Added modeling of client-s3 v2 and v3

Napalys · Napalys · commit 1af289cd7d44 · 2025-07-29T09:52:49.000+02:00
diff --git a/javascript/ql/lib/ext/client-s3.model.yml b/javascript/ql/lib/ext/client-s3.model.yml
@@ -0,0 +1,20 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["S3ClientV3", "ReturnValue.Member[send].Argument[0]", "sql-injection"]
+      - ["S3ClientV2", "ReturnValue.Member[selectObjectContent].Argument[0].Member[Expression]", "sql-injection"]
+
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: summaryModel
+    data:
+      - ["@aws-sdk/client-s3", "Member[SelectObjectContentCommand]", "Argument[0].Member[Expression]", "ReturnValue", "taint"]
+
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: typeModel
+    data:
+      - ["S3ClientV3", "@aws-sdk/client-s3", "Member[S3Client]"]
+      - ["S3ClientV2", "aws-sdk", "Member[S3]"]
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -1,4 +1,7 @@
 #select
+| clients3.js:18:23:18:60 | new Sel ... params) | clients3.js:10:26:10:33 | req.body | clients3.js:18:23:18:60 | new Sel ... params) | This query string depends on a $@. | clients3.js:10:26:10:33 | req.body | user-provided value |
+| clients3.js:29:21:29:68 | "SELECT ... usInput | clients3.js:23:26:23:33 | req.body | clients3.js:29:21:29:68 | "SELECT ... usInput | This query string depends on a $@. | clients3.js:23:26:23:33 | req.body | user-provided value |
+| clients3.js:38:21:38:68 | "SELECT ... usInput | clients3.js:23:26:23:33 | req.body | clients3.js:38:21:38:68 | "SELECT ... usInput | This query string depends on a $@. | clients3.js:23:26:23:33 | req.body | user-provided value |
 | dynamodb.js:15:23:15:29 | command | dynamodb.js:9:26:9:33 | req.body | dynamodb.js:15:23:15:29 | command | This query string depends on a $@. | dynamodb.js:9:26:9:33 | req.body | user-provided value |
 | dynamodb.js:21:23:21:35 | updateCommand | dynamodb.js:9:26:9:33 | req.body | dynamodb.js:21:23:21:35 | updateCommand | This query string depends on a $@. | dynamodb.js:9:26:9:33 | req.body | user-provided value |
 | dynamodb.js:47:24:47:30 | command | dynamodb.js:9:26:9:33 | req.body | dynamodb.js:47:24:47:30 | command | This query string depends on a $@. | dynamodb.js:9:26:9:33 | req.body | user-provided value |
@@ -143,6 +146,18 @@
 | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | This query string depends on a $@. | tst4.js:8:46:8:60 | $routeParams.id | user-provided value |
 | tst.js:10:10:10:64 | 'SELECT ... d + '"' | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | This query string depends on a $@. | tst.js:10:46:10:58 | req.params.id | user-provided value |
 edges
+| clients3.js:10:9:10:40 | maliciousInput | clients3.js:16:55:16:68 | maliciousInput | provenance |  |
+| clients3.js:10:26:10:33 | req.body | clients3.js:10:9:10:40 | maliciousInput | provenance |  |
+| clients3.js:12:11:17:5 | params [Expression] | clients3.js:18:54:18:59 | params [Expression] | provenance |  |
+| clients3.js:12:20:17:5 | {\\n      ... ,\\n    } [Expression] | clients3.js:12:11:17:5 | params [Expression] | provenance |  |
+| clients3.js:16:21:16:68 | "SELECT ... usInput | clients3.js:12:20:17:5 | {\\n      ... ,\\n    } [Expression] | provenance |  |
+| clients3.js:16:55:16:68 | maliciousInput | clients3.js:16:21:16:68 | "SELECT ... usInput | provenance |  |
+| clients3.js:18:54:18:59 | params [Expression] | clients3.js:18:23:18:60 | new Sel ... params) | provenance |  |
+| clients3.js:23:9:23:40 | maliciousInput | clients3.js:29:55:29:68 | maliciousInput | provenance |  |
+| clients3.js:23:9:23:40 | maliciousInput | clients3.js:38:55:38:68 | maliciousInput | provenance |  |
+| clients3.js:23:26:23:33 | req.body | clients3.js:23:9:23:40 | maliciousInput | provenance |  |
+| clients3.js:29:55:29:68 | maliciousInput | clients3.js:29:21:29:68 | "SELECT ... usInput | provenance |  |
+| clients3.js:38:55:38:68 | maliciousInput | clients3.js:38:21:38:68 | "SELECT ... usInput | provenance |  |
 | dynamodb.js:9:9:9:38 | maliciousInput | dynamodb.js:11:64:11:77 | maliciousInput | provenance |  |
 | dynamodb.js:9:9:9:38 | maliciousInput | dynamodb.js:17:80:17:93 | maliciousInput | provenance |  |
 | dynamodb.js:9:26:9:33 | req.body | dynamodb.js:9:9:9:38 | maliciousInput | provenance |  |
@@ -547,6 +562,20 @@ edges
 | tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | provenance |  |
 | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | provenance |  |
 nodes
+| clients3.js:10:9:10:40 | maliciousInput | semmle.label | maliciousInput |
+| clients3.js:10:26:10:33 | req.body | semmle.label | req.body |
+| clients3.js:12:11:17:5 | params [Expression] | semmle.label | params [Expression] |
+| clients3.js:12:20:17:5 | {\\n      ... ,\\n    } [Expression] | semmle.label | {\\n      ... ,\\n    } [Expression] |
+| clients3.js:16:21:16:68 | "SELECT ... usInput | semmle.label | "SELECT ... usInput |
+| clients3.js:16:55:16:68 | maliciousInput | semmle.label | maliciousInput |
+| clients3.js:18:23:18:60 | new Sel ... params) | semmle.label | new Sel ... params) |
+| clients3.js:18:54:18:59 | params [Expression] | semmle.label | params [Expression] |
+| clients3.js:23:9:23:40 | maliciousInput | semmle.label | maliciousInput |
+| clients3.js:23:26:23:33 | req.body | semmle.label | req.body |
+| clients3.js:29:21:29:68 | "SELECT ... usInput | semmle.label | "SELECT ... usInput |
+| clients3.js:29:55:29:68 | maliciousInput | semmle.label | maliciousInput |
+| clients3.js:38:21:38:68 | "SELECT ... usInput | semmle.label | "SELECT ... usInput |
+| clients3.js:38:55:38:68 | maliciousInput | semmle.label | maliciousInput |
 | dynamodb.js:9:9:9:38 | maliciousInput | semmle.label | maliciousInput |
 | dynamodb.js:9:26:9:33 | req.body | semmle.label | req.body |
 | dynamodb.js:11:11:11:80 | statement | semmle.label | statement |
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/clients3.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/clients3.js
@@ -7,26 +7,26 @@ const app = express();
 app.use(bodyParser.json());
 
 app.post('/client/v3/execute', async (req, res) => {
-    let maliciousInput = req.body.filter; // $ MISSING: Source
+    let maliciousInput = req.body.filter; // $ Source
     const client = new S3Client({ region: "us-east-1" });
     const params = {
         Bucket: "my-bucket",
         Key: "data.csv",
         ExpressionType: "SQL",
         Expression: "SELECT * FROM S3Object WHERE " + maliciousInput,
     };
-    await client.send(new SelectObjectContentCommand(params)); // $ MISSING: Alert
+    await client.send(new SelectObjectContentCommand(params)); // $ Alert
     res.end();
 });
 
 app.post('/client/v2/execute', async (req, res) => {
-    let maliciousInput = req.body.filter; // $ MISSING: Source
+    let maliciousInput = req.body.filter; // $ Source
     const s3 = new AWS.S3({ region: "us-east-1" });
     const params = {
         Bucket: "my-bucket",
         Key: "data.csv",
         ExpressionType: "SQL",
-        Expression: "SELECT * FROM S3Object WHERE " + maliciousInput, // $ MISSING: Alert
+        Expression: "SELECT * FROM S3Object WHERE " + maliciousInput, // $ Alert
     };
     await s3.selectObjectContent(params).promise();
     res.end();
@@ -35,7 +35,7 @@ app.post('/client/v2/execute', async (req, res) => {
         Bucket: "my-bucket",
         Key: "data.csv",
         ExpressionType: "SQL",
-        Expression: "SELECT * FROM S3Object WHERE " + maliciousInput, // $ MISSING: Alert
+        Expression: "SELECT * FROM S3Object WHERE " + maliciousInput, // $ Alert
     };
 
     s3.selectObjectContent(params1, (err, data) => {
