JavaScript: Restrict RemotePropertyInjection query to avoid double-reporting.

Max Schaefer · Max Schaefer · commit f1c538a97b35 · 2018-11-28T08:16:31.000Z
This query now only flags user-controlled property and header writes, method calls are handled by the new unsafe/unvalidated method call queries.
diff --git a/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.qhelp b/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.qhelp
@@ -6,89 +6,80 @@
 <overview>
 	<p>
 		Dynamically computing object property names from untrusted input
-		may have multiple undesired consequences. For example, 
-		if the property access is used as part of a write, an 
-		attacker may overwrite vital properties of objects, such as 
-		<code>__proto__</code>. This attack is known as <i>prototype 
-		pollution attack</i> and may serve as a vehicle for denial-of-service 
-		attacks. A similar attack vector, is to replace the 
-		<code>toString</code> property of an object with a primitive. 
-		Whenever <code>toString</code> is then called on that object, either 
-		explicitly or implicitly as part of a type coercion, an exception 
+		may have multiple undesired consequences. For example,
+		if the property access is used as part of a write, an
+		attacker may overwrite vital properties of objects, such as
+		<code>__proto__</code>. This attack is known as <i>prototype
+		pollution attack</i> and may serve as a vehicle for denial-of-service
+		attacks. A similar attack vector, is to replace the
+		<code>toString</code> property of an object with a primitive.
+		Whenever <code>toString</code> is then called on that object, either
+		explicitly or implicitly as part of a type coercion, an exception
 		will be raised.
 	</p>
 
 	<p>
-		Moreover, if the dynamically computed property is 
-		used as part of a method call, the attacker may trigger 
-		the execution of unwanted functions such as the 
-		<code>Function</code> constructor or the 
-		<code>eval</code> method, which can be used 
-		for code injection.  
-	</p>
-	
-	<p>
-		Additionally, if the name of an HTTP header is user-controlled,
-		an attacker may exploit this to overwrite security-critical headers 
-		such as <code>Access-Control-Allow-Origin</code> or 
+		Moreover, if the name of an HTTP header is user-controlled,
+		an attacker may exploit this to overwrite security-critical headers
+		such as <code>Access-Control-Allow-Origin</code> or
 		<code>Content-Security-Policy</code>.
 	</p>
 </overview>
 
 <recommendation>
 	<p>
 		The most common case in which prototype pollution vulnerabilities arise
-		is when JavaScript objects are used for implementing map data 
-		structures. This case should be avoided whenever possible by using the 
-		ECMAScript 2015 <code>Map</code> instead. When this is not possible, an 
-		alternative fix is to prepend untrusted input with a marker character 
-		such as <code>$</code>, before using it in properties accesses. In this way, 
-		the attacker does not	have access to built-in properties which do not 
-		start with the chosen character.   
+		is when JavaScript objects are used for implementing map data
+		structures. This case should be avoided whenever possible by using the
+		ECMAScript 2015 <code>Map</code> instead. When this is not possible, an
+		alternative fix is to prepend untrusted input with a marker character
+		such as <code>$</code>, before using it in properties accesses. In this way,
+		the attacker does not	have access to built-in properties which do not
+		start with the chosen character.
 	</p>
 	<p>
-		When using user input as part of header or method names, a sanitization
-		step should be performed on the input to ensure that the name does not 
-		clash with existing property and header names such as 
-		<code>__proto__</code> or <code>Content-Security-Policy</code>.    
+		When using user input as part of a header name, a sanitization
+		step should be performed on the input to ensure that the name does not
+		clash with existing header names such as
+		<code>Content-Security-Policy</code>.
 	</p>
 </recommendation>
 
 <example>
 	<p>
-		In the example below, the dynamically computed property 
-		<code>prop</code> is accessed on <code>myObj</code> using a 
+		In the example below, the dynamically computed property
+		<code>prop</code> is accessed on <code>myObj</code> using a
 		user-controlled value.
 	</p>
 
 	<sample src="examples/RemotePropertyInjection.js"/>
 
 	<p>
-		This is not secure since an attacker may exploit this code to 
+		This is not secure since an attacker may exploit this code to
 		overwrite the property <code>__proto__</code> with an empty function.
-		If this happens, the concatenation in the <code>console.log</code> 
-		argument will fail with a confusing message such as 
+		If this happens, the concatenation in the <code>console.log</code>
+		argument will fail with a confusing message such as
 		"Function.prototype.toString is not	generic". If the application does
 		not properly handle this error, this scenario may result in a serious
-		denial-of-service attack. The fix is to prepend the user-controlled 
-		string with a marker character such as <code>$</code> which will 
-		prevent arbitrary property names from being overwritten. 
+		denial-of-service attack. The fix is to prepend the user-controlled
+		string with a marker character such as <code>$</code> which will
+		prevent arbitrary property names from being overwritten.
 	</p>
 
 	<sample src="examples/RemotePropertyInjection_fixed.js"/>
 </example>
 
 <references>
-	<li>Prototype pollution attacks: 
+	<li>Prototype pollution attacks:
 		<a href="https://github.com/electron/electron/pull/9287">electron</a>,
 		<a href="https://hackerone.com/reports/310443">lodash</a>,
 		<a href="https://nodesecurity.io/advisories/566">hoek</a>.
 	</li>
-	<li> Penetration testing report: 
+	<li> Penetration testing report:
 		<a href="http://seclists.org/pen-test/2009/Mar/67">
 			header name injection attack</a>
 	</li>
-	<li> npm blog post: 
+	<li> npm blog post:
 		<a href="https://blog.liftsecurity.io/2015/01/14/the-dangers-of-square-bracket-notation#lift-security">
 			dangers of square bracket notation</a>
 	</li>
diff --git a/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql b/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql
@@ -1,8 +1,7 @@
 /**
  * @name Remote property injection
- * @description Allowing writes to arbitrary properties or calls to arbitrary 
- *       methods of an object may lead to denial-of-service attacks. 
- *   
+ * @description Allowing writes to arbitrary properties of an object may lead to
+ *              denial-of-service attacks.
  * @kind path-problem
  * @problem.severity warning
  * @precision medium
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/RemotePropertyInjection.qll b/javascript/ql/src/semmle/javascript/security/dataflow/RemotePropertyInjection.qll
@@ -1,6 +1,6 @@
 /**
- * Provides a taint tracking configuration for reasoning about injections in 
- * property names, used either for writing into a property, into a header or 
+ * Provides a taint tracking configuration for reasoning about injections in
+ * property names, used either for writing into a property, into a header or
  * for calling an object's method.
  */
 
@@ -18,11 +18,11 @@ module RemotePropertyInjection {
    * A data flow sink for remote property injection.
    */
   abstract class Sink extends DataFlow::Node {
-  
+
     /**
      * Gets a string to identify the different types of sinks.
      */
-    abstract string getMessage();   
+    abstract string getMessage();
   }
 
   /**
@@ -52,58 +52,40 @@ module RemotePropertyInjection {
   }
 
   /**
-   * A source of remote user input, considered as a flow source for remote property 
-   * injection. 
+   * A source of remote user input, considered as a flow source for remote property
+   * injection.
    */
   class RemoteFlowSourceAsSource extends Source {
     RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
   }
 
   /**
-   * A sink for property writes with dynamically computed property name.  
+   * A sink for property writes with dynamically computed property name.
    */
   class PropertyWriteSink extends Sink, DataFlow::ValueNode  {
     PropertyWriteSink() {
-      exists (DataFlow::PropWrite pw | astNode = pw.getPropertyNameExpr()) or 
-      exists (DeleteExpr expr | expr.getOperand().(PropAccess).getPropertyNameExpr() = astNode)               
+      exists (DataFlow::PropWrite pw | astNode = pw.getPropertyNameExpr()) or
+      exists (DeleteExpr expr | expr.getOperand().(PropAccess).getPropertyNameExpr() = astNode)
     }
 
     override string getMessage() {
       result = " a property name to write to."
-    }     
-  }
-  
-  /**
-   * A sink for method calls using dynamically computed method names.   
-   */
-  class MethodCallSink extends Sink, DataFlow::ValueNode  {
-    MethodCallSink() {
-      exists (DataFlow::PropRead pr | astNode = pr.getPropertyNameExpr() |
-        exists (pr.getAnInvocation()) and
-
-        // Omit sinks covered by the UnsafeDynamicMethodAccess query
-        not PropertyInjection::hasUnsafeMethods(pr.getBase().getALocalSource())
-      )
-    }
-
-    override string getMessage() {
-      result = " a method name to be called."
     }
   }
-  
-  /** 
-   * A sink for HTTP header writes with dynamically computed header name. 
-   * This sink avoids double-flagging by ignoring `SetMultipleHeaders` since 
-   * the multiple headers use case consists of an objects containing different 
-   * header names as properties. This case is already handled by 
-   * `PropertyWriteSink`. 
+
+  /**
+   * A sink for HTTP header writes with dynamically computed header name.
+   * This sink avoids double-flagging by ignoring `SetMultipleHeaders` since
+   * the multiple headers use case consists of an objects containing different
+   * header names as properties. This case is already handled by
+   * `PropertyWriteSink`.
    */
   class HeaderNameSink extends Sink, DataFlow::ValueNode  {
     HeaderNameSink() {
-      exists (HTTP::ExplicitHeaderDefinition  hd | 
-        not hd instanceof Express::SetMultipleHeaders and 
-        astNode = hd.getNameExpr()        
-      )          
+      exists (HTTP::ExplicitHeaderDefinition  hd |
+        not hd instanceof Express::SetMultipleHeaders and
+        astNode = hd.getNameExpr()
+      )
     }
 
     override string getMessage() {
diff --git a/javascript/ql/test/query-tests/Security/CWE-400/RemotePropertyInjection.expected b/javascript/ql/test/query-tests/Security/CWE-400/RemotePropertyInjection.expected
@@ -3,7 +3,6 @@ nodes
 | tst.js:8:13:8:52 | myCoolL ... rolled) |
 | tst.js:8:28:8:51 | req.que ... trolled |
 | tst.js:9:8:9:11 | prop |
-| tst.js:11:16:11:19 | prop |
 | tst.js:13:15:13:18 | prop |
 | tst.js:14:31:14:34 | prop |
 | tst.js:16:10:16:13 | prop |
@@ -12,7 +11,6 @@ nodes
 | tstNonExpr.js:8:17:8:23 | userVal |
 edges
 | tst.js:8:6:8:52 | prop | tst.js:9:8:9:11 | prop |
-| tst.js:8:6:8:52 | prop | tst.js:11:16:11:19 | prop |
 | tst.js:8:6:8:52 | prop | tst.js:13:15:13:18 | prop |
 | tst.js:8:6:8:52 | prop | tst.js:14:31:14:34 | prop |
 | tst.js:8:6:8:52 | prop | tst.js:16:10:16:13 | prop |
@@ -22,7 +20,6 @@ edges
 | tstNonExpr.js:5:17:5:23 | req.url | tstNonExpr.js:5:7:5:23 | userVal |
 #select
 | tst.js:9:8:9:11 | prop | tst.js:8:28:8:51 | req.que ... trolled | tst.js:9:8:9:11 | prop | A $@ is used as a property name to write to. | tst.js:8:28:8:51 | req.que ... trolled | user-provided value |
-| tst.js:11:16:11:19 | prop | tst.js:8:28:8:51 | req.que ... trolled | tst.js:11:16:11:19 | prop | A $@ is used as a method name to be called. | tst.js:8:28:8:51 | req.que ... trolled | user-provided value |
 | tst.js:13:15:13:18 | prop | tst.js:8:28:8:51 | req.que ... trolled | tst.js:13:15:13:18 | prop | A $@ is used as a property name to write to. | tst.js:8:28:8:51 | req.que ... trolled | user-provided value |
 | tst.js:14:31:14:34 | prop | tst.js:8:28:8:51 | req.que ... trolled | tst.js:14:31:14:34 | prop | A $@ is used as a property name to write to. | tst.js:8:28:8:51 | req.que ... trolled | user-provided value |
 | tst.js:16:10:16:13 | prop | tst.js:8:28:8:51 | req.que ... trolled | tst.js:16:10:16:13 | prop | A $@ is used as a property name to write to. | tst.js:8:28:8:51 | req.que ... trolled | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-400/tst.js b/javascript/ql/test/query-tests/Security/CWE-400/tst.js
@@ -5,14 +5,14 @@ var myObj = {}
 
 app.get('/user/:id', function(req, res) {
 	myCoolLocalFct(req.query.userControlled);
-	var prop = myCoolLocalFct(req.query.userControlled);    
+	var prop = myCoolLocalFct(req.query.userControlled);
 	myObj[prop] = 23; // NOT OK
 	myObj.prop = 23; // OK
-	var x = myObj[prop]; // NOT OK
-	x(23);	
-	delete myObj[prop]; // NOT OK	
+	var x = myObj[prop]; // NOT OK, but flagged by different query
+	x(23);
+	delete myObj[prop]; // NOT OK
 	Object.defineProperty(myObj, prop, {value: 24}); // NOT OK
-	var headers = {};	
+	var headers = {};
 	headers[prop] = 42; // NOT OK
 	res.set(headers);
 	myCoolLocalFct[req.query.x](); // OK - flagged by method name injection
@@ -21,5 +21,5 @@ app.get('/user/:id', function(req, res) {
 function myCoolLocalFct(x) {
 	var result = x;
 	return result.substring(0, result.length);
-	
+
 }
