Merge pull request #462 from xiemaisi/js/security-paths

Approved by esben-semmle

Author: semmle-qlci

change-notes/1.19/analysis-javascript.md

@@ -13,6 +13,8 @@
 
 * Type inference for function calls has been improved. This may give additional results for queries that rely on type inference.
 
+* Where applicable, path explanations have been added to the security queries.
+
 ## New queries
 
 | **Query**                                     | **Tags**                                             | **Purpose**                                                                                                                                                                 |

javascript/ql/src/Security/CWE-022/TaintedPath.ql

@@ -2,7 +2,7 @@
  * @name Uncontrolled data used in path expression
  * @description Accessing paths influenced by users can allow an attacker to access
  *              unexpected resources.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id js/path-injection
@@ -15,9 +15,10 @@
  */
 
 import javascript
-import semmle.javascript.security.dataflow.RemoteFlowSources
 import semmle.javascript.security.dataflow.TaintedPath::TaintedPath
+import DataFlow::PathGraph
 
-from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
-where cfg.hasFlow(source, sink)
-select sink, "This path depends on $@.", source, "a user-provided value"
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasPathFlow(source, sink)
+select sink.getNode(), source, sink, "This path depends on $@.",
+       source.getNode(), "a user-provided value"

javascript/ql/src/Security/CWE-078/CommandInjection.ql

@@ -2,7 +2,7 @@
  * @name Uncontrolled command line
  * @description Using externally controlled strings in a command line may allow a malicious
  *              user to change the meaning of the command.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id js/command-line-injection
@@ -14,11 +14,13 @@
 
 import javascript
 import semmle.javascript.security.dataflow.CommandInjection::CommandInjection
+import DataFlow::PathGraph
 
-from Configuration cfg, DataFlow::Node source, DataFlow::Node sink, DataFlow::Node highlight
-where cfg.hasFlow(source, sink) and
-      if cfg.isSinkWithHighlight(sink, _) then
-        cfg.isSinkWithHighlight(sink, highlight)
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node highlight
+where cfg.hasPathFlow(source, sink) and
+      if cfg.isSinkWithHighlight(sink.getNode(), _) then
+        cfg.isSinkWithHighlight(sink.getNode(), highlight)
       else
-        highlight = sink
-select highlight, "This command depends on $@.", source, "a user-provided value"
+        highlight = sink.getNode()
+select highlight, source, sink, "This command depends on $@.",
+       source.getNode(), "a user-provided value"

javascript/ql/src/Security/CWE-079/ReflectedXss.ql

@@ -2,7 +2,7 @@
  * @name Reflected cross-site scripting
  * @description Writing user input directly to an HTTP response allows for
  *              a cross-site scripting vulnerability.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id js/reflected-xss
@@ -13,8 +13,9 @@
 
 import javascript
 import semmle.javascript.security.dataflow.ReflectedXss::ReflectedXss
+import DataFlow::PathGraph
 
-from Configuration xss, DataFlow::Node source, DataFlow::Node sink
-where xss.hasFlow(source, sink)
-select sink, "Cross-site scripting vulnerability due to $@.",
-       source, "user-provided value"
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasPathFlow(source, sink)
+select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
+       source.getNode(), "user-provided value"

javascript/ql/src/Security/CWE-079/StoredXss.ql

@@ -2,7 +2,7 @@
  * @name Stored cross-site scripting
  * @description Using uncontrolled stored values in HTML allows for
  *              a stored cross-site scripting vulnerability.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id js/stored-xss
@@ -13,8 +13,9 @@
 
 import javascript
 import semmle.javascript.security.dataflow.StoredXss::StoredXss
+import DataFlow::PathGraph
 
-from Configuration xss, DataFlow::Node source, DataFlow::Node sink
-where xss.hasFlow(source, sink)
-select sink, "Stored cross-site scripting vulnerability due to $@.",
-       source, "stored value"
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasPathFlow(source, sink)
+select sink.getNode(), source, sink, "Stored cross-site scripting vulnerability due to $@.",
+       source.getNode(), "stored value"

javascript/ql/src/Security/CWE-079/Xss.ql

@@ -2,7 +2,7 @@
  * @name Client side cross-site scripting
  * @description Writing user input directly to the DOM allows for
  *              a cross-site scripting vulnerability.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id js/xss
@@ -13,8 +13,9 @@
 
 import javascript
 import semmle.javascript.security.dataflow.DomBasedXss::DomBasedXss
+import DataFlow::PathGraph
 
-from Configuration xss, DataFlow::Node source, Sink sink
-where xss.hasFlow(source, sink)
-select sink, sink.getVulnerabilityKind() + " vulnerability due to $@.",
-       source, "user-provided value"
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasPathFlow(source, sink)
+select sink.getNode(), source, sink, sink.getNode().(Sink).getVulnerabilityKind() + " vulnerability due to $@.",
+       source.getNode(), "user-provided value"

javascript/ql/src/Security/CWE-089/SqlInjection.ql

@@ -2,7 +2,7 @@
 * @name Database query built from user-controlled sources
 * @description Building a database query from user-controlled sources is vulnerable to insertion of
 *              malicious code by the user.
-* @kind problem
+* @kind path-problem
 * @problem.severity error
 * @precision high
 * @id js/sql-injection
@@ -13,16 +13,11 @@
 import javascript
 import semmle.javascript.security.dataflow.SqlInjection
 import semmle.javascript.security.dataflow.NosqlInjection
+import DataFlow::PathGraph
 
-predicate sqlInjection(DataFlow::Node source, DataFlow::Node sink) {
-  any(SqlInjection::Configuration cfg).hasFlow(source, sink)
-}
-
-predicate nosqlInjection(DataFlow::Node source, DataFlow::Node sink) {
-  any(NosqlInjection::Configuration cfg).hasFlow(source, sink)
-}
-
-from DataFlow::Node source, DataFlow::Node sink
-where sqlInjection(source, sink) or
-      nosqlInjection(source, sink)
-select sink, "This query depends on $@.", source, "a user-provided value"
+from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where (cfg instanceof SqlInjection::Configuration or
+       cfg instanceof NosqlInjection::Configuration) and
+      cfg.hasPathFlow(source, sink)
+select sink.getNode(), source, sink, "This query depends on $@.",
+       source.getNode(), "a user-provided value"

javascript/ql/src/Security/CWE-094/CodeInjection.ql

@@ -2,7 +2,7 @@
  * @name Code injection
  * @description Interpreting unsanitized user input as code allows a malicious user arbitrary
  *              code execution.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @id js/code-injection
@@ -14,7 +14,9 @@
 
 import javascript
 import semmle.javascript.security.dataflow.CodeInjection::CodeInjection
+import DataFlow::PathGraph
 
-from Configuration codeInjection, DataFlow::Node source, DataFlow::Node sink
-where codeInjection.hasFlow(source, sink)
-select sink, "$@ flows to here and is interpreted as code.", source, "User-provided value"
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasPathFlow(source, sink)
+select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.",
+       source.getNode(), "User-provided value"

javascript/ql/src/Security/CWE-134/TaintedFormatString.ql

@@ -1,7 +1,7 @@
 /**
  * @name Use of externally-controlled format string
  * @description Using external input in format strings can lead to garbled output.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @precision high
  * @id js/tainted-format-string
@@ -11,7 +11,9 @@
 
 import javascript
 import semmle.javascript.security.dataflow.TaintedFormatString::TaintedFormatString
+import DataFlow::PathGraph
 
-from Configuration c, DataFlow::Node source, DataFlow::Node sink
-where c.hasFlow(source, sink)
-select sink, "$@ flows here and is used in a format string.", source, "User-provided value"
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasPathFlow(source, sink)
+select sink.getNode(), source, sink, "$@ flows here and is used in a format string.",
+       source.getNode(), "User-provided value"

javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql

@@ -1,16 +1,18 @@
 /**
  * @name File data in outbound network request
  * @description Directly sending file data in an outbound network request can indicate unauthorized information disclosure.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @id js/file-access-to-http
  * @tags security
  *       external/cwe/cwe-200
  */
 
 import javascript
-import semmle.javascript.security.dataflow.FileAccessToHttp
+import semmle.javascript.security.dataflow.FileAccessToHttp::FileAccessToHttp
+import DataFlow::PathGraph
 
-from FileAccessToHttp::Configuration config, DataFlow::Node src, DataFlow::Node sink
-where config.hasFlow (src, sink)
-select sink, "$@ flows directly to outbound network request", src, "File data"
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasPathFlow(source, sink)
+select sink.getNode(), source, sink, "$@ flows directly to outbound network request",
+       source.getNode(), "File data"