Merge pull request #2429 from erik-krogh/typeAheadSink

Approved by esbena

Author: semmle-qlci

change-notes/1.24/analysis-javascript.md

@@ -4,6 +4,7 @@
 
 * Support for the following frameworks and libraries has been improved:
   - [react](https://www.npmjs.com/package/react)
+  - [typeahead.js](https://www.npmjs.com/package/typeahead.js)
   - [Handlebars](https://www.npmjs.com/package/handlebars)
 
 - Imports with the `.js` extension can now be resolved to a TypeScript file,
@@ -26,3 +27,4 @@
 ## Changes to libraries
 
 * The predicates `RegExpTerm.getSuccessor` and `RegExpTerm.getPredecessor` have been changed to reflect textual, not operational, matching order. This only makes a difference in lookbehind assertions, which are operationally matched backwards. Previously, `getSuccessor` would mimick this, so in an assertion `(?<=ab)` the term `b` would be considered the predecessor, not the successor, of `a`. Textually, however, `a` is still matched before `b`, and this is the order we now follow.
+

javascript/ql/src/javascript.qll

@@ -92,6 +92,7 @@ import semmle.javascript.frameworks.SQL
 import semmle.javascript.frameworks.SocketIO
 import semmle.javascript.frameworks.StringFormatters
 import semmle.javascript.frameworks.TorrentLibraries
+import semmle.javascript.frameworks.Typeahead
 import semmle.javascript.frameworks.UriLibraries
 import semmle.javascript.frameworks.Vue
 import semmle.javascript.frameworks.XmlParsers

javascript/ql/src/semmle/javascript/frameworks/Typeahead.qll

@@ -0,0 +1,135 @@
+/**
+ * Provides classes for working with typeahead.js code (https://www.npmjs.com/package/typeahead.js).
+ */
+
+import javascript
+
+module Typeahead {
+  /**
+   * A reference to the Bloodhound class, which is a utility-class for generating auto-complete suggestions.
+   */
+  private class Bloodhound extends DataFlow::SourceNode {
+    Bloodhound() {
+      this = DataFlow::moduleImport("typeahead.js/dist/bloodhound.js")
+      or
+      this = DataFlow::moduleImport("bloodhound-js")
+      or
+      this.accessesGlobal("Bloodhound")
+    }
+  }
+
+  /**
+   * An instance of the Bloodhound class.
+   */
+  private class BloodhoundInstance extends DataFlow::NewNode {
+    BloodhoundInstance() { this = any(Bloodhound b).getAnInstantiation() }
+  }
+
+  /**
+   * An instance of of the Bloodhound class that is used to fetch data from a remote server.
+   */
+  private class RemoteBloodhoundClientRequest extends ClientRequest::Range, BloodhoundInstance {
+    DataFlow::ValueNode option;
+
+    RemoteBloodhoundClientRequest() {
+      exists(string optionName | optionName = "remote" or optionName = "prefetch" |
+        option = this.getOptionArgument(0, optionName)
+      )
+    }
+
+    /**
+     * Gets the URL for this Bloodhound instance.
+     * The Bloodhound API specifies that the "remote" and "prefetch" options are either strings,
+     * or an object containing an "url" property.
+     */
+    override DataFlow::Node getUrl() {
+      result = option.getALocalSource().getAPropertyWrite("url").getRhs()
+      or
+      result = option
+    }
+
+    override DataFlow::Node getHost() { none() }
+
+    override DataFlow::Node getADataNode() { none() }
+
+    /** Gets a Bloodhound instance that fetches remote server data. */
+    private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
+      t.start() and result = this
+      or
+      exists(DataFlow::TypeTracker t2 | result = ref(t2).track(t2, t))
+    }
+
+    /** Gets a Bloodhound instance that fetches remote server data. */
+    private DataFlow::SourceNode ref() { result = ref(DataFlow::TypeTracker::end()) }
+
+    override DataFlow::Node getAResponseDataNode(string responseType, boolean promise) {
+      responseType = "json" and
+      promise = false and
+      exists(TypeaheadSource source |
+        ref() = source.getALocalSource() or ref().getAMethodCall("ttAdapter") = source
+      |
+        result = source.getASuggestion()
+      )
+    }
+  }
+
+  /**
+   * An invocation of the `typeahead.js` library.
+   */
+  private class TypeaheadCall extends DataFlow::CallNode {
+    TypeaheadCall() {
+      // Matches `$(...).typeahead(..)`
+      this = JQuery::objectRef().getAMethodCall("typeahead")
+    }
+  }
+
+  /**
+   * A function that generates suggestions to typeahead.js.
+   */
+  class TypeaheadSuggestionFunction extends DataFlow::FunctionNode {
+    TypeaheadCall typeaheadCall;
+
+    TypeaheadSuggestionFunction() {
+      // Matches `$(...).typeahead({..}, { templates: { suggestion: <this> } })`.
+      this = typeaheadCall
+            .getOptionArgument(1, "templates")
+            .getALocalSource()
+            .getAPropertyWrite("suggestion")
+            .getRhs()
+            .getAFunctionValue()
+    }
+
+    /**
+     * Gets the call to typeahead.js where this suggestion function is used.
+     */
+    TypeaheadCall getTypeaheadCall() { result = typeaheadCall }
+  }
+
+  /**
+   * A `source` option for a typeahead.js plugin instance.
+   */
+  private class TypeaheadSource extends DataFlow::ValueNode {
+    TypeaheadCall typeaheadCall;
+
+    TypeaheadSource() { this = typeaheadCall.getOptionArgument(1, "source") }
+
+    /** Gets a node for a suggestion that this source motivates. */
+    DataFlow::Node getASuggestion() {
+      exists(TypeaheadSuggestionFunction suggestionCallback |
+        suggestionCallback.getTypeaheadCall() = typeaheadCall and
+        result = suggestionCallback.getParameter(0)
+      )
+    }
+  }
+
+  /**
+   * A taint step that models that a function in the `source` of typeahead.js is used to determine the input to the suggestion function.
+   */
+  private class TypeaheadSourceTaintStep extends TypeaheadSource, TaintTracking::AdditionalTaintStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      // Matches `$(...).typeahead({..}, {source: function(q, cb) {..;cb(<pred>);..}, templates: { suggestion: function(<succ>) {} } })`.
+      pred = this.getAFunctionValue().getParameter([1 .. 2]).getACall().getAnArgument() and
+      succ = this.getASuggestion()
+    }
+  }
+}

javascript/ql/src/semmle/javascript/security/dataflow/Xss.qll

@@ -96,6 +96,8 @@ module DomBasedXss {
         this = mcn.getArgument(1)
       )
       or
+      this = any(Typeahead::TypeaheadSuggestionFunction f).getAReturn()
+      or
       this = any(Handlebars::SafeString s).getAnArgument()
     }
   }

javascript/ql/test/library-tests/frameworks/typeahead/test.expected

@@ -0,0 +1,8 @@
+url
+| tst.js:3:14:5:6 | {\\n\\t     ... \\n\\t    } |
+| tst.js:4:15:4:52 | '/api/d ... %QUERY' |
+| tst.js:8:16:8:29 | searchIndexUrl |
+response
+| json | false | tst.js:15:35:15:46 | taintedParam |
+suggestionFunction
+| tst.js:15:25:17:4 | functio ... \\n\\t\\n\\t\\t\\t} |

javascript/ql/test/library-tests/frameworks/typeahead/test.ql

@@ -0,0 +1,13 @@
+import javascript
+
+query DataFlow::Node url() {
+   result = any(ClientRequest r).getUrl()	
+}
+
+query DataFlow::Node response(string responseType, boolean promise) {
+   result = any(ClientRequest r).getAResponseDataNode(responseType, promise)	
+}
+
+query DataFlow::Node suggestionFunction() {
+  result = any(Typeahead::TypeaheadSuggestionFunction t)	
+}

javascript/ql/test/library-tests/frameworks/typeahead/tst.js

@@ -0,0 +1,20 @@
+(function () {
+	var foo = new Bloodhound({
+	    remote: {
+	        url: '/api/destinations/search?text=%QUERY'
+	    }
+	});
+	var bar = new Bloodhound({
+	    prefetch: searchIndexUrl
+	});
+	
+	$('.typeahead').typeahead({}, {
+        name: 'prefetchedCities',
+        source: bar.ttAdapter(),
+        templates: {
+            suggestion: function (taintedParam) {
+	
+			},
+        }
+    });
+})();

javascript/ql/test/query-tests/Security/CWE-079/Xss.expected

@@ -331,6 +331,14 @@ nodes
 | tst.js:313:35:313:42 | location |
 | tst.js:313:35:313:42 | location |
 | tst.js:313:35:313:42 | location |
+| typeahead.js:20:13:20:45 | target |
+| typeahead.js:20:22:20:38 | document.location |
+| typeahead.js:20:22:20:38 | document.location |
+| typeahead.js:20:22:20:45 | documen ... .search |
+| typeahead.js:21:12:21:17 | target |
+| typeahead.js:24:30:24:32 | val |
+| typeahead.js:25:18:25:20 | val |
+| typeahead.js:25:18:25:20 | val |
 | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location |
@@ -630,6 +638,13 @@ edges
 | tst.js:307:10:307:10 | e | tst.js:308:20:308:20 | e |
 | tst.js:307:10:307:10 | e | tst.js:308:20:308:20 | e |
 | tst.js:313:35:313:42 | location | tst.js:313:35:313:42 | location |
+| typeahead.js:20:13:20:45 | target | typeahead.js:21:12:21:17 | target |
+| typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
+| typeahead.js:20:22:20:38 | document.location | typeahead.js:20:22:20:45 | documen ... .search |
+| typeahead.js:20:22:20:45 | documen ... .search | typeahead.js:20:13:20:45 | target |
+| typeahead.js:21:12:21:17 | target | typeahead.js:24:30:24:32 | val |
+| typeahead.js:24:30:24:32 | val | typeahead.js:25:18:25:20 | val |
+| typeahead.js:24:30:24:32 | val | typeahead.js:25:18:25:20 | val |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
 | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted |
@@ -721,6 +736,7 @@ edges
 | tst.js:300:20:300:20 | e | tst.js:298:9:298:16 | location | tst.js:300:20:300:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:298:9:298:16 | location | user-provided value |
 | tst.js:308:20:308:20 | e | tst.js:305:10:305:17 | location | tst.js:308:20:308:20 | e | Cross-site scripting vulnerability due to $@. | tst.js:305:10:305:17 | location | user-provided value |
 | tst.js:313:35:313:42 | location | tst.js:313:35:313:42 | location | tst.js:313:35:313:42 | location | Cross-site scripting vulnerability due to $@. | tst.js:313:35:313:42 | location | user-provided value |
+| typeahead.js:25:18:25:20 | val | typeahead.js:20:22:20:38 | document.location | typeahead.js:25:18:25:20 | val | Cross-site scripting vulnerability due to $@. | typeahead.js:20:22:20:38 | document.location | user-provided value |
 | v-html.vue:2:8:2:23 | v-html=tainted | v-html.vue:6:42:6:58 | document.location | v-html.vue:2:8:2:23 | v-html=tainted | Cross-site scripting vulnerability due to $@. | v-html.vue:6:42:6:58 | document.location | user-provided value |
 | winjs.js:3:43:3:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:3:43:3:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |
 | winjs.js:4:43:4:49 | tainted | winjs.js:2:17:2:33 | document.location | winjs.js:4:43:4:49 | tainted | Cross-site scripting vulnerability due to $@. | winjs.js:2:17:2:33 | document.location | user-provided value |