add tests for js/build-artifact-leak

erik-krogh · erik-krogh · commit 02c4a0477d82 · 2020-06-12T10:21:37.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -208,8 +208,8 @@ module CleartextLogging {
         stringify.getArgument(0) = read
       )
     |
-      exists(write.getPropertyNameExpr()) and
-      exists(read.getPropertyNameExpr()) and
+      not exists(write.getPropertyName()) and
+      not exists(read.getPropertyName()) and
       src = read.getBase() and
       trg = write.getBase().getALocalSource()
     )
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/BuildArtifactLeak.expected b/javascript/ql/test/query-tests/Security/CWE-312/BuildArtifactLeak.expected
@@ -0,0 +1,57 @@
+nodes
+| build-leaks.js:4:39:6:1 | { // NO ... .env)\\n} |
+| build-leaks.js:4:39:6:1 | { // NO ... .env)\\n} |
+| build-leaks.js:5:20:5:46 | JSON.st ... ss.env) |
+| build-leaks.js:5:35:5:45 | process.env |
+| build-leaks.js:5:35:5:45 | process.env |
+| build-leaks.js:13:11:19:10 | raw |
+| build-leaks.js:13:17:19:10 | Object. ...      }) |
+| build-leaks.js:14:18:14:20 | env |
+| build-leaks.js:15:24:15:34 | process.env |
+| build-leaks.js:15:24:15:34 | process.env |
+| build-leaks.js:16:20:16:22 | env |
+| build-leaks.js:21:11:26:5 | stringifed |
+| build-leaks.js:21:24:26:5 | {\\n      ... )\\n    } |
+| build-leaks.js:22:24:25:14 | Object. ...  }, {}) |
+| build-leaks.js:22:49:22:51 | env |
+| build-leaks.js:23:39:23:41 | raw |
+| build-leaks.js:24:20:24:22 | env |
+| build-leaks.js:30:22:30:31 | stringifed |
+| build-leaks.js:34:26:34:57 | getEnv( ... ngified |
+| build-leaks.js:34:26:34:57 | getEnv( ... ngified |
+| build-leaks.js:40:9:40:60 | pw |
+| build-leaks.js:40:14:40:60 | url.par ... assword |
+| build-leaks.js:40:14:40:60 | url.par ... assword |
+| build-leaks.js:41:43:41:86 | { "proc ... y(pw) } |
+| build-leaks.js:41:43:41:86 | { "proc ... y(pw) } |
+| build-leaks.js:41:67:41:84 | JSON.stringify(pw) |
+| build-leaks.js:41:82:41:83 | pw |
+edges
+| build-leaks.js:5:20:5:46 | JSON.st ... ss.env) | build-leaks.js:4:39:6:1 | { // NO ... .env)\\n} |
+| build-leaks.js:5:20:5:46 | JSON.st ... ss.env) | build-leaks.js:4:39:6:1 | { // NO ... .env)\\n} |
+| build-leaks.js:5:35:5:45 | process.env | build-leaks.js:5:20:5:46 | JSON.st ... ss.env) |
+| build-leaks.js:5:35:5:45 | process.env | build-leaks.js:5:20:5:46 | JSON.st ... ss.env) |
+| build-leaks.js:13:11:19:10 | raw | build-leaks.js:23:39:23:41 | raw |
+| build-leaks.js:13:17:19:10 | Object. ...      }) | build-leaks.js:13:11:19:10 | raw |
+| build-leaks.js:14:18:14:20 | env | build-leaks.js:16:20:16:22 | env |
+| build-leaks.js:15:24:15:34 | process.env | build-leaks.js:14:18:14:20 | env |
+| build-leaks.js:15:24:15:34 | process.env | build-leaks.js:14:18:14:20 | env |
+| build-leaks.js:16:20:16:22 | env | build-leaks.js:13:17:19:10 | Object. ...      }) |
+| build-leaks.js:21:11:26:5 | stringifed | build-leaks.js:30:22:30:31 | stringifed |
+| build-leaks.js:21:24:26:5 | {\\n      ... )\\n    } | build-leaks.js:21:11:26:5 | stringifed |
+| build-leaks.js:22:24:25:14 | Object. ...  }, {}) | build-leaks.js:21:24:26:5 | {\\n      ... )\\n    } |
+| build-leaks.js:22:49:22:51 | env | build-leaks.js:24:20:24:22 | env |
+| build-leaks.js:23:39:23:41 | raw | build-leaks.js:22:49:22:51 | env |
+| build-leaks.js:24:20:24:22 | env | build-leaks.js:22:24:25:14 | Object. ...  }, {}) |
+| build-leaks.js:30:22:30:31 | stringifed | build-leaks.js:34:26:34:57 | getEnv( ... ngified |
+| build-leaks.js:30:22:30:31 | stringifed | build-leaks.js:34:26:34:57 | getEnv( ... ngified |
+| build-leaks.js:40:9:40:60 | pw | build-leaks.js:41:82:41:83 | pw |
+| build-leaks.js:40:14:40:60 | url.par ... assword | build-leaks.js:40:9:40:60 | pw |
+| build-leaks.js:40:14:40:60 | url.par ... assword | build-leaks.js:40:9:40:60 | pw |
+| build-leaks.js:41:67:41:84 | JSON.stringify(pw) | build-leaks.js:41:43:41:86 | { "proc ... y(pw) } |
+| build-leaks.js:41:67:41:84 | JSON.stringify(pw) | build-leaks.js:41:43:41:86 | { "proc ... y(pw) } |
+| build-leaks.js:41:82:41:83 | pw | build-leaks.js:41:67:41:84 | JSON.stringify(pw) |
+#select
+| build-leaks.js:4:39:6:1 | { // NO ... .env)\\n} | build-leaks.js:5:35:5:45 | process.env | build-leaks.js:4:39:6:1 | { // NO ... .env)\\n} | Sensitive data returned by $@ is stored in a build artifact here. | build-leaks.js:5:35:5:45 | process.env | process environment |
+| build-leaks.js:34:26:34:57 | getEnv( ... ngified | build-leaks.js:15:24:15:34 | process.env | build-leaks.js:34:26:34:57 | getEnv( ... ngified | Sensitive data returned by $@ is stored in a build artifact here. | build-leaks.js:15:24:15:34 | process.env | process environment |
+| build-leaks.js:41:43:41:86 | { "proc ... y(pw) } | build-leaks.js:40:14:40:60 | url.par ... assword | build-leaks.js:41:43:41:86 | { "proc ... y(pw) } | Sensitive data returned by $@ is stored in a build artifact here. | build-leaks.js:40:14:40:60 | url.par ... assword | an access to current_password |
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/BuildArtifactLeak.qlref b/javascript/ql/test/query-tests/Security/CWE-312/BuildArtifactLeak.qlref
@@ -0,0 +1 @@
+Security/CWE-312/BuildArtifactLeak.ql
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/build-leaks.js b/javascript/ql/test/query-tests/Security/CWE-312/build-leaks.js
@@ -0,0 +1,42 @@
+const webpack = require("webpack");
+
+
+var plugin = new webpack.DefinePlugin({ // NOT OK
+    "process.env": JSON.stringify(process.env)
+});
+
+// OK
+new webpack.DefinePlugin({ 'process.env': JSON.stringify({ DEBUG: process.env.DEBUG }) })
+
+
+function getEnv(env) {
+    const raw = Object.keys(process.env)
+        .reduce((env, key) => {
+            env[key] = process.env[key]
+            return env
+        }, {
+            NODE_ENV: process.env.NODE_ENV || env || 'development'
+        })
+
+    const stringifed = {
+        'process.env': Object.keys(raw).reduce((env, key) => {
+            env[key] = JSON.stringify(raw[key])
+            return env
+        }, {})
+    }
+
+    return {
+        raw: raw,
+        stringified: stringifed
+    }
+}
+
+new webpack.DefinePlugin(getEnv('production').stringified); // NOT OK
+
+var https = require('https');
+var url = require('url');
+
+var server = https.createServer(function (req, res) {
+    let pw = url.parse(req.url, true).query.current_password;
+    var plugin = new webpack.DefinePlugin({ "process.env.secret": JSON.stringify(pw) }); // NOT OK
+});

Original file line number	Diff line number	Diff line change
`@@ -208,8 +208,8 @@ module CleartextLogging {`
`208`	`208`	`stringify.getArgument(0) = read`
`209`	`209`	`)`
`210`	`210`	`\|`
`211`		`- exists(write.getPropertyNameExpr()) and`
`212`		`- exists(read.getPropertyNameExpr()) and`
	`211`	`+ not exists(write.getPropertyName()) and`
	`212`	`+ not exists(read.getPropertyName()) and`
`213`	`213`	`src = read.getBase() and`
`214`	`214`	`trg = write.getBase().getALocalSource()`
`215`	`215`	`)`