Merge pull request #1356 from asger-semmle/tainted-path-cherry-picked

Max Schaefer · web-flow · commit 1bf7bcf010b9 · 2019-05-23T12:26:35.000+01:00
JS: Refactor LabelledBarrierGuard
diff --git a/change-notes/1.21/analysis-javascript.md b/change-notes/1.21/analysis-javascript.md
@@ -48,4 +48,7 @@
 * `RegExpLiteral` is now a `DataFlow::SourceNode`.
 * `JSDocTypeExpr` now has source locations and is a subclass of `Locatable` and `TypeAnnotation`.
 * Various predicates named `getTypeAnnotation()` now return `TypeAnnotation` instead of `TypeExpr`.
-  In rare cases, this may cause compilation errors. Cast the result to `TypeExpr` if this happens.
+  In rare cases, this may cause compilation errors in existing code. Cast the result to `TypeExpr` if this happens.
+* The `getALabel` predicate in `LabeledBarrierGuardNode` and `LabeledSanitizerGuardNode`
+  has been deprecated and overriding it no longer has any effect.
+  Instead use the 3-parameter version of `blocks` or `sanitizes`.
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -147,9 +147,8 @@ abstract class Configuration extends string {
    */
   predicate isBarrier(DataFlow::Node node) {
     exists(BarrierGuardNode guard |
-      not guard instanceof LabeledBarrierGuardNode and
       isBarrierGuard(guard) and
-      guard.blocks(node)
+      guard.internalBlocks(node, "")
     )
   }
 
@@ -167,10 +166,9 @@ abstract class Configuration extends string {
    * Holds if flow with label `lbl` cannot flow into `node`.
    */
   predicate isLabeledBarrier(DataFlow::Node node, FlowLabel lbl) {
-    exists(LabeledBarrierGuardNode guard |
-      lbl = guard.getALabel() and
+    exists(BarrierGuardNode guard |
       isBarrierGuard(guard) and
-      guard.blocks(node)
+      guard.internalBlocks(node, lbl)
     )
     or
     none() // relax type inference to account for overriding
@@ -254,43 +252,81 @@ module FlowLabel {
  */
 abstract class BarrierGuardNode extends DataFlow::Node {
   /**
-   * Holds if data flow node `nd` acts as a barrier for data flow.
+   * Holds if data flow node `nd` acts as a barrier for data flow, possibly due to aliasing
+   * through an access path.
+   *
+   * `label` is bound to the blocked label, or the empty string if all labels should be blocked.
    *
    * INTERNAL: this predicate should only be used from within `blocks(boolean, Expr)`.
    */
-  predicate blocks(DataFlow::Node nd) {
+  predicate internalBlocks(DataFlow::Node nd, string label) {
     // 1) `nd` is a use of a refinement node that blocks its input variable
-    exists(SsaRefinementNode ref |
+    exists(SsaRefinementNode ref, boolean outcome |
       nd = DataFlow::ssaDefinitionNode(ref) and
       forex(SsaVariable input | input = ref.getAnInput() |
         asExpr() = ref.getGuard().getTest() and
-        blocks(ref.getGuard().(ConditionGuardNode).getOutcome(), input.getAUse())
+        outcome = ref.getGuard().(ConditionGuardNode).getOutcome() and
+        internalBlocksExpr(outcome, input.getAUse(), label)
       )
     )
     or
     // 2) `nd` is an instance of an access path `p`, and dominated by a barrier for `p`
-    exists(AccessPath p, BasicBlock bb, ConditionGuardNode cond |
+    exists(AccessPath p, BasicBlock bb, ConditionGuardNode cond, boolean outcome |
       nd = DataFlow::valueNode(p.getAnInstanceIn(bb)) and
       asExpr() = cond.getTest() and
-      blocks(cond.getOutcome(), p.getAnInstance()) and
+      outcome = cond.getOutcome() and
+      internalBlocksAccessPath(outcome, p, label) and
       cond.dominates(bb)
     )
   }
 
+  /**
+   * Holds if data flow node `nd` acts as a barrier for data flow.
+   *
+   * `label` is bound to the blocked label, or the empty string if all labels should be blocked.
+   */
+  private predicate internalBlocksExpr(boolean outcome, Expr test, string label) {
+    blocks(outcome, test) and label = ""
+    or
+    blocks(outcome, test, label)
+  }
+
+  /**
+   * Holds if data flow node `nd` acts as a barrier for data flow due to aliasing through
+   * an access path.
+   *
+   * `label` is bound to the blocked label, or the empty string if all labels should be blocked.
+   */
+  pragma[noinline]
+  private predicate internalBlocksAccessPath(boolean outcome, AccessPath ap, string label) {
+    internalBlocksExpr(outcome, ap.getAnInstance(), label)
+  }
+
   /**
    * Holds if this node blocks expression `e` provided it evaluates to `outcome`.
+   *
+   * This will block all flow labels.
    */
   abstract predicate blocks(boolean outcome, Expr e);
+
+  /**
+   * Holds if this node blocks expression `e` from flow of type `label`, provided it evaluates to `outcome`.
+   */
+  predicate blocks(boolean outcome, Expr e, FlowLabel label) { none() }
 }
 
 /**
  * A guard node that only blocks specific labels.
  */
 abstract class LabeledBarrierGuardNode extends BarrierGuardNode {
+  override predicate blocks(boolean outcome, Expr e) { none() }
+
   /**
-   * Get a flow label blocked by this guard node.
+   * DEPRECATED: Use `blocks(outcome, e, label)` or `sanitizes(outcome, e, label)` instead.
+   *
+   * Overriding this predicate has no effect.
    */
-  abstract FlowLabel getALabel();
+  deprecated FlowLabel getALabel() { none() }
 }
 
 /**
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -129,20 +129,35 @@ module TaintTracking {
    * A node that can act as a sanitizer when appearing in a condition.
    */
   abstract class SanitizerGuardNode extends DataFlow::BarrierGuardNode {
-    final override predicate blocks(boolean outcome, Expr e) { sanitizes(outcome, e) }
+    override predicate blocks(boolean outcome, Expr e) { sanitizes(outcome, e) }
 
     /**
      * Holds if this node sanitizes expression `e`, provided it evaluates
      * to `outcome`.
      */
     abstract predicate sanitizes(boolean outcome, Expr e);
+
+    override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      sanitizes(outcome, e, label)
+    }
+
+    /**
+     * Holds if this node sanitizes expression `e`, provided it evaluates
+     * to `outcome`.
+     */
+    predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) { none() }
   }
 
   /**
    * A sanitizer guard node that only blocks specific flow labels.
    */
-  abstract class LabeledSanitizerGuardNode extends SanitizerGuardNode,
-    DataFlow::LabeledBarrierGuardNode { }
+  abstract class LabeledSanitizerGuardNode extends SanitizerGuardNode, DataFlow::BarrierGuardNode {
+    final override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      sanitizes(outcome, e, label)
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) { none() }
+  }
 
   /**
    * A taint-propagating data flow edge that should be added to all taint tracking
diff --git a/javascript/ql/src/semmle/javascript/security/TaintedObject.qll b/javascript/ql/src/semmle/javascript/security/TaintedObject.qll
@@ -84,7 +84,6 @@ module TaintedObject {
    * Sanitizer guard that blocks deep object taint.
    */
   abstract class SanitizerGuard extends TaintTracking::LabeledSanitizerGuardNode {
-    override FlowLabel getALabel() { result = label() }
   }
 
   /**
@@ -110,9 +109,10 @@ module TaintedObject {
       )
     }
 
-    override predicate sanitizes(boolean outcome, Expr e) {
+    override predicate sanitizes(boolean outcome, Expr e, FlowLabel label) {
       polarity = outcome and
-      e = typeof.getOperand()
+      e = typeof.getOperand() and
+      label = label()
     }
   }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCall.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCall.qll
@@ -142,11 +142,10 @@ module UnvalidatedDynamicMethodCall {
       astNode.getAnOperand().getUnderlyingValue() = t
     }
 
-    override predicate sanitizes(boolean outcome, Expr e) {
+    override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
       outcome = astNode.getPolarity() and
-      e = t.getOperand().getUnderlyingValue()
+      e = t.getOperand().getUnderlyingValue() and
+      label instanceof MaybeNonFunction
     }
-
-    override DataFlow::FlowLabel getALabel() { result instanceof MaybeNonFunction }
   }
 }
diff --git a/javascript/ql/test/library-tests/LabelledBarrierGuards/LabelledBarrierGuards.expected b/javascript/ql/test/library-tests/LabelledBarrierGuards/LabelledBarrierGuards.expected
@@ -0,0 +1,6 @@
+| tst.js:2:11:2:18 | source() | tst.js:8:12:8:12 | x |
+| tst.js:2:11:2:18 | source() | tst.js:12:12:12:12 | x |
+| tst.js:2:11:2:18 | source() | tst.js:14:12:14:12 | x |
+| tst.js:2:11:2:18 | source() | tst.js:18:12:18:12 | x |
+| tst.js:2:11:2:18 | source() | tst.js:20:12:20:12 | x |
+| tst.js:2:11:2:18 | source() | tst.js:26:12:26:12 | x |
diff --git a/javascript/ql/test/library-tests/LabelledBarrierGuards/LabelledBarrierGuards.ql b/javascript/ql/test/library-tests/LabelledBarrierGuards/LabelledBarrierGuards.ql
@@ -0,0 +1,68 @@
+import javascript
+
+class CustomFlowLabel extends DataFlow::FlowLabel {
+  CustomFlowLabel() {
+    this = "A" or this = "B"
+  }
+}
+
+class Config extends TaintTracking::Configuration {
+  Config() { this = "Config" }
+
+  override predicate isSource(DataFlow::Node node, DataFlow::FlowLabel lbl) {
+    node.(DataFlow::CallNode).getCalleeName() = "source" and
+    lbl instanceof CustomFlowLabel
+  }
+
+  override predicate isSink(DataFlow::Node node, DataFlow::FlowLabel lbl) {
+    exists(DataFlow::CallNode call |
+      call.getCalleeName() = "sink" and
+      node = call.getAnArgument() and
+      lbl instanceof CustomFlowLabel
+    )
+  }
+
+  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) {
+    node instanceof IsTypeAGuard or
+    node instanceof IsSanitizedGuard
+  }
+}
+
+/**
+ * A condition that checks what kind of value the input is. Not enough to
+ * sanitize the value, but later sanitizers only need to handle the relevant case.
+ */
+class IsTypeAGuard extends TaintTracking::LabeledSanitizerGuardNode, DataFlow::CallNode {
+  IsTypeAGuard() {
+    getCalleeName() = "isTypeA"
+  }
+
+  override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel lbl) {
+    e = getArgument(0).asExpr() and
+    (
+      outcome = true and lbl = "B"
+      or
+      outcome = false and lbl = "A"
+    )
+  }
+}
+
+class IsSanitizedGuard extends TaintTracking::LabeledSanitizerGuardNode, DataFlow::CallNode {
+  IsSanitizedGuard() {
+    getCalleeName() = "sanitizeA" or getCalleeName() = "sanitizeB"
+  }
+
+  override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel lbl) {
+    e = getArgument(0).asExpr() and
+    outcome = true and
+    (
+      getCalleeName() = "sanitizeA" and lbl = "A"
+      or
+      getCalleeName() = "sanitizeB" and lbl = "B"
+    )
+  }
+}
+
+from Config cfg, DataFlow::Node source, DataFlow::Node sink
+where cfg.hasFlow(source, sink)
+select source, sink
diff --git a/javascript/ql/test/library-tests/LabelledBarrierGuards/tst.js b/javascript/ql/test/library-tests/LabelledBarrierGuards/tst.js
@@ -0,0 +1,33 @@
+function test() {
+  let x = source();
+
+  if (isTypeA(x)) {
+    if (sanitizeA(x)) {
+      sink(x); // OK
+    } else {
+      sink(x); // NOT OK
+    }
+
+    if (sanitizeB(x)) {
+      sink(x); // NOT OK
+    } else {
+      sink(x); // NOT OK
+    }
+  } else {
+    if (sanitizeA(x)) {
+      sink(x); // NOT OK
+    } else {
+      sink(x); // NOT OK
+    }
+
+    if (sanitizeB(x)) {
+      sink(x); // OK
+    } else {
+      sink(x); // NOT OK
+    }
+  }
+
+  if (sanitizeA(x) && sanitizeB(x)) {
+    sink(x); // OK
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,6 @@ module TaintedObject {`
`84`	`84`	`* Sanitizer guard that blocks deep object taint.`
`85`	`85`	`*/`
`86`	`86`	`abstract class SanitizerGuard extends TaintTracking::LabeledSanitizerGuardNode {`
`87`		`- override FlowLabel getALabel() { result = label() }`
`88`	`87`	`}`
`89`	`88`
`90`	`89`	`/**`
`@@ -110,9 +109,10 @@ module TaintedObject {`
`110`	`109`	`)`
`111`	`110`	`}`
`112`	`111`
`113`		`- override predicate sanitizes(boolean outcome, Expr e) {`
	`112`	`+ override predicate sanitizes(boolean outcome, Expr e, FlowLabel label) {`
`114`	`113`	`polarity = outcome and`
`115`		`- e = typeof.getOperand()`
	`114`	`+ e = typeof.getOperand() and`
	`115`	`+ label = label()`
`116`	`116`	`}`
`117`	`117`	`}`
`118`	`118`	`}`
Original file line number	Diff line number	Diff line change
`@@ -142,11 +142,10 @@ module UnvalidatedDynamicMethodCall {`
`142`	`142`	`astNode.getAnOperand().getUnderlyingValue() = t`
`143`	`143`	`}`
`144`	`144`
`145`		`- override predicate sanitizes(boolean outcome, Expr e) {`
	`145`	`+ override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {`
`146`	`146`	`outcome = astNode.getPolarity() and`
`147`		`- e = t.getOperand().getUnderlyingValue()`
	`147`	`+ e = t.getOperand().getUnderlyingValue() and`
	`148`	`+ label instanceof MaybeNonFunction`
`148`	`149`	`}`
`149`		`-`
`150`		`- override DataFlow::FlowLabel getALabel() { result instanceof MaybeNonFunction }`
`151`	`150`	`}`
`152`	`151`	`}`