JS: model URI and XHR methods from closure library

asger-semmle · asger-semmle · commit f6e0ccfcf0cf · 2019-02-08T15:18:27.000Z
diff --git a/javascript/ql/src/semmle/javascript/Closure.qll b/javascript/ql/src/semmle/javascript/Closure.qll
@@ -198,7 +198,5 @@ module Closure {
   /**
    * Gets a dataflow node that refers to the given value exported from a Closure module.
    */
-  DataFlow::SourceNode moduleImport(string moduleName) {
-    getLibraryAccessPath(result) = moduleName
-  }
+  DataFlow::SourceNode moduleImport(string moduleName) { getLibraryAccessPath(result) = moduleName }
 }
diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -240,11 +240,38 @@ private class SuperAgentUrlRequest extends CustomClientRequest {
  * A model of a URL request made using the `XMLHttpRequest` browser class.
  */
 private class XMLHttpRequest extends CustomClientRequest {
-  XMLHttpRequest() { this = DataFlow::globalVarRef("XMLHttpRequest").getAnInstantiation() }
+  XMLHttpRequest() {
+    this = DataFlow::globalVarRef("XMLHttpRequest").getAnInstantiation()
+    or
+    // closure shim for XMLHttpRequest
+    this = Closure::moduleImport("goog.net.XmlHttp").getAnInstantiation()
+  }
 
   override DataFlow::Node getUrl() { result = getAMethodCall("open").getArgument(1) }
 
   override DataFlow::Node getHost() { none() }
 
   override DataFlow::Node getADataNode() { result = getAMethodCall("send").getArgument(0) }
 }
+
+/**
+ * A model of a URL request made using the `XhrIo` class from the closure library.
+ */
+private class ClosureXhrIoRequest extends CustomClientRequest {
+  ClosureXhrIoRequest() {
+    exists(DataFlow::SourceNode xhrIo | xhrIo = Closure::moduleImport("goog.net.XhrIo") |
+      this = xhrIo.getAMethodCall("send")
+      or
+      this = xhrIo.getAnInstantiation().getAMethodCall("send")
+    )
+  }
+
+  override DataFlow::Node getUrl() { result = getArgument(0) }
+
+  override DataFlow::Node getHost() { none() }
+
+  override DataFlow::Node getADataNode() {
+    result = getArgument(2) or
+    result = getArgument(3)
+  }
+}
diff --git a/javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll b/javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll
@@ -309,3 +309,88 @@ module querystring {
     override predicate step(DataFlow::Node pred, DataFlow::Node succ) { pred = src and succ = this }
   }
 }
+
+/**
+ * Provides steps for the `goog.Uri` class in the closure library.
+ */
+private module ClosureLibraryUri {
+  /**
+   * Taint step from an argument of a `goog.Uri` call to the return value.
+   */
+  private class ArgumentStep extends UriLibraryStep, DataFlow::InvokeNode {
+    int arg;
+
+    ArgumentStep() {
+      // goog.Uri constructor
+      this = Closure::moduleImport("goog.Uri").getAnInstantiation() and arg = 0
+      or
+      // static methods on goog.Uri
+      exists(string name | this = Closure::moduleImport("goog.Uri." + name).getACall() |
+        name = "parse" and arg = 0
+        or
+        name = "create" and
+        (arg = 0 or arg = 2 or arg = 4)
+        or
+        name = "resolve" and
+        (arg = 0 or arg = 1)
+      )
+      or
+      // static methods in goog.uri.utils
+      arg = 0 and
+      exists(string name | this = Closure::moduleImport("goog.uri.utils." + name).getACall() |
+        name = "appendParam" or // preserve taint from the original URI, but not from the appended param
+        name = "appendParams" or
+        name = "appendParamsFromMap" or
+        name = "appendPath" or
+        name = "getParamValue" or
+        name = "getParamValues" or
+        name = "getPath" or
+        name = "getPathAndAfter" or
+        name = "getQueryData" or
+        name = "parseQueryData" or
+        name = "removeFragment" or
+        name = "removeParam" or
+        name = "setParam" or
+        name = "setParamsFromMap" or
+        name = "setPath" or
+        name = "split"
+      )
+    }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      pred = getArgument(arg) and
+      succ = this
+    }
+  }
+
+  /**
+   * Taint steps through chainable setter calls.
+   *
+   * Setters mutate the URI object and return the same instance.
+   */
+  private class SetterCall extends DataFlow::MethodCallNode, UriLibraryStep {
+    DataFlow::NewNode uri;
+    string name;
+
+    SetterCall() {
+      exists(DataFlow::SourceNode base |
+        base = Closure::moduleImport("goog.Uri").getAnInstantiation() and
+        uri = base
+        or
+        base.(SetterCall).getUri() = uri
+      |
+        this = base.getAMethodCall(name) and
+        name.matches("set%")
+      )
+    }
+
+    DataFlow::NewNode getUri() { result = uri }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      pred = getReceiver() and succ = this
+      or
+      (name = "setDomain" or name = "setPath" or name = "setScheme") and
+      pred = getArgument(0) and succ = uri
+    }
+  }
+}
diff --git a/javascript/ql/test/library-tests/frameworks/UriLibraries/UriLibraryStep.expected b/javascript/ql/test/library-tests/frameworks/UriLibraries/UriLibraryStep.expected
@@ -1,3 +1,27 @@
+| closureUri.js:5:11:5:20 | new Uri(x) | closureUri.js:5:19:5:19 | x | closureUri.js:5:11:5:20 | new Uri(x) |
+| closureUri.js:6:1:6:12 | Uri.parse(x) | closureUri.js:6:11:6:11 | x | closureUri.js:6:1:6:12 | Uri.parse(x) |
+| closureUri.js:7:1:7:17 | Uri.resolve(x, y) | closureUri.js:7:13:7:13 | x | closureUri.js:7:1:7:17 | Uri.resolve(x, y) |
+| closureUri.js:7:1:7:17 | Uri.resolve(x, y) | closureUri.js:7:16:7:16 | y | closureUri.js:7:1:7:17 | Uri.resolve(x, y) |
+| closureUri.js:8:1:8:57 | Uri.cre ... , frag) | closureUri.js:8:12:8:17 | scheme | closureUri.js:8:1:8:57 | Uri.cre ... , frag) |
+| closureUri.js:8:1:8:57 | Uri.cre ... , frag) | closureUri.js:8:26:8:31 | domain | closureUri.js:8:1:8:57 | Uri.cre ... , frag) |
+| closureUri.js:8:1:8:57 | Uri.cre ... , frag) | closureUri.js:8:40:8:43 | path | closureUri.js:8:1:8:57 | Uri.cre ... , frag) |
+| closureUri.js:10:1:10:16 | uri.setScheme(x) | closureUri.js:10:1:10:3 | uri | closureUri.js:10:1:10:16 | uri.setScheme(x) |
+| closureUri.js:10:1:10:16 | uri.setScheme(x) | closureUri.js:10:15:10:15 | x | closureUri.js:5:11:5:20 | new Uri(x) |
+| closureUri.js:11:1:11:18 | uri.setUserInfo(x) | closureUri.js:11:1:11:3 | uri | closureUri.js:11:1:11:18 | uri.setUserInfo(x) |
+| closureUri.js:12:1:12:16 | uri.setDomain(x) | closureUri.js:12:1:12:3 | uri | closureUri.js:12:1:12:16 | uri.setDomain(x) |
+| closureUri.js:12:1:12:16 | uri.setDomain(x) | closureUri.js:12:15:12:15 | x | closureUri.js:5:11:5:20 | new Uri(x) |
+| closureUri.js:13:1:13:14 | uri.setPort(x) | closureUri.js:13:1:13:3 | uri | closureUri.js:13:1:13:14 | uri.setPort(x) |
+| closureUri.js:14:1:14:14 | uri.setPath(x) | closureUri.js:14:1:14:3 | uri | closureUri.js:14:1:14:14 | uri.setPath(x) |
+| closureUri.js:14:1:14:14 | uri.setPath(x) | closureUri.js:14:13:14:13 | x | closureUri.js:5:11:5:20 | new Uri(x) |
+| closureUri.js:15:1:15:15 | uri.setQuery(x) | closureUri.js:15:1:15:3 | uri | closureUri.js:15:1:15:15 | uri.setQuery(x) |
+| closureUri.js:16:1:16:18 | uri.setFragment(x) | closureUri.js:16:1:16:3 | uri | closureUri.js:16:1:16:18 | uri.setFragment(x) |
+| closureUri.js:18:1:18:15 | uri.setQuery(x) | closureUri.js:18:1:18:3 | uri | closureUri.js:18:1:18:15 | uri.setQuery(x) |
+| closureUri.js:18:1:18:26 | uri.set ... Path(y) | closureUri.js:18:1:18:15 | uri.setQuery(x) | closureUri.js:18:1:18:26 | uri.set ... Path(y) |
+| closureUri.js:18:1:18:26 | uri.set ... Path(y) | closureUri.js:18:25:18:25 | y | closureUri.js:5:11:5:20 | new Uri(x) |
+| closureUri.js:18:1:18:39 | uri.set ... heme(z) | closureUri.js:18:1:18:26 | uri.set ... Path(y) | closureUri.js:18:1:18:39 | uri.set ... heme(z) |
+| closureUri.js:18:1:18:39 | uri.set ... heme(z) | closureUri.js:18:38:18:38 | z | closureUri.js:5:11:5:20 | new Uri(x) |
+| closureUri.js:22:1:22:25 | utils.a ... uri, z) | closureUri.js:22:19:22:21 | uri | closureUri.js:22:1:22:25 | utils.a ... uri, z) |
+| closureUri.js:23:1:23:18 | utils.getPath(uri) | closureUri.js:23:15:23:17 | uri | closureUri.js:23:1:23:18 | utils.getPath(uri) |
 | punycode.js:3:9:3:26 | punycode.decode(x) | punycode.js:3:25:3:25 | x | punycode.js:3:9:3:26 | punycode.decode(x) |
 | punycode.js:5:5:5:22 | punycode.encode(x) | punycode.js:5:21:5:21 | x | punycode.js:5:5:5:22 | punycode.encode(x) |
 | punycode.js:7:5:7:25 | punycod ... code(x) | punycode.js:7:24:7:24 | x | punycode.js:7:5:7:25 | punycod ... code(x) |
diff --git a/javascript/ql/test/library-tests/frameworks/UriLibraries/closureUri.js b/javascript/ql/test/library-tests/frameworks/UriLibraries/closureUri.js
@@ -0,0 +1,23 @@
+goog.module('closureUri');
+
+let Uri = goog.require('goog.Uri');
+
+let uri = new Uri(x);
+Uri.parse(x);
+Uri.resolve(x, y);
+Uri.create(scheme, cred, domain, port, path, query, frag);
+
+uri.setScheme(x);
+uri.setUserInfo(x);
+uri.setDomain(x);
+uri.setPort(x);
+uri.setPath(x);
+uri.setQuery(x);
+uri.setFragment(x);
+
+uri.setQuery(x).setPath(y).setScheme(z);
+
+let utils = goog.require('goog.uri.utils');
+
+utils.appendParam(uri, z);
+utils.getPath(uri);
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
@@ -14,6 +14,10 @@ nodes
 | tst.js:30:13:30:43 | "http:/ ... tainted |
 | tst.js:30:37:30:43 | tainted |
 | tst.js:34:34:34:40 | tainted |
+| tst.js:36:16:36:31 | new Uri(tainted) |
+| tst.js:36:24:36:30 | tainted |
+| tst.js:37:22:37:37 | new Uri(tainted) |
+| tst.js:37:30:37:36 | tainted |
 edges
 | tst.js:14:9:14:52 | tainted | tst.js:18:13:18:19 | tainted |
 | tst.js:14:9:14:52 | tainted | tst.js:20:17:20:23 | tainted |
@@ -22,13 +26,17 @@ edges
 | tst.js:14:9:14:52 | tainted | tst.js:28:36:28:42 | tainted |
 | tst.js:14:9:14:52 | tainted | tst.js:30:37:30:43 | tainted |
 | tst.js:14:9:14:52 | tainted | tst.js:34:34:34:40 | tainted |
+| tst.js:14:9:14:52 | tainted | tst.js:36:24:36:30 | tainted |
+| tst.js:14:9:14:52 | tainted | tst.js:37:30:37:36 | tainted |
 | tst.js:14:19:14:42 | url.par ... , true) | tst.js:14:19:14:48 | url.par ... ).query |
 | tst.js:14:19:14:48 | url.par ... ).query | tst.js:14:19:14:52 | url.par ... ery.url |
 | tst.js:14:19:14:52 | url.par ... ery.url | tst.js:14:9:14:52 | tainted |
 | tst.js:14:29:14:35 | req.url | tst.js:14:19:14:42 | url.par ... , true) |
 | tst.js:26:25:26:31 | tainted | tst.js:26:13:26:31 | "http://" + tainted |
 | tst.js:28:36:28:42 | tainted | tst.js:28:13:28:42 | "http:/ ... tainted |
 | tst.js:30:37:30:43 | tainted | tst.js:30:13:30:43 | "http:/ ... tainted |
+| tst.js:36:24:36:30 | tainted | tst.js:36:16:36:31 | new Uri(tainted) |
+| tst.js:37:30:37:36 | tainted | tst.js:37:22:37:37 | new Uri(tainted) |
 #select
 | tst.js:18:5:18:20 | request(tainted) | tst.js:14:29:14:35 | req.url | tst.js:18:13:18:19 | tainted | The $@ of this request depends on $@. | tst.js:18:13:18:19 | tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
 | tst.js:20:5:20:24 | request.get(tainted) | tst.js:14:29:14:35 | req.url | tst.js:20:17:20:23 | tainted | The $@ of this request depends on $@. | tst.js:20:17:20:23 | tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
@@ -37,3 +45,5 @@ edges
 | tst.js:28:5:28:43 | request ... ainted) | tst.js:14:29:14:35 | req.url | tst.js:28:13:28:42 | "http:/ ... tainted | The $@ of this request depends on $@. | tst.js:28:13:28:42 | "http:/ ... tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
 | tst.js:30:5:30:44 | request ... ainted) | tst.js:14:29:14:35 | req.url | tst.js:30:13:30:43 | "http:/ ... tainted | The $@ of this request depends on $@. | tst.js:30:13:30:43 | "http:/ ... tainted | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
 | tst.js:34:5:34:42 | http.ge ... inted}) | tst.js:14:29:14:35 | req.url | tst.js:34:34:34:40 | tainted | The $@ of this request depends on $@. | tst.js:34:34:34:40 | tainted | host | tst.js:14:29:14:35 | req.url | a user-provided value |
+| tst.js:36:5:36:32 | XhrIo.s ... inted)) | tst.js:14:29:14:35 | req.url | tst.js:36:16:36:31 | new Uri(tainted) | The $@ of this request depends on $@. | tst.js:36:16:36:31 | new Uri(tainted) | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
+| tst.js:37:5:37:38 | new Xhr ... inted)) | tst.js:14:29:14:35 | req.url | tst.js:37:22:37:37 | new Uri(tainted) | The $@ of this request depends on $@. | tst.js:37:22:37:37 | new Uri(tainted) | URL | tst.js:14:29:14:35 | req.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-918/tst.js b/javascript/ql/test/query-tests/Security/CWE-918/tst.js
@@ -7,8 +7,8 @@ import axios from 'axios';
 import got from 'got';
 import nodeFetch from 'node-fetch';
 import url from 'url';
-
-
+let XhrIo = goog.require('goog.net.XhrIo');
+let Uri = goog.require('goog.Uri');
 
 var server = http.createServer(function(req, res) {
     var tainted = url.parse(req.url, true).query.url;
@@ -32,4 +32,7 @@ var server = http.createServer(function(req, res) {
     request("http://example.com/?" + tainted); // OK
 
     http.get(relativeUrl, {host: tainted}); // NOT OK
+
+    XhrIo.send(new Uri(tainted)); // NOT OK
+    new XhrIo().send(new Uri(tainted)); // NOT OK
 })

Original file line number	Diff line number	Diff line change
`@@ -198,7 +198,5 @@ module Closure {`
`198`	`198`	`/**`
`199`	`199`	`* Gets a dataflow node that refers to the given value exported from a Closure module.`
`200`	`200`	`*/`
`201`		`- DataFlow::SourceNode moduleImport(string moduleName) {`
`202`		`- getLibraryAccessPath(result) = moduleName`
`203`		`- }`
	`201`	`+ DataFlow::SourceNode moduleImport(string moduleName) { getLibraryAccessPath(result) = moduleName }`
`204`	`202`	`}`