Add ElectronShellOpenExternalSink class

toufik-airane · toufik-airane · commit e87790b82842 · 2020-10-23T15:41:03.000+02:00
Add ElectronShellOpenExternalSink class to detect untrusted input interpreted by `openExternal` function call in `electron` module. Based on the #14 Electron Security checklist: https://www.electronjs.org/docs/tutorial/security#14-do-not-use-openexternal-with-untrusted-content
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -138,4 +138,15 @@ module CodeInjection {
         API::moduleImport("module").getInstance().getMember("_compile").getACall().getArgument(0)
     }
   }
+
+  /**
+   * Improper use of openExternal can be leveraged to compromise the user's host.
+   * When openExternal is used with untrusted content, it can be leveraged to execute arbitrary commands.
+   */
+  class ElectronShellOpenExternalSink extends Sink {
+    ElectronShellOpenExternalSink() {
+      this =
+        DataFlow::moduleMember("electron", "shell").getAMemberCall("openExternal").getArgument(0)
+    }
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -138,4 +138,15 @@ module CodeInjection {`
`138`	`138`	`API::moduleImport("module").getInstance().getMember("_compile").getACall().getArgument(0)`
`139`	`139`	`}`
`140`	`140`	`}`
	`141`	`+`
	`142`	`+ /**`
	`143`	`+ * Improper use of openExternal can be leveraged to compromise the user's host.`
	`144`	`+ * When openExternal is used with untrusted content, it can be leveraged to execute arbitrary commands.`
	`145`	`+ */`
	`146`	`+ class ElectronShellOpenExternalSink extends Sink {`
	`147`	`+ ElectronShellOpenExternalSink() {`
	`148`	`+ this =`
	`149`	`+ DataFlow::moduleMember("electron", "shell").getAMemberCall("openExternal").getArgument(0)`
	`150`	`+ }`
	`151`	`+ }`
`141`	`152`	`}`