Merge pull request #273 from asger-semmle/csrf-sources

JS: add RemoteFlowSource.isThirdPartyControllable()

Author: Max Schaefer

javascript/ql/src/semmle/javascript/frameworks/HTTP.qll

@@ -404,6 +404,29 @@ module HTTP {
      * Note that this predicate is functional.
      */
     abstract string getKind();
+
+    /**
+     * Holds if this part of the request may be controlled by a third party,
+     * that is, an agent other than the one who sent the request.
+     *
+     * This is true for the URL, query parameters, and request body.
+     * These can be controlled by a malicious third party in the following scenarios:
+     *
+     * - The user clicks a malicious link or is otherwise redirected to a malicious URL.
+     * - The user visits a web site that initiates a form submission or AJAX request on their behalf.
+     *
+     * In these cases, the request is technically sent from the user's browser, but
+     * the user is not in direct control of the URL or POST body.
+     *
+     * Headers are never considered third-party controllable by this predicate, although the
+     * third party does have some control over the the Referer and Origin headers.
+     */
+    predicate isThirdPartyControllable() {
+      exists (string kind | kind = getKind() |
+        kind = "parameter" or
+        kind = "url" or
+        kind = "body")
+    }
   }
 
   /**

javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXss.qll

@@ -43,13 +43,12 @@ module ReflectedXss {
     }
   }
 
-  /** A source of remote user input, considered as a flow source for reflected XSS. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() {
-      this instanceof RemoteFlowSource and
-      // cookies cannot be controlled by a third-party attacker, and hence are
-      // not relevant for reflected XSS
-      not this.(RemoteFlowSource).getSourceType() = "Server request cookie"
+  /** A third-party controllable request input, considered as a flow source for reflected XSS. */
+  class ThirdPartyRequestInputAccessAsSource extends Source {
+    ThirdPartyRequestInputAccessAsSource() {
+      this.(HTTP::RequestInputAccess).isThirdPartyControllable()
+      or
+      this.(HTTP::RequestHeaderAccess).getAHeaderName() = "referer"
     }
   }
 

javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll

@@ -12,7 +12,6 @@ abstract class RemoteFlowSource extends DataFlow::Node {
   abstract string getSourceType();
 }
 
-
 /**
  * An access to `document.cookie`, viewed as a source of remote user input.
  */

javascript/ql/src/semmle/javascript/security/dataflow/ServerSideUrlRedirect.qll

@@ -90,9 +90,11 @@ module ServerSideUrlRedirect {
 
   }
 
-  /** A source of remote user input, considered as a flow source for URL redirects. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  /** A source of third-party user input, considered as a flow source for URL redirects. */
+  class ThirdPartyRequestInputAccessAsSource extends Source {
+    ThirdPartyRequestInputAccessAsSource() {
+      this.(HTTP::RequestInputAccess).isThirdPartyControllable()
+    }
   }
 
   /**