Skip to content

JS: add dataflow barrier for if(!x) #2778

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 11 commits into from
Feb 20, 2020
Merged

JS: add dataflow barrier for if(!x) #2778

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
1f7dda7
add dataflow barrier for if(xrandr)
erik-krogh Feb 6, 2020
ade93e6
move the if(!x) from DataFLow to TaintTracking
erik-krogh Feb 6, 2020
2865723
add test for new barrier
erik-krogh Feb 6, 2020
75f23a1
update docstring
erik-krogh Feb 6, 2020
1ece6b9
update expected output of tests
erik-krogh Feb 7, 2020
06e13cb
Merge branch 'master' of git.semmle.com:Semmle/ql into FalsySanitizer
erik-krogh Feb 7, 2020
0f511c9
Merge remote-tracking branch 'upstream/master' into FalsySanitizer
erik-krogh Feb 10, 2020
d913654
Merge remote-tracking branch 'upstream/master' into FalsySanitizer
erik-krogh Feb 12, 2020
e359e1a
use a barrier directly instead of a barrier guard
erik-krogh Feb 18, 2020
2d437ef
corrections on qldoc
erik-krogh Feb 20, 2020
8096280
update doc for VarAccessBarrier, and make the class private
erik-krogh Feb 20, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 1 addition & 6 deletions javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -188,12 +188,7 @@ class PropNameTracking extends DataFlow::Configuration {
override predicate isBarrier(DataFlow::Node node) {
super.isBarrier(node)
or
exists(ConditionGuardNode guard, SsaRefinementNode refinement |
node = DataFlow::ssaDefinitionNode(refinement) and
refinement.getGuard() = guard and
guard.getTest() instanceof VarAccess and
guard.getOutcome() = false
)
node instanceof DataFlow::VarAccessBarrier
}

override predicate isBarrierGuard(DataFlow::BarrierGuardNode node) {
Expand Down
15 changes: 15 additions & 0 deletions javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1480,3 +1480,18 @@ private class AdditionalBarrierGuardCall extends AdditionalBarrierGuardNode, Dat

override predicate appliesTo(Configuration cfg) { f.appliesTo(cfg) }
}

/**
* A guard node for a variable in a negative condition, such as `x` in `if(!x)`.
* Can be added to a `isBarrier` in a data-flow configuration to block flow through such checks.
*/
class VarAccessBarrier extends DataFlow::Node {
VarAccessBarrier() {
exists(ConditionGuardNode guard, SsaRefinementNode refinement |
this = DataFlow::ssaDefinitionNode(refinement) and
refinement.getGuard() = guard and
guard.getTest() instanceof VarAccess and
guard.getOutcome() = false
)
}
}
3 changes: 2 additions & 1 deletion javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,8 @@ module TaintTracking {

final override predicate isBarrier(DataFlow::Node node) {
super.isBarrier(node) or
isSanitizer(node)
isSanitizer(node) or
node instanceof DataFlow::VarAccessBarrier
}

final override predicate isBarrierEdge(DataFlow::Node source, DataFlow::Node sink) {
Expand Down
5 changes: 5 additions & 0 deletions javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -355,6 +355,11 @@ module TaintedPath {
}
}

/**
* A guard node for a variable in a negative condition, such as `x` in `if(!x)`.
*/
private class VarAccessBarrier extends Sanitizer, DataFlow::VarAccessBarrier { }

/**
* A source of remote user input, considered as a flow source for
* tainted-path vulnerabilities.
Expand Down
2 changes: 2 additions & 0 deletions javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,8 @@ typeInferenceMismatch
| sanitizer-guards.js:43:11:43:18 | source() | sanitizer-guards.js:45:8:45:8 | x |
| sanitizer-guards.js:43:11:43:18 | source() | sanitizer-guards.js:48:10:48:10 | x |
| sanitizer-guards.js:68:11:68:18 | source() | sanitizer-guards.js:75:8:75:8 | x |
| sanitizer-guards.js:79:11:79:18 | source() | sanitizer-guards.js:81:8:81:8 | x |
| sanitizer-guards.js:79:11:79:18 | source() | sanitizer-guards.js:84:10:84:10 | x |
| spread.js:2:15:2:22 | source() | spread.js:4:8:4:19 | { ...taint } |
| spread.js:2:15:2:22 | source() | spread.js:5:8:5:43 | { f: 'h ... orld' } |
| spread.js:2:15:2:22 | source() | spread.js:7:8:7:19 | [ ...taint ] |
Expand Down
3 changes: 3 additions & 0 deletions javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,9 @@
| sanitizer-guards.js:43:11:43:18 | source() | sanitizer-guards.js:48:10:48:10 | x |
| sanitizer-guards.js:43:11:43:18 | source() | sanitizer-guards.js:52:10:52:10 | x |
| sanitizer-guards.js:68:11:68:18 | source() | sanitizer-guards.js:75:8:75:8 | x |
| sanitizer-guards.js:79:11:79:18 | source() | sanitizer-guards.js:81:8:81:8 | x |
| sanitizer-guards.js:79:11:79:18 | source() | sanitizer-guards.js:84:10:84:10 | x |
| sanitizer-guards.js:79:11:79:18 | source() | sanitizer-guards.js:86:7:86:7 | x |
| thisAssignments.js:4:17:4:24 | source() | thisAssignments.js:5:10:5:18 | obj.field |
| thisAssignments.js:7:19:7:26 | source() | thisAssignments.js:8:10:8:20 | this.field2 |
| tst.js:2:13:2:20 | source() | tst.js:4:10:4:10 | x |
12 changes: 12 additions & 0 deletions javascript/ql/test/library-tests/TaintTracking/sanitizer-guards.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,3 +74,15 @@ function phi2() {
}
sink(x); // NOT OK
}

function falsy() {
let x = source();

sink(x); // NOT OK

if (x) {
sink(x); // OK (for taint-tracking)
} else {
sink(x); // NOT OK
}
}
398 changes: 199 additions & 199 deletions javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
View file
Open in desktop

Large diffs are not rendered by default.

25 changes: 24 additions & 1 deletion javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,9 +115,32 @@ var server = http.createServer(function(req, res) {

});

var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;

if (path) { // sanitization
path = path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''); // remove all invalid characters from states plus slashes
path = path.replace(/\.\./g, ''); // remove all ".."
}

res.write(fs.readFileSync(path)); // OK. Is sanitized above.
});

var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;

if (!path) {

} else { // sanitization
path = path.replace(/[\]\[*,;'"`<>\\?\/]/g, ''); // remove all invalid characters from states plus slashes
path = path.replace(/\.\./g, ''); // remove all ".."
}

res.write(fs.readFileSync(path)); // OK. Is sanitized above.
});

var server = http.createServer(function(req, res) {
let path = url.parse(req.url, true).query.path;

require('send')(req, path); // NOT OK

});