Merge pull request #162 from asger-semmle/partial-calls

semmle-qlci · web-flow · commit b35f450b0196 · 2018-10-02T11:24:02.000+01:00
Approved by esben-semmle, xiemaisi
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -283,6 +283,18 @@ abstract class AdditionalSink extends DataFlow::Node {
   abstract predicate isSinkFor(Configuration cfg);
 }
 
+/**
+ * An invocation that is modeled as a partial function application.
+ *
+ * This contributes additional argument-passing flow edges that should be added to all data flow configurations.
+ */
+cached abstract class AdditionalPartialInvokeNode extends DataFlow::InvokeNode {
+  /**
+   * Holds if `argument` is passed as argument `index` to the function in `callback`.
+   */
+  cached abstract predicate isPartialArgument(DataFlow::Node callback, DataFlow::Node argument, int index);
+}
+
 /**
  * Additional flow step to model flow from import specifiers into the SSA variable
  * corresponding to the imported variable.
@@ -299,6 +311,37 @@ private class FlowStepThroughImport extends AdditionalFlowStep, DataFlow::ValueN
   }
 }
 
+/**
+ * A partial call through the built-in `Function.prototype.bind`.
+ */
+private class BindPartialCall extends AdditionalPartialInvokeNode, DataFlow::MethodCallNode {
+  BindPartialCall() {
+    getMethodName() = "bind"
+  }
+
+  override predicate isPartialArgument(DataFlow::Node callback, DataFlow::Node argument, int index) {
+    callback = getReceiver() and
+    argument = getArgument(index + 1)
+  }
+}
+
+/**
+ * A partial call through `_.partial` or a function with a similar interface.
+ */
+private class LibraryPartialCall extends AdditionalPartialInvokeNode {
+  LibraryPartialCall() {
+    this = LodashUnderscore::member("partial").getACall() or
+    this = DataFlow::moduleMember("ramda", "partial").getACall()
+  }
+
+  override predicate isPartialArgument(DataFlow::Node callback, DataFlow::Node argument, int index) {
+    callback = getArgument(0) and
+    exists (DataFlow::ArrayLiteralNode array |
+      array.flowsTo(getArgument(1)) and
+      argument = array.getElement(index))
+  }
+}
+
 /**
  * Holds if there is a flow step from `pred` to `succ` described by `summary`
  * under configuration `cfg`.
@@ -395,16 +438,18 @@ private predicate isRelevant(DataFlow::Node nd, DataFlow::Configuration cfg) {
  * either `pred` is an argument of `f` and `succ` the corresponding parameter, or
  * `pred` is a variable definition whose value is captured by `f` at `succ`.
  */
+pragma[noopt]
 private predicate callInputStep(Function f, DataFlow::Node invk,
                                 DataFlow::Node pred, DataFlow::Node succ,
                                 DataFlow::Configuration cfg) {
-  isRelevant(pred, cfg) and
   (
+   isRelevant(pred, cfg) and
    exists (Parameter parm |
      argumentPassing(invk, pred, f, parm) and
      succ = DataFlow::parameterNode(parm)
    )
    or
+   isRelevant(pred, cfg) and
    exists (SsaDefinition prevDef, SsaDefinition def |
      pred = DataFlow::ssaDefinitionNode(prevDef) and
      calls(invk, f) and captures(f, prevDef, def) and
@@ -445,6 +490,7 @@ private predicate flowThroughCall(DataFlow::Node input, DataFlow::Node invk,
                                   DataFlow::Configuration cfg, boolean valuePreserving) {
   exists (Function f, DataFlow::ValueNode ret |
     ret.asExpr() = f.getAReturnedExpr() and
+    calls(invk, f) and // Do not consider partial calls
     reachableFromInput(f, invk, input, ret, cfg, PathSummary::level(valuePreserving))
   )
 }
diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll
@@ -27,6 +27,21 @@ predicate calls(DataFlow::InvokeNode invk, Function f) {
     f = invk.getACallee()
 }
 
+/**
+ * Holds if `invk` may invoke `f` indirectly through the given `callback` argument.
+ *
+ * This only holds for explicitly modeled partial calls.
+ */
+private predicate partiallyCalls(DataFlow::AdditionalPartialInvokeNode invk, DataFlow::AnalyzedNode callback, Function f) {
+  invk.isPartialArgument(callback, _, _) and
+  exists (AbstractFunction callee | callee = callback.getAValue() |
+    if callback.getAValue().isIndefinite("global") then
+      (f = callee.getFunction() and f.getFile() = invk.getFile())
+    else
+      f = callee.getFunction()
+  )
+}
+
 /**
  * Holds if `f` captures the variable defined by `def` in `cap`.
  */
@@ -69,6 +84,11 @@ predicate argumentPassing(DataFlow::InvokeNode invk, DataFlow::ValueNode arg, Fu
     f.getParameter(i) = parm and not parm.isRestParameter() and
     arg = invk.getArgument(i)
   )
+  or
+  exists (DataFlow::Node callback, int i |
+    invk.(DataFlow::AdditionalPartialInvokeNode).isPartialArgument(callback, arg, i) and
+    partiallyCalls(invk, callback, f) and
+    parm = f.getParameter(i) and not parm.isRestParameter())
 }
 
 
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -1,3 +1,8 @@
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:17:14:17:14 | x |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:20:14:20:14 | y |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:30:14:30:20 | x.value |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:41:10:41:18 | id(taint) |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:51:14:51:14 | x |
 | tst.js:2:13:2:20 | source() | tst.js:4:10:4:10 | x |
 | tst.js:2:13:2:20 | source() | tst.js:5:10:5:22 | "/" + x + "!" |
 | tst.js:2:13:2:20 | source() | tst.js:14:10:14:17 | x.sort() |
diff --git a/javascript/ql/test/library-tests/TaintTracking/partialCalls.js b/javascript/ql/test/library-tests/TaintTracking/partialCalls.js
@@ -0,0 +1,58 @@
+let R = require('ramda');
+
+function test() {
+    let taint = source();
+
+    function safe1(x, y) {
+        sink(x); // OK - x is not tainted
+    }
+    function safe2(x, y) {
+        sink(y); // OK - y is not tainted
+    }
+
+    safe1.bind(null, "hello", taint)();
+    safe2.bind(null, taint, "hello")();
+
+    function unsafe1(x, y) {
+        sink(x); // NOT OK - x is tainted
+    }
+    function unsafe2(x ,y) {
+        sink(y); // NOT OK - y is tainted
+    }
+
+    unsafe1.bind(null, taint, "hello")();
+    unsafe2.bind(null, "hello", taint)();
+
+    function safeprop(x) {
+        sink(x.value); // OK - property `value` is not tainted
+    }
+    function unsafeprop(x) {
+        sink(x.value); // NOT OK - property `value` is tainted
+    }
+
+    safeprop.bind(null, {value: "hello", somethingElse: taint})();
+    unsafeprop.bind(null, {value: taint, somethingElse: "hello"})();
+
+    function id(x) {
+        return x;
+    }
+
+    sink(id("hello")); // OK
+    sink(id(taint));   // NOT OK
+
+    let taintGetter = id.bind(null, taint);
+    sink(taintGetter);   // OK - this is a function object
+    sink(taintGetter()); // NOT OK - but not currently detected
+
+    function safearray(x) {
+        sink(x); // OK
+    }
+    function unsafearray(x) {
+        sink(x); // NOT OK
+    }
+
+    let xs = ["hello"];
+    let ys = [taint];
+    R.partial(safearray, xs)();
+    R.partial(unsafearray, ys)();
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
@@ -2,6 +2,10 @@
 | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
+| partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |
+| partial.js:19:14:19:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:22:52:22:58 | req.url | user-provided value |
+| partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:31:48:31:54 | req.url | user-provided value |
+| partial.js:37:14:37:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:40:43:40:49 | req.url | user-provided value |
 | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
 | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:6:9:6:9 | p | user-provided value |
 | tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to $@. | tst2.js:6:12:6:15 | q: r | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssPath.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssPath.expected
@@ -11,6 +11,18 @@ edges
 | formatting.js:4:16:4:29 | req.query.evil | formatting.js:4:9:4:29 | evil |
 | formatting.js:6:43:6:46 | evil | formatting.js:6:14:6:47 | util.fo ... , evil) |
 | formatting.js:7:49:7:52 | evil | formatting.js:7:14:7:53 | require ... , evil) |
+| partial.js:9:25:9:25 | x | partial.js:10:14:10:14 | x |
+| partial.js:10:14:10:14 | x | partial.js:10:14:10:18 | x + y |
+| partial.js:13:42:13:48 | req.url | partial.js:9:25:9:25 | x |
+| partial.js:18:25:18:25 | x | partial.js:19:14:19:14 | x |
+| partial.js:19:14:19:14 | x | partial.js:19:14:19:18 | x + y |
+| partial.js:22:52:22:58 | req.url | partial.js:18:25:18:25 | x |
+| partial.js:27:25:27:25 | x | partial.js:28:14:28:14 | x |
+| partial.js:28:14:28:14 | x | partial.js:28:14:28:18 | x + y |
+| partial.js:31:48:31:54 | req.url | partial.js:27:25:27:25 | x |
+| partial.js:36:25:36:25 | x | partial.js:37:14:37:14 | x |
+| partial.js:37:14:37:14 | x | partial.js:37:14:37:18 | x + y |
+| partial.js:40:43:40:49 | req.url | partial.js:36:25:36:25 | x |
 | promises.js:5:3:5:59 | new Pro ... .data)) | promises.js:6:11:6:11 | x |
 | promises.js:5:44:5:57 | req.query.data | promises.js:5:3:5:59 | new Pro ... .data)) |
 | promises.js:5:44:5:57 | req.query.data | promises.js:6:11:6:11 | x |
@@ -25,6 +37,10 @@ edges
 | etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
+| partial.js:10:14:10:18 | x + y | partial.js:13:42:13:48 | req.url | partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |
+| partial.js:19:14:19:18 | x + y | partial.js:22:52:22:58 | req.url | partial.js:19:14:19:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:22:52:22:58 | req.url | user-provided value |
+| partial.js:28:14:28:18 | x + y | partial.js:31:48:31:54 | req.url | partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:31:48:31:54 | req.url | user-provided value |
+| partial.js:37:14:37:18 | x + y | partial.js:40:43:40:49 | req.url | partial.js:37:14:37:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:40:43:40:49 | req.url | user-provided value |
 | promises.js:6:25:6:25 | x | promises.js:5:44:5:57 | req.query.data | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
 | promises.js:6:25:6:25 | x | promises.js:5:44:5:57 | req.query.data | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
 | tst2.js:7:12:7:12 | p | tst2.js:6:9:6:9 | p | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:6:9:6:9 | p | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssWithCustomSanitizer.expected
@@ -1,6 +1,10 @@
 | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
+| partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |
+| partial.js:19:14:19:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:22:52:22:58 | req.url | user-provided value |
+| partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:31:48:31:54 | req.url | user-provided value |
+| partial.js:37:14:37:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:40:43:40:49 | req.url | user-provided value |
 | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
 | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:6:9:6:9 | p | user-provided value |
 | tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to $@. | tst2.js:6:12:6:15 | q: r | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssWithCustomSanitizer_old.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssWithCustomSanitizer_old.expected
@@ -5,6 +5,10 @@ WARNING: Predicate flowsFrom has been deprecated and may be removed in future (R
 | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
+| partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |
+| partial.js:19:14:19:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:22:52:22:58 | req.url | user-provided value |
+| partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:31:48:31:54 | req.url | user-provided value |
+| partial.js:37:14:37:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:40:43:40:49 | req.url | user-provided value |
 | promises.js:6:25:6:25 | x | Cross-site scripting vulnerability due to $@. | promises.js:5:44:5:57 | req.query.data | user-provided value |
 | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:6:9:6:9 | p | user-provided value |
 | tst2.js:8:12:8:12 | r | Cross-site scripting vulnerability due to $@. | tst2.js:6:12:6:15 | q: r | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/partial.js b/javascript/ql/test/query-tests/Security/CWE-079/partial.js
@@ -0,0 +1,55 @@
+let express = require('express');
+let underscore = require('underscore');
+let lodash = require('lodash');
+let R = require('ramda');
+
+let app = express();
+
+app.get("/some/path", (req, res) => {
+  function sendResponse(x, y) {
+    res.send(x + y); // NOT OK
+  }
+  
+  let callback = sendResponse.bind(null, req.url);
+  [1, 2, 3].forEach(callback);
+});
+
+app.get("/underscore", (req, res) => {
+  function sendResponse(x, y) {
+    res.send(x + y); // NOT OK
+  }
+  
+  let callback = underscore.partial(sendResponse, [req.url]);
+  [1, 2, 3].forEach(callback);
+});
+
+app.get("/lodash", (req, res) => {
+  function sendResponse(x, y) {
+    res.send(x + y); // NOT OK
+  }
+  
+  let callback = lodash.partial(sendResponse, [req.url]);
+  [1, 2, 3].forEach(callback);
+});
+
+app.get("/ramda", (req, res) => {
+  function sendResponse(x, y) {
+    res.send(x + y); // NOT OK
+  }
+  
+  let callback = R.partial(sendResponse, [req.url]);
+  [1, 2, 3].forEach(callback);
+});
+
+app.get("/return", (req, res) => {
+  function getFirst(x, y) {
+    return x;
+  }
+
+  let callback = getFirst.bind(null, req.url);
+
+  res.send(callback);   // OK - the callback itself is not tainted
+  res.send(callback()); // NOT OK - but not currently detected
+
+  res.send(getFirst("Hello")); // OK - argument is not tainted from this call site
+});
