refactor into customizations module - and move curl download to a ClientRequest

erik-krogh · erik-krogh · commit 056a7e87ff03 · 2020-06-12T10:51:09.000+02:00
diff --git a/javascript/ql/src/Security/CWE-829/UnsecureDownload.ql b/javascript/ql/src/Security/CWE-829/UnsecureDownload.ql
@@ -11,47 +11,9 @@
  */
 
 import javascript
+import semmle.javascript.security.dataflow.UnsecureDownload::UnsecureDownload
 import DataFlow::PathGraph
 
-class Configuration extends DataFlow::Configuration {
-  Configuration() { this = "HTTP/HTTPS" }
-
-  override predicate isSource(DataFlow::Node source) {
-    exists(string str | str = source.getStringValue() |
-      str.regexpMatch("http://.*|ftp://.'") and
-      exists(string suffix | suffix = unsafeSuffix() |
-        str.suffix(str.length() - suffix.length() - 1).toLowerCase() = "." + suffix
-      )
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(ClientRequest request | sink = request.getUrl())
-    or
-    exists(SystemCommandExecution cmd |
-      cmd.getACommandArgument().getStringValue() = "curl" or
-      cmd
-          .getACommandArgument()
-          .(StringOps::ConcatenationRoot)
-          .getConstantStringParts()
-          .regexpMatch("curl .*")
-    |
-      sink = cmd.getArgumentList().getALocalSource().getAPropertyWrite().getRhs() or
-      sink = cmd.getACommandArgument().(StringOps::ConcatenationRoot).getALeaf()
-    )
-  }
-}
-
-/**
- * Gets a file-suffix
- */
-string unsafeSuffix() {
-  // including arcives, because they often contain source-code.
-  result =
-    ["exe", "dmg", "pkg", "tar.gz", "zip", "sh", "bat", "cmd", "app", "apk", "msi", "dmg", "tar.gz",
-        "zip"]
-}
-
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Download of file from $@.", source.getNode(), "HTTP source"
diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -633,4 +633,32 @@ module ClientRequest {
 
     override DataFlow::Node getADataNode() { none() }
   }
+
+  /**
+   * A shell execution of `curl` that downloads some file.
+   */
+  class CurlDownload extends ClientRequest::Range {
+    SystemCommandExecution cmd;
+
+    CurlDownload() {
+      this = cmd and
+      (
+        cmd.getACommandArgument().getStringValue() = "curl" or
+        cmd
+            .getACommandArgument()
+            .(StringOps::ConcatenationRoot)
+            .getConstantStringParts()
+            .regexpMatch("curl .*")
+      )
+    }
+
+    override DataFlow::Node getUrl() {
+      result = cmd.getArgumentList().getALocalSource().getAPropertyWrite().getRhs() or
+      result = cmd.getACommandArgument().(StringOps::ConcatenationRoot).getALeaf()
+    }
+
+    override DataFlow::Node getHost() { none() }
+
+    override DataFlow::Node getADataNode() { none() }
+  }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsecureDownload.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsecureDownload.qll
@@ -0,0 +1,28 @@
+/**
+ * Provides a taint tracking configuration for reasoning about download of sensitive file through unsecure connection.
+ *
+ * Note, for performance reasons: only import this file if
+ * `UnsecureDownload::Configuration` is needed, otherwise
+ * `UnsecureDownloadCustomizations` should be imported instead.
+ */
+
+import javascript
+
+module UnsecureDownload {
+  import UnsecureDownloadCustomizations::UnsecureDownload
+
+  /**
+   * A taint tracking configuration for download of sensitive file through unsecure connection.
+   */
+  class Configuration extends DataFlow::Configuration {
+    Configuration() { this = "HTTP/HTTPS" }
+
+    override predicate isSource(DataFlow::Node source) {
+      source instanceof Source
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+      sink instanceof Sink
+    }
+  }
+}
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsecureDownloadCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsecureDownloadCustomizations.qll
@@ -0,0 +1,70 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * download of sensitive file through unsecure connection, as well as
+ * extension points for adding your own.
+ */
+
+import javascript
+
+module UnsecureDownload {
+  /**
+   * A data flow source for download of sensitive file through unsecure connection.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for download of sensitive file through unsecure connection.
+   */
+  abstract class Sink extends DataFlow::Node {
+    /**
+     * Gets the call that downloads the sensitive file.
+     */
+    abstract DataFlow::Node getDownloadCall();
+  }
+
+  /**
+   * A sanitizer for download of sensitive file through unsecure connection.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A HTTP or FTP URL that refers to a file with a sensitive file extension,
+   * seen as a source for download of sensitive file through unsecure connection.
+   */
+  class SensitiveFileUrl extends Source {
+    SensitiveFileUrl() {
+      exists(string str | str = this.getStringValue() |
+        str.regexpMatch("http://.*|ftp://.'") and
+        exists(string suffix | suffix = unsafeExtension() |
+          str.suffix(str.length() - suffix.length() - 1).toLowerCase() = "." + suffix
+        )
+      )
+    }
+  }
+
+  /**
+   * Gets a file-extension that can potentially be dangerous.
+   *
+   * Archives are included, because they often contain source-code.
+   */
+  string unsafeExtension() {
+    result =
+      ["exe", "dmg", "pkg", "tar.gz", "zip", "sh", "bat", "cmd", "app", "apk", "msi", "dmg",
+          "tar.gz", "zip"]
+  }
+
+  /**
+   * A url downloaded by a client-request, seen as a sink for download of
+   * sensitive file through unsecure connection.a
+   */
+  class ClientRequestURL extends Sink {
+    ClientRequest request;
+    ClientRequestURL() {
+        this = request.getUrl()
+    }
+
+    override DataFlow::Node getDownloadCall() {
+      result = request
+    }
+  }
+}
