changed the exceptional taint-steps to step through each call-site

erik-krogh · erik-krogh · commit 3edd65f9ab52 · 2019-11-15T16:05:15.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/ExceptionXss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/ExceptionXss.qll
@@ -14,6 +14,14 @@ module ExceptionXss {
   import Xss::StoredXss as StoredXss
   import Xss as XSS
 
+  DataFlow::ExceptionalInvocationReturnNode getCallerExceptionalReturn(DataFlow::FunctionNode func) {
+    exists(DataFlow::InvokeNode call |
+      not call.isImprecise() and
+      func.getFunction() = call.(DataFlow::InvokeNode).getACallee() and
+      result = call.getExceptionalReturn()
+    )
+  }
+
   DataFlow::Node getExceptionalSuccssor(DataFlow::Node pred) {
     exists(DataFlow::FunctionNode func |
       pred.getContainer() = func.getFunction() and
@@ -22,14 +30,12 @@ module ExceptionXss {
         result.(DataFlow::ParameterNode).getParameter() = getEnclosingTryStmt(pred
                 .asExpr()
                 .getEnclosingStmt()).getACatchClause().getAParameter()
-      else result = getExceptionalSuccssor(func.getExceptionalReturn())
-      or
-      pred = func.getExceptionalReturn() and
-      exists(DataFlow::InvokeNode call |
-        not call.isImprecise() and
-        func.getFunction() = call.(DataFlow::InvokeNode).getACallee() and
-        result = getExceptionalSuccssor(call)
-      )
+      else result = getCallerExceptionalReturn(func)
+    )
+    or
+    exists(DataFlow::InvokeNode call |
+      pred = call.getExceptionalReturn() and 
+      result = getExceptionalSuccssor(call)
     )
   }
 
@@ -53,7 +59,9 @@ module ExceptionXss {
   }
 
   /**
-   * A taint-tracking configuration for reasoning about XSS with possible exceptional flow.
+   * A taint-tracking configuration for reasoning about XSS with possible exceptional flow. 
+   * Flow labels are used to ensure that we only report taint-flow that has been thrown in 
+   * an exception.  
    */
   class Configuration extends TaintTracking::Configuration {
     Configuration() { this = "ExceptionXss"}
@@ -63,21 +71,23 @@ module ExceptionXss {
     }
     
     override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-   	  sink instanceof XSS::Shared::Sink and label.isDataOrTaint()
-   	}
+      sink instanceof XSS::Shared::Sink and not label instanceof NotYetThrown
+    }
 
     override predicate isSanitizer(DataFlow::Node node) {
       super.isSanitizer(node) or
       node instanceof XSS::Shared::Sanitizer
     }
 
     override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl) {
+      inlbl instanceof NotYetThrown and (outlbl.isTaint() or outlbl instanceof NotYetThrown) and
+      succ = getExceptionalSuccssor(pred) and
+      (canThrowSensitiveInformation(pred) or pred = any(DataFlow::InvokeNode c).getExceptionalReturn())
+      or
+      // All the usual taint-flow steps applies on data-flow before it has been thrown in an exception.
       this.isAdditionalFlowStep(pred, succ) and inlbl instanceof NotYetThrown and outlbl instanceof NotYetThrown 
       or
-      inlbl instanceof NotYetThrown and outlbl.isTaint() and
-      succ = getExceptionalSuccssor(pred) and
-      canThrowSensitiveInformation(pred)
-      or  
+      // We taint an object deep if it happens before an exception has been thrown. 
       inlbl instanceof NotYetThrown and outlbl instanceof NotYetThrown and
       exists(DataFlow::PropWrite write | write.getRhs() = pred and write.getBase() = succ)
     }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected
@@ -8,6 +8,8 @@ nodes
 | exception-xss.js:10:10:10:10 | e |
 | exception-xss.js:11:18:11:18 | e |
 | exception-xss.js:11:18:11:18 | e |
+| exception-xss.js:15:3:15:12 | exceptional return of inner(foo) |
+| exception-xss.js:15:3:15:12 | exceptional return of inner(foo) |
 | exception-xss.js:15:9:15:11 | foo |
 | exception-xss.js:16:10:16:10 | e |
 | exception-xss.js:17:18:17:18 | e |
@@ -28,16 +30,23 @@ nodes
 | exception-xss.js:35:18:35:18 | e |
 | exception-xss.js:35:18:35:18 | e |
 | exception-xss.js:38:16:38:16 | x |
+| exception-xss.js:39:3:39:10 | exceptional return of deep2(x) |
 | exception-xss.js:39:9:39:9 | x |
 | exception-xss.js:41:17:41:17 | x |
+| exception-xss.js:42:3:42:10 | exceptional return of inner(x) |
 | exception-xss.js:42:9:42:9 | x |
+| exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) |
+| exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) |
 | exception-xss.js:46:8:46:18 | "bar" + foo |
 | exception-xss.js:46:16:46:18 | foo |
 | exception-xss.js:47:10:47:10 | e |
 | exception-xss.js:48:18:48:18 | e |
 | exception-xss.js:48:18:48:18 | e |
 | exception-xss.js:74:28:74:28 | x |
+| exception-xss.js:75:4:75:11 | exceptional return of inner(x) |
 | exception-xss.js:75:10:75:10 | x |
+| exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) |
+| exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) |
 | exception-xss.js:81:16:81:18 | foo |
 | exception-xss.js:82:10:82:10 | e |
 | exception-xss.js:83:18:83:18 | e |
@@ -71,12 +80,15 @@ edges
 | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
 | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
 | exception-xss.js:4:20:4:20 | x | exception-xss.js:5:14:5:14 | x |
-| exception-xss.js:5:14:5:14 | x | exception-xss.js:16:10:16:10 | e |
-| exception-xss.js:5:14:5:14 | x | exception-xss.js:47:10:47:10 | e |
-| exception-xss.js:5:14:5:14 | x | exception-xss.js:82:10:82:10 | e |
+| exception-xss.js:5:14:5:14 | x | exception-xss.js:15:3:15:12 | exceptional return of inner(foo) |
+| exception-xss.js:5:14:5:14 | x | exception-xss.js:15:3:15:12 | exceptional return of inner(foo) |
+| exception-xss.js:5:14:5:14 | x | exception-xss.js:42:3:42:10 | exceptional return of inner(x) |
+| exception-xss.js:5:14:5:14 | x | exception-xss.js:75:4:75:11 | exceptional return of inner(x) |
 | exception-xss.js:9:11:9:13 | foo | exception-xss.js:10:10:10:10 | e |
 | exception-xss.js:10:10:10:10 | e | exception-xss.js:11:18:11:18 | e |
 | exception-xss.js:10:10:10:10 | e | exception-xss.js:11:18:11:18 | e |
+| exception-xss.js:15:3:15:12 | exceptional return of inner(foo) | exception-xss.js:16:10:16:10 | e |
+| exception-xss.js:15:3:15:12 | exceptional return of inner(foo) | exception-xss.js:16:10:16:10 | e |
 | exception-xss.js:15:9:15:11 | foo | exception-xss.js:4:20:4:20 | x |
 | exception-xss.js:16:10:16:10 | e | exception-xss.js:17:18:17:18 | e |
 | exception-xss.js:16:10:16:10 | e | exception-xss.js:17:18:17:18 | e |
@@ -93,15 +105,24 @@ edges
 | exception-xss.js:34:10:34:10 | e | exception-xss.js:35:18:35:18 | e |
 | exception-xss.js:34:10:34:10 | e | exception-xss.js:35:18:35:18 | e |
 | exception-xss.js:38:16:38:16 | x | exception-xss.js:39:9:39:9 | x |
+| exception-xss.js:39:3:39:10 | exceptional return of deep2(x) | exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) |
+| exception-xss.js:39:3:39:10 | exceptional return of deep2(x) | exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) |
 | exception-xss.js:39:9:39:9 | x | exception-xss.js:41:17:41:17 | x |
 | exception-xss.js:41:17:41:17 | x | exception-xss.js:42:9:42:9 | x |
+| exception-xss.js:42:3:42:10 | exceptional return of inner(x) | exception-xss.js:39:3:39:10 | exceptional return of deep2(x) |
 | exception-xss.js:42:9:42:9 | x | exception-xss.js:4:20:4:20 | x |
+| exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) | exception-xss.js:47:10:47:10 | e |
+| exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) | exception-xss.js:47:10:47:10 | e |
 | exception-xss.js:46:8:46:18 | "bar" + foo | exception-xss.js:38:16:38:16 | x |
 | exception-xss.js:46:16:46:18 | foo | exception-xss.js:46:8:46:18 | "bar" + foo |
 | exception-xss.js:47:10:47:10 | e | exception-xss.js:48:18:48:18 | e |
 | exception-xss.js:47:10:47:10 | e | exception-xss.js:48:18:48:18 | e |
 | exception-xss.js:74:28:74:28 | x | exception-xss.js:75:10:75:10 | x |
+| exception-xss.js:75:4:75:11 | exceptional return of inner(x) | exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) |
+| exception-xss.js:75:4:75:11 | exceptional return of inner(x) | exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) |
 | exception-xss.js:75:10:75:10 | x | exception-xss.js:4:20:4:20 | x |
+| exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) | exception-xss.js:82:10:82:10 | e |
+| exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) | exception-xss.js:82:10:82:10 | e |
 | exception-xss.js:81:16:81:18 | foo | exception-xss.js:74:28:74:28 | x |
 | exception-xss.js:82:10:82:10 | e | exception-xss.js:83:18:83:18 | e |
 | exception-xss.js:82:10:82:10 | e | exception-xss.js:83:18:83:18 | e |
@@ -128,3 +149,4 @@ edges
 | exception-xss.js:83:18:83:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:83:18:83:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
 | exception-xss.js:91:18:91:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:91:18:91:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
 | exception-xss.js:97:18:97:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:97:18:97:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
+| exception-xss.js:109:14:109:30 | "Exception: " + e | exception-xss.js:107:13:107:25 | req.params.id | exception-xss.js:109:14:109:30 | "Exception: " + e | Cross-site scripting vulnerability due to $@. | exception-xss.js:107:13:107:25 | req.params.id | user-provided value |
