`	`25`
	`26`	`+ override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {`
	`27`	`+ // add additional generic sanitizers`
	`28`	`+ guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer`
	`29`	`+ }`
	`30`	`+`
`26`	`31`	`}`