JS: add query MethodNameInjection

asger-semmle · asger-semmle · commit 2239f863f745 · 2018-11-20T15:57:18.000Z
diff --git a/change-notes/1.19/analysis-javascript.md b/change-notes/1.19/analysis-javascript.md
@@ -24,6 +24,7 @@
 | Enabling Node.js integration for Electron web content renderers (`js/enabling-electron-renderer-node-integration`) | security, frameworks/electron, external/cwe/cwe-094  | Highlights Electron web content renderer preferences with Node.js integration enabled, indicating a violation of [CWE-94](https://cwe.mitre.org/data/definitions/94.html). Results are not shown on LGTM by default. |
 | File data in outbound network request | security, external/cwe/cwe-200 | Highlights locations where file data is sent in a network request. Results are not shown on LGTM by default. |
 | Host header poisoning in email generation |  security, external/cwe/cwe-640 | Highlights code that generates emails with links that can be hijacked by HTTP host header poisoning, indicating a violation of [CWE-640](https://cwe.mitre.org/data/definitions/640.html). Results shown on LGTM by default.  |
+| Method name injection (`js/method-name-injection` ) | security, external/cwe/cwe-094 | Highlights code that invokes a user-controlled method on an object with unsafe methods. |
 | Replacement of a substring with itself (`js/identity-replacement`) | correctness, security, external/cwe/cwe-116 | Highlights string replacements that replace a string with itself, which usually indicates a mistake. Results shown on LGTM by default. |
 | Stored cross-site scripting (`js/stored-xss`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights uncontrolled stored values flowing into HTML content, indicating a violation of [CWE-079](https://cwe.mitre.org/data/definitions/79.html). Results shown on LGTM by default. |
 | Unclear precedence of nested operators (`js/unclear-operator-precedence`) | maintainability, correctness, external/cwe/cwe-783 | Highlights nested binary operators whose relative precedence is easy to misunderstand. Results shown on LGTM by default. |
diff --git a/javascript/ql/src/Security/CWE-094/MethodNameInjection.qhelp b/javascript/ql/src/Security/CWE-094/MethodNameInjection.qhelp
@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Invoking a user-controlled method on certain objects can lead to invocation of unsafe functions,
+such as <code>eval</code> or the <code>Function</code> constructor. In particular, the global object
+contains the <code>eval</code> function, and any function object contains the <code>Function</code> constructor
+in its <code>constructor</code> property.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Avoid invoking user-controlled methods on the global object or on any function object.
+</p>
+</recommendation>
+
+<example>
+<p>
+In the following example, a user-controlled string is used as the method name on a cross-window message handler.
+In this case, a malicious website can embed the page in an iframe, and execute arbitary code in the page by
+sending a message to it with <code>name</code> set to <code>eval</code>.
+</p>
+
+<sample src="examples/MethodNameInjection.js" />
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Code_Injection">Code Injection</a>.
+</li>
+<li>
+MDN: <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects#Function_properties">Global functions</a>.
+</li>
+<li>
+MDN: <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function">Function constructor</a>.
+</li>
+</references>
+</qhelp>
diff --git a/javascript/ql/src/Security/CWE-094/MethodNameInjection.ql b/javascript/ql/src/Security/CWE-094/MethodNameInjection.ql
@@ -0,0 +1,17 @@
+/**
+ * @name Method name injection
+ * @description Invoking user-controlled methods on a arbitrary objects can lead to remote code execution.
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision high
+ * @id js/method-name-injection
+ * @tags security
+ *       external/cwe/cwe-094
+ */
+import javascript
+import semmle.javascript.security.dataflow.MethodNameInjection::MethodNameInjection
+import DataFlow::PathGraph
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink, source, sink, "Invocation of method derived from $@ may lead to remote code execution.", source.getNode(), "user-controlled value"
diff --git a/javascript/ql/src/Security/CWE-094/examples/MethodNameInjection.js b/javascript/ql/src/Security/CWE-094/examples/MethodNameInjection.js
@@ -0,0 +1,4 @@
+window.addEventListener("message", (ev) => {
+    let message = JSON.parse(ev.data);
+    window[message.name](message.payload);
+});
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/MethodNameInjection.qll b/javascript/ql/src/semmle/javascript/security/dataflow/MethodNameInjection.qll
@@ -0,0 +1,148 @@
+/**
+ * Provides a taint tracking configuration for reasoning about method invocations
+ * with a user-controlled method name.
+ */
+
+import javascript
+import semmle.javascript.frameworks.Express
+
+module MethodNameInjection {
+  private import DataFlow::FlowLabel
+  
+  /**
+   * A data flow source for method name injection.
+   */
+  abstract class Source extends DataFlow::Node {
+    /**
+     * Gets the flow label relevant for this source.
+     */
+    DataFlow::FlowLabel getFlowLabel() {
+      result = data()
+    }
+  }
+
+  /**
+   * A data flow sink for method name injection.
+   */
+  abstract class Sink extends DataFlow::Node {
+    /**
+     * Gets the flow label relevant for this sink
+     */
+    abstract DataFlow::FlowLabel getFlowLabel();
+  }
+
+  /**
+   * A sanitizer for method name injection.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * Gets the flow label describing values that may refer to an unsafe
+   * function as a result of an attacker-controlled property name.
+   */
+  UnsafeFunction unsafeFunction() { any() }
+  private class UnsafeFunction extends DataFlow::FlowLabel {
+    UnsafeFunction() { this = "UnsafeFunction" }
+  }
+
+  /**
+   * A taint-tracking configuration for reasoning about method name injection.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "RemotePropertyInjection" }
+
+    override predicate isSource(DataFlow::Node source) {
+      source instanceof Source
+    }
+
+    override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+      sink.(Sink).getFlowLabel() = label
+    }
+
+    override predicate isSanitizer(DataFlow::Node node) {
+      super.isSanitizer(node) or
+      node instanceof Sanitizer
+    }
+
+    /**
+     * Holds if a property of the given object is an unsafe function.
+     */
+    predicate isUnsafeBaseObject(DataFlow::SourceNode node) {
+      // eval an friends can be accessed from the global object.
+      node = DataFlow::globalObjectRef()
+      or
+      // 'constructor' property leads to the Function constructor.
+      node.analyze().getAValue() instanceof AbstractCallable
+      or
+      // Assume that a value that is invoked can refer to a function.
+      exists (node.getAnInvocation()) 
+    }
+
+    /**
+     * Holds if the `node` is of form `Object.create(null)` and so it has no prototype.
+     */
+    predicate isPrototypeLessObject(DataFlow::MethodCallNode node) {
+      node = DataFlow::globalVarRef("Object").getAMethodCall("create") and
+      node.getArgument(0).asExpr() instanceof NullLiteral
+    }
+
+    override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel, DataFlow::FlowLabel dstlabel) {
+      // Reading a property of the global object or of a function
+      exists (DataFlow::PropRead read |
+        isUnsafeBaseObject(read.getBase().getALocalSource()) and
+        src = read.getPropertyNameExpr().flow() and
+        dst = read and
+        srclabel = taint() and
+        dstlabel = unsafeFunction())
+      or
+      // Reading a chain of properties from any object with a prototype can lead to Function
+      exists (PropertyProjection proj |
+        not isPrototypeLessObject(proj.getObject().getALocalSource()) and
+        src = proj.getASelector() and
+        dst = proj and
+        srclabel = taint() and
+        dstlabel = unsafeFunction())
+    }
+  }
+
+  /**
+   * A source of remote user input, considered as a source for method name injection. 
+   */
+  class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  }
+
+  /**
+   * The page URL considered as a flow source for method name injection. 
+   */
+  class DocumentUrlAsSource extends Source {
+    DocumentUrlAsSource() { isDocumentURL(asExpr()) }
+  }
+
+  /**
+   * A function invocation of an unsafe function, as a sink for remote method name injection.
+   */
+  class CalleeAsSink extends Sink {
+    CalleeAsSink() {
+      this = any(DataFlow::InvokeNode node).getCalleeNode()
+    }
+
+    override DataFlow::FlowLabel getFlowLabel() {
+      result = unsafeFunction()
+    }
+  }
+
+  /** 
+   * A binary expression that sanitzes a value for method name injection. That 
+   * is, if a string is prepended or appended to the remote input, an attacker 
+   * cannot access arbitrary properties.  
+   */
+  class ConcatSanitizer extends Sanitizer, DataFlow::ValueNode {
+
+    override BinaryExpr astNode;
+
+    ConcatSanitizer() {
+      astNode.getAnOperand() instanceof ConstantString      
+    }
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/MethodNameInjection/MethodNameInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/MethodNameInjection/MethodNameInjection.expected
@@ -0,0 +1,33 @@
+nodes
+| tst.js:3:37:3:38 | ev |
+| tst.js:4:9:4:37 | message |
+| tst.js:4:19:4:37 | JSON.parse(ev.data) |
+| tst.js:4:30:4:31 | ev |
+| tst.js:4:30:4:36 | ev.data |
+| tst.js:5:5:5:24 | window[message.name] |
+| tst.js:5:12:5:18 | message |
+| tst.js:5:12:5:23 | message.name |
+| tst.js:6:9:6:28 | window[message.name] |
+| tst.js:6:16:6:22 | message |
+| tst.js:6:16:6:27 | message.name |
+| tst.js:10:5:10:19 | f[message.name] |
+| tst.js:10:7:10:13 | message |
+| tst.js:10:7:10:18 | message.name |
+edges
+| tst.js:3:37:3:38 | ev | tst.js:4:30:4:31 | ev |
+| tst.js:4:9:4:37 | message | tst.js:5:12:5:18 | message |
+| tst.js:4:9:4:37 | message | tst.js:6:16:6:22 | message |
+| tst.js:4:9:4:37 | message | tst.js:10:7:10:13 | message |
+| tst.js:4:19:4:37 | JSON.parse(ev.data) | tst.js:4:9:4:37 | message |
+| tst.js:4:30:4:31 | ev | tst.js:4:30:4:36 | ev.data |
+| tst.js:4:30:4:36 | ev.data | tst.js:4:19:4:37 | JSON.parse(ev.data) |
+| tst.js:5:12:5:18 | message | tst.js:5:12:5:23 | message.name |
+| tst.js:5:12:5:23 | message.name | tst.js:5:5:5:24 | window[message.name] |
+| tst.js:6:16:6:22 | message | tst.js:6:16:6:27 | message.name |
+| tst.js:6:16:6:27 | message.name | tst.js:6:9:6:28 | window[message.name] |
+| tst.js:10:7:10:13 | message | tst.js:10:7:10:18 | message.name |
+| tst.js:10:7:10:18 | message.name | tst.js:10:5:10:19 | f[message.name] |
+#select
+| tst.js:5:5:5:24 | window[message.name] | tst.js:3:37:3:38 | ev | tst.js:5:5:5:24 | window[message.name] | Invocation of method derived from $@ may lead to remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value |
+| tst.js:6:9:6:28 | window[message.name] | tst.js:3:37:3:38 | ev | tst.js:6:9:6:28 | window[message.name] | Invocation of method derived from $@ may lead to remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value |
+| tst.js:10:5:10:19 | f[message.name] | tst.js:3:37:3:38 | ev | tst.js:10:5:10:19 | f[message.name] | Invocation of method derived from $@ may lead to remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/MethodNameInjection/MethodNameInjection.qlref b/javascript/ql/test/query-tests/Security/CWE-094/MethodNameInjection/MethodNameInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-094/MethodNameInjection.ql
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/MethodNameInjection/tst.js b/javascript/ql/test/query-tests/Security/CWE-094/MethodNameInjection/tst.js
@@ -0,0 +1,13 @@
+let obj = {};
+
+window.addEventListener('message', (ev) => {
+    let message = JSON.parse(ev.data);
+    window[message.name](message.payload); // NOT OK - may invoke eval
+    new window[message.name](message.payload); // NOT OK - may invoke jQuery $ function or similar
+    window["HTMLElement" + message.name](message.payload); // OK - concatenation restricts choice of methods
+    
+    function f() {}
+    f[message.name](message.payload)(); // NOT OK - may acccess Function constructor
+    
+    obj[message.name](message.payload); // OK - may crash, but no code execution involved
+});

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Security/CWE-094/MethodNameInjection.ql`