JS: introduce models of three cookie libraries

Author: Esben Sparre Andreasen

javascript/ql/src/javascript.qll

@@ -60,6 +60,7 @@ import semmle.javascript.frameworks.Azure
 import semmle.javascript.frameworks.Babel
 import semmle.javascript.frameworks.ComposedFunctions
 import semmle.javascript.frameworks.ClientRequests
+import semmle.javascript.frameworks.CookieLibraries
 import semmle.javascript.frameworks.Credentials
 import semmle.javascript.frameworks.CryptoLibraries
 import semmle.javascript.frameworks.DigitalOcean

javascript/ql/src/semmle/javascript/frameworks/CookieLibraries.qll

@@ -0,0 +1,93 @@
+
+/**
+ * Provides classes for reasoning about cookies.
+ */
+
+import javascript
+
+/**
+ * A model of the `js-cookie` library (https://github.com/js-cookie/js-cookie).
+ */
+private module JsCookie {
+  /**
+   * Gets a function call that invokes method `name` of the `js-cookie` library.
+   */
+  DataFlow::CallNode libMemberCall(string name) {
+    result = DataFlow::globalVarRef("Cookie").getAMemberCall(name) or
+    result = DataFlow::globalVarRef("Cookie").getAMemberCall("noConflict").getAMemberCall(name) or
+    result = DataFlow::moduleMember("js-cookie", name).getACall()
+  }
+
+  class ReadAccess extends PersistentReadAccess, DataFlow::CallNode {
+    ReadAccess() { this = libMemberCall("get") }
+
+    override PersistentWriteAccess getAWrite() {
+      getArgument(0).mayHaveStringValue(result.(WriteAccess).getKey())
+    }
+  }
+
+  class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode {
+    WriteAccess() { this = libMemberCall("set") }
+
+    string getKey() { getArgument(0).mayHaveStringValue(result) }
+
+    override DataFlow::Node getValue() { result = getArgument(1) }
+  }
+}
+
+/**
+ * A model of the `browser-cookies` library (https://github.com/voltace/browser-cookies).
+ */
+private module BrowserCookies {
+  /**
+   * Gets a function call that invokes method `name` of the `browser-cookies` library.
+   */
+  DataFlow::CallNode libMemberCall(string name) {
+    result = DataFlow::moduleMember("browser-cookies", name).getACall()
+  }
+
+  class ReadAccess extends PersistentReadAccess, DataFlow::CallNode {
+    ReadAccess() { this = libMemberCall("get") }
+
+    override PersistentWriteAccess getAWrite() {
+      getArgument(0).mayHaveStringValue(result.(WriteAccess).getKey())
+    }
+  }
+
+  class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode {
+    WriteAccess() { this = libMemberCall("set") }
+
+    string getKey() { getArgument(0).mayHaveStringValue(result) }
+
+    override DataFlow::Node getValue() { result = getArgument(1) }
+  }
+}
+
+/**
+ * A model of the `cookie` library (https://github.com/jshttp/cookie).
+ */
+private module LibCookie {
+  /**
+   * Gets a function call that invokes method `name` of the `cookie` library.
+   */
+  DataFlow::CallNode libMemberCall(string name) {
+    result = DataFlow::moduleMember("cookie", name).getACall()
+  }
+
+  class ReadAccess extends PersistentReadAccess {
+    string key;
+    ReadAccess() { this = libMemberCall("parse").getAPropertyRead(key) }
+
+    override PersistentWriteAccess getAWrite() {
+      key = result.(WriteAccess).getKey()
+    }
+  }
+
+  class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode {
+    WriteAccess() { this = libMemberCall("serialize") }
+
+    string getKey() { getArgument(0).mayHaveStringValue(result) }
+
+    override DataFlow::Node getValue() { result = getArgument(1) }
+  }
+}

javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieReadAccess.expected

@@ -0,0 +1,3 @@
+| tst.js:7:2:7:21 | js_cookie.get('key') |
+| tst.js:12:2:12:27 | browser ... ('key') |
+| tst.js:18:2:18:22 | cookie. ... ['key'] |

javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieReadAccess.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from PersistentReadAccess read
+select read

javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieReadAccess_getAWrite.expected

@@ -0,0 +1,3 @@
+| tst.js:7:2:7:21 | js_cookie.get('key') | tst.js:6:2:6:30 | js_cook ... value') |
+| tst.js:12:2:12:27 | browser ... ('key') | tst.js:11:2:11:36 | browser ... value') |
+| tst.js:18:2:18:22 | cookie. ... ['key'] | tst.js:17:2:17:33 | cookie. ... value') |

javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieReadAccess_getAWrite.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from PersistentReadAccess read
+select read, read.getAWrite()

javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieWriteAccess.expected

@@ -0,0 +1,3 @@
+| tst.js:6:2:6:30 | js_cook ... value') | tst.js:6:23:6:29 | 'value' |
+| tst.js:11:2:11:36 | browser ... value') | tst.js:11:29:11:35 | 'value' |
+| tst.js:17:2:17:33 | cookie. ... value') | tst.js:17:26:17:32 | 'value' |

javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieWriteAccess.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from PersistentWriteAccess write
+select write, write.getValue()

javascript/ql/test/library-tests/frameworks/CookieLibraries/tst.js

@@ -0,0 +1,19 @@
+const js_cookie = require('js-cookie'),
+      browser_cookies = require('browser-cookies'),
+      cookie = require('cookie');
+
+(function() {
+	js_cookie.set('key', 'value');
+	js_cookie.get('key');
+});
+
+(function() {
+	browser_cookies.set('key', 'value');
+	browser_cookies.get('key');
+});
+
+
+(function() {
+	cookie.serialize('key', 'value');
+	cookie.parse()['key'];
+});