Merge pull request #1916 from erik-krogh/taintedLength

Approved by asger-semmle, xiemaisi

Author: semmle-qlci

change-notes/1.23/analysis-javascript.md

@@ -14,8 +14,8 @@
 
 | **Query**                                                                 | **Tags**                                                          | **Purpose**                                                                                                                                                                            |
 |---------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Unused index variable (`js/unused-index-variable`)                        | correctness                                                       | Highlights loops that iterate over an array, but do not use the index variable to access array elements, indicating a possible typo or logic error. |
-
+| Unused index variable (`js/unused-index-variable`)                        | correctness                                                       | Highlights loops that iterate over an array, but do not use the index variable to access array elements, indicating a possible typo or logic error. Results are shown on LGTM by default. |
+| Loop bound injection (`js/loop-bound-injection`)                          | security, external/cwe/cwe-834                                      | Highlights loops where a user-controlled object with an arbitrary .length value can trick the server to loop indefinitely. Results are not shown on LGTM by default. |
 
 ## Changes to existing queries
 

javascript/config/suites/javascript/security

@@ -42,6 +42,7 @@
 + semmlecode-javascript-queries/Security/CWE-798/HardcodedCredentials.ql: /Security/CWE/CWE-798
 + semmlecode-javascript-queries/Security/CWE-807/ConditionalBypass.ql: /Security/CWE/CWE-807
 + semmlecode-javascript-queries/Security/CWE-807/DifferentKindsComparisonBypass.ql: /Security/CWE/CWE-807
++ semmlecode-javascript-queries/Security/CWE-834/LoopBoundInjection.ql: /Security/CWE/CWE-834
 + semmlecode-javascript-queries/Security/CWE-843/TypeConfusionThroughParameterTampering.ql: /Security/CWE/CWE-834
 + semmlecode-javascript-queries/Security/CWE-916/InsufficientPasswordHash.ql: /Security/CWE/CWE-916
 + semmlecode-javascript-queries/Security/CWE-918/RequestForgery.ql: /Security/CWE/CWE-918

javascript/ql/src/Security/CWE-834/LoopBoundInjection.qhelp

@@ -0,0 +1,46 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+	<p>
+		Using the <code>.length</code> property of an untrusted object as a loop bound may
+		cause indefinite looping since a malicious attacker can set the
+		<code>.length</code> property to a very large number. For example, 
+		when a program that expects an array is passed a JSON object such as
+		<code>{length: 1e100}</code>, the loop will be run for 10<sup>100</sup>
+		iterations. This may cause the program to hang or run out of memory, 
+		which can be used to mount a denial-of-service (DoS) attack.
+	</p>
+</overview>
+
+<recommendation>
+	<p>
+		Either check that the object is indeed an array or limit the
+		size of the <code>.length</code> property.
+	</p>
+</recommendation>
+
+<example>
+	<p>
+		In the example below, an HTTP request handler iterates over a 
+		user-controlled object <code>obj</code> using the
+		<code>obj.length</code> property in order to copy the elements from
+		<code>obj</code> to an array.
+	</p>
+
+	<sample src="examples/LoopBoundInjection.js" />
+
+	<p>
+		This is not secure since an attacker can control the value of
+		<code>obj.length</code>, and thereby cause the loop to iterate
+		indefinitely. Here the potential DoS is fixed by enforcing that
+		the user-controlled object is an array.
+	</p>
+
+	<sample src="examples/LoopBoundInjection_fixed.js" />
+</example>
+
+<references></references>
+</qhelp>

javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Loop bound injection
+ * @description Iterating over an object with a user-controlled .length
+ *              property can cause indefinite looping.
+ * @kind path-problem
+ * @problem.severity warning
+ * @id js/loop-bound-injection
+ * @tags security
+ *       external/cwe/cwe-834
+ * @precision medium
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.LoopBoundInjection::LoopBoundInjection
+import DataFlow::PathGraph
+
+from Configuration dataflow, DataFlow::PathNode source, DataFlow::PathNode sink
+where dataflow.hasFlowPath(source, sink)
+select sink, source, sink,
+  "Iterating over user-controlled object with a potentially unbounded .length property from $@.",
+  source, "here"

javascript/ql/src/Security/CWE-834/examples/LoopBoundInjection.js

@@ -0,0 +1,13 @@
+var express = require('express');
+var app = express();
+
+app.post("/foo", (req, res) => {
+    var obj = req.body;
+
+    var ret = [];
+
+    // Potential DoS if obj.length is large.
+    for (var i = 0; i < obj.length; i++) {
+        ret.push(obj[i]);
+    }
+});

javascript/ql/src/Security/CWE-834/examples/LoopBoundInjection_fixed.js

@@ -0,0 +1,16 @@
+var express = require('express');
+var app = express();
+
+app.post("/foo", (req, res) => {
+    var obj = req.body;
+    
+    if (!(obj instanceof Array)) { // Prevents DoS.
+        return [];
+    }
+
+    var ret = [];
+
+    for (var i = 0; i < obj.length; i++) {
+        ret.push(obj[i]);
+    }
+});

javascript/ql/src/semmle/javascript/security/dataflow/LoopBoundInjection.qll

@@ -0,0 +1,43 @@
+/**
+ * Provides a taint tracking configuration for reasoning about DoS attacks
+ * using a user-controlled object with an unbounded .length property.
+ *
+ * Note, for performance reasons: only import this file if
+ * `LoopBoundInjection::Configuration` is needed, otherwise
+ * `LoopBoundInjectionCustomizations` should be imported instead.
+ */
+
+import javascript
+import semmle.javascript.security.TaintedObject
+
+module LoopBoundInjection {
+  import LoopBoundInjectionCustomizations::LoopBoundInjection
+
+  /**
+   * A taint tracking configuration for reasoning about looping on tainted objects with unbounded length.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "LoopBoundInjection" }
+
+    override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+      source instanceof Source and label = TaintedObject::label()
+    }
+
+    override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+      sink instanceof Sink and label = TaintedObject::label()
+    }
+
+    override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+      guard instanceof TaintedObject::SanitizerGuard or
+      guard instanceof IsArraySanitizerGuard or
+      guard instanceof InstanceofArraySanitizerGuard or
+      guard instanceof LengthCheckSanitizerGuard
+    }
+
+    override predicate isAdditionalFlowStep(
+      DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
+    ) {
+      TaintedObject::step(src, trg, inlbl, outlbl)
+    }
+  }
+}