Merge pull request #5378 from asgerf/js/meta-problem-queries

codeql-ci · web-flow · commit c08230ce1e5f · 2021-03-16T03:58:12.000-07:00
Approved by esbena
diff --git a/javascript/ql/src/meta/alerts/CallGraph.ql b/javascript/ql/src/meta/alerts/CallGraph.ql
@@ -0,0 +1,15 @@
+/**
+ * @name Call graph
+ * @description An edge in the call graph.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id js/meta/alerts/call-graph
+ * @tags meta
+ * @precision very-low
+ */
+
+import javascript
+
+from DataFlow::InvokeNode invoke, Function f
+where invoke.getACallee() = f
+select invoke, "Call to $@", f, f.describe()
diff --git a/javascript/ql/src/meta/alerts/TaintSinks.ql b/javascript/ql/src/meta/alerts/TaintSinks.ql
@@ -0,0 +1,15 @@
+/**
+ * @name Taint sinks
+ * @description Sinks that are sensitive to untrusted data.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id js/meta/alerts/taint-sinks
+ * @tags meta
+ * @precision very-low
+ */
+
+import javascript
+import meta.internal.TaintMetrics
+
+from string kind
+select relevantTaintSink(kind), kind + " sink"
diff --git a/javascript/ql/src/meta/alerts/TaintSources.ql b/javascript/ql/src/meta/alerts/TaintSources.ql
@@ -0,0 +1,23 @@
+/**
+ * @name Taint sources
+ * @description Sources of untrusted input.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id js/meta/alerts/taint-sources
+ * @tags meta
+ * @precision very-low
+ */
+
+import javascript
+import meta.internal.TaintMetrics
+
+string getName(DataFlow::Node node) {
+  result = node.(RemoteFlowSource).getSourceType()
+  or
+  not node instanceof RemoteFlowSource and
+  result = "Taint source"
+}
+
+from DataFlow::Node node
+where node = relevantTaintSource()
+select node, getName(node)
diff --git a/javascript/ql/src/meta/alerts/TaintedNodes.ql b/javascript/ql/src/meta/alerts/TaintedNodes.ql
@@ -0,0 +1,31 @@
+/**
+ * @name Tainted expressions
+ * @description The number of expressions reachable from a remote flow source
+ *              via default taint-tracking steps.
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags meta
+ * @id js/meta/alerts/tainted-nodes
+ * @precision very-low
+ */
+
+import javascript
+import meta.internal.TaintMetrics
+
+class BasicTaintConfiguration extends TaintTracking::Configuration {
+  BasicTaintConfiguration() { this = "BasicTaintConfiguration" }
+
+  override predicate isSource(DataFlow::Node node) { node = relevantTaintSource() }
+
+  override predicate isSink(DataFlow::Node node) {
+    // To reduce noise from synthetic nodes, only count value nodes
+    node instanceof DataFlow::ValueNode and
+    not node.getFile() instanceof IgnoredFile
+  }
+}
+
+// Avoid linking to the source as this would upset the statistics: nodes reachable
+// from multiple sources would be counted multilpe times, and that's not what we intend to measure.
+from DataFlow::Node node
+where any(BasicTaintConfiguration cfg).hasFlow(_, node)
+select node, "Tainted node"
diff --git a/javascript/ql/src/meta/analysis-quality/SanitizersReachableFromSource.ql b/javascript/ql/src/meta/analysis-quality/SanitizersReachableFromSource.ql
@@ -9,7 +9,7 @@
  */
 
 import javascript
-import TaintMetrics
+import meta.internal.TaintMetrics
 
 class BasicTaintConfiguration extends TaintTracking::Configuration {
   BasicTaintConfiguration() { this = "BasicTaintConfiguration" }
diff --git a/javascript/ql/src/meta/analysis-quality/SinksReachableFromSanitizer.ql b/javascript/ql/src/meta/analysis-quality/SinksReachableFromSanitizer.ql
@@ -9,7 +9,7 @@
  */
 
 import javascript
-import TaintMetrics
+import meta.internal.TaintMetrics
 
 class BasicTaintConfiguration extends TaintTracking::Configuration {
   BasicTaintConfiguration() { this = "BasicTaintConfiguration" }
diff --git a/javascript/ql/src/meta/analysis-quality/TaintSinks.ql b/javascript/ql/src/meta/analysis-quality/TaintSinks.ql
@@ -9,6 +9,6 @@
  */
 
 import javascript
-import TaintMetrics
+import meta.internal.TaintMetrics
 
 select projectRoot(), count(relevantTaintSink())
diff --git a/javascript/ql/src/meta/analysis-quality/TaintSources.ql b/javascript/ql/src/meta/analysis-quality/TaintSources.ql
@@ -9,6 +9,6 @@
  */
 
 import javascript
-import TaintMetrics
+import meta.internal.TaintMetrics
 
 select projectRoot(), count(relevantTaintSource())
diff --git a/javascript/ql/src/meta/analysis-quality/TaintedNodes.ql b/javascript/ql/src/meta/analysis-quality/TaintedNodes.ql
@@ -10,7 +10,7 @@
  */
 
 import javascript
-import TaintMetrics
+import meta.internal.TaintMetrics
 
 class BasicTaintConfiguration extends TaintTracking::Configuration {
   BasicTaintConfiguration() { this = "BasicTaintConfiguration" }
diff --git a/javascript/ql/src/meta/internal/TaintMetrics.qll b/javascript/ql/src/meta/internal/TaintMetrics.qll
@@ -31,29 +31,49 @@ private import semmle.javascript.security.dataflow.ZipSlipCustomizations
  * Examples of excluded queries:
  * - UnsafeDynamicMethodAccess: high severity (RCE) but has way too many sinks (every callee).
  * - ClearTextLogging: not severe enough relative to number of sinks.
+ *
+ * `kind` is bound to the name of the module containing the query sinks.
  */
-DataFlow::Node relevantTaintSink() {
+DataFlow::Node relevantTaintSink(string kind) {
   not result.getFile() instanceof IgnoredFile and
   (
-    result instanceof ClientSideUrlRedirect::Sink or
-    result instanceof CodeInjection::Sink or
-    result instanceof CommandInjection::Sink or
-    result instanceof Xss::Shared::Sink or
-    result instanceof NosqlInjection::Sink or
-    result instanceof PrototypePollution::Sink or
-    result instanceof RegExpInjection::Sink or
-    result instanceof RequestForgery::Sink or
-    result instanceof ServerSideUrlRedirect::Sink or
-    result instanceof SqlInjection::Sink or
-    result instanceof TaintedPath::Sink or
-    result instanceof UnsafeDeserialization::Sink or
-    result instanceof XmlBomb::Sink or
-    result instanceof XpathInjection::Sink or
-    result instanceof Xxe::Sink or
-    result instanceof ZipSlip::Sink
+    kind = "ClientSideUrlRedirect" and result instanceof ClientSideUrlRedirect::Sink
+    or
+    kind = "CodeInjection" and result instanceof CodeInjection::Sink
+    or
+    kind = "CommandInjection" and result instanceof CommandInjection::Sink
+    or
+    kind = "Xss" and result instanceof Xss::Shared::Sink
+    or
+    kind = "NosqlInjection" and result instanceof NosqlInjection::Sink
+    or
+    kind = "PrototypePollution" and result instanceof PrototypePollution::Sink
+    or
+    kind = "RegExpInjection" and result instanceof RegExpInjection::Sink
+    or
+    kind = "RequestForgery" and result instanceof RequestForgery::Sink
+    or
+    kind = "ServerSideUrlRedirect" and result instanceof ServerSideUrlRedirect::Sink
+    or
+    kind = "SqlInjection" and result instanceof SqlInjection::Sink
+    or
+    kind = "TaintedPath" and result instanceof TaintedPath::Sink
+    or
+    kind = "UnsafeDeserialization" and result instanceof UnsafeDeserialization::Sink
+    or
+    kind = "XmlBomb" and result instanceof XmlBomb::Sink
+    or
+    kind = "XpathInjection" and result instanceof XpathInjection::Sink
+    or
+    kind = "Xxe" and result instanceof Xxe::Sink
+    or
+    kind = "ZipSlip" and result instanceof ZipSlip::Sink
   )
 }
 
+/** Gets a relevant taint sink. See `relevantTaintSink/1` for more information. */
+DataFlow::Node relevantTaintSink() { result = relevantTaintSink(_) }
+
 /**
  * Gets a remote flow source or `document.location` source.
  */
