fix FP in js/path-injection by recognizing more prefix checks

erik-krogh · erik-krogh · commit 279c584bb85f · 2020-01-31T11:03:11.000+01:00
diff --git a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
@@ -47,25 +47,13 @@ abstract class EnumeratedPropName extends DataFlow::Node {
    */
   abstract DataFlow::Node getSourceObject();
 
-  /**
-   * Gets a local reference of the source object.
-   */
-  SourceNode getASourceObjectRef() {
-    exists(SourceNode root, string path |
-      getSourceObject() = AccessPath::getAReferenceTo(root, path) and
-      result = AccessPath::getAReferenceTo(root, path)
-    )
-    or
-    result = getSourceObject().getALocalSource()
-  }
-
   /**
    * Gets a property read that accesses the corresponding property value in the source object.
    *
    * For example, gets `src[key]` in `for (var key in src) { src[key]; }`.
    */
   PropRead getASourceProp() {
-    result = getASourceObjectRef().getAPropertyRead() and
+    result = AccessPath::getASourceAccess(getSourceObject()).getAPropertyRead() and
     result.getPropertyNameExpr().flow().getImmediatePredecessor*() = this
   }
 }
diff --git a/javascript/ql/src/semmle/javascript/GlobalAccessPaths.qll b/javascript/ql/src/semmle/javascript/GlobalAccessPaths.qll
@@ -412,4 +412,16 @@ module AccessPath {
       isAssignedInUniqueFile(name)
     )
   }
+
+  /**
+   * Gets a SourceNode that is accessed using the same access path as the input. 
+   */
+  DataFlow::SourceNode getASourceAccess(DataFlow::Node node) {
+    exists(DataFlow::SourceNode root, string accessPath | 
+      node = AccessPath::getAReferenceTo(root, accessPath) and 
+      result = AccessPath::getAReferenceTo(root, accessPath)
+    )
+    or
+    result = node.getALocalSource()
+  }
 }
diff --git a/javascript/ql/src/semmle/javascript/StringOps.qll b/javascript/ql/src/semmle/javascript/StringOps.qll
@@ -165,10 +165,10 @@ module StringOps {
 
       StartsWith_Substring() {
         astNode.hasOperands(call.asExpr(), substring.asExpr()) and
-        (call.getMethodName() = "substring" or call.getMethodName() = "substr") and
+        (call.getMethodName() = "substring" or call.getMethodName() = "substr" or call.getMethodName() = "slice") and
         call.getNumArgument() = 2 and
         (
-          substring.getALocalSource().getAPropertyRead("length").flowsTo(call.getArgument(1))
+          AccessPath::getASourceAccess(substring).getAPropertyRead("length").flowsTo(call.getArgument(1))
           or
           substring.getStringValue().length() = call.getArgument(1).asExpr().getIntValue()
         )
diff --git a/javascript/ql/test/library-tests/StringOps/StartsWith/StartsWith.expected b/javascript/ql/test/library-tests/StringOps/StartsWith/StartsWith.expected
@@ -14,3 +14,5 @@
 | tst.js:19:9:19:36 | A.subst ...  "web/" | tst.js:19:9:19:9 | A | tst.js:19:31:19:36 | "web/" | true |
 | tst.js:32:9:32:32 | strings ... h(A, B) | tst.js:32:28:32:28 | A | tst.js:32:31:32:31 | B | true |
 | tst.js:33:9:33:47 | strings ... h(A, B) | tst.js:33:43:33:43 | A | tst.js:33:46:33:46 | B | true |
+| tst.js:34:9:34:34 | A.slice ... ) !== B | tst.js:34:9:34:9 | A | tst.js:34:34:34:34 | B | false |
+| tst.js:35:9:35:42 | A.slice ... = B.foo | tst.js:35:9:35:9 | A | tst.js:35:38:35:42 | B.foo | false |
diff --git a/javascript/ql/test/library-tests/StringOps/StartsWith/tst.js b/javascript/ql/test/library-tests/StringOps/StartsWith/tst.js
@@ -31,4 +31,6 @@ function f(A, B) {
 
     if (strings.startsWith(A, B)) {}
     if (strings.caseInsensitiveStartsWith(A, B)) {}
+    if (A.slice(0, B.length) !== B) {}
+    if (A.slice(0, B.foo.length) !== B.foo) {}
 }

Original file line number	Diff line number	Diff line change
`@@ -412,4 +412,16 @@ module AccessPath {`
`412`	`412`	`isAssignedInUniqueFile(name)`
`413`	`413`	`)`
`414`	`414`	`}`
	`415`	`+`
	`416`	`+ /**`
	`417`	`+ * Gets a SourceNode that is accessed using the same access path as the input.`
	`418`	`+ */`
	`419`	`+ DataFlow::SourceNode getASourceAccess(DataFlow::Node node) {`
	`420`	`+ exists(DataFlow::SourceNode root, string accessPath \|`
	`421`	`+ node = AccessPath::getAReferenceTo(root, accessPath) and`
	`422`	`+ result = AccessPath::getAReferenceTo(root, accessPath)`
	`423`	`+ )`
	`424`	`+ or`
	`425`	`+ result = node.getALocalSource()`
	`426`	`+ }`
`415`	`427`	`}`
Original file line number	Diff line number	Diff line change
`@@ -165,10 +165,10 @@ module StringOps {`
`165`	`165`
`166`	`166`	`StartsWith_Substring() {`
`167`	`167`	`astNode.hasOperands(call.asExpr(), substring.asExpr()) and`
`168`		`- (call.getMethodName() = "substring" or call.getMethodName() = "substr") and`
	`168`	`+ (call.getMethodName() = "substring" or call.getMethodName() = "substr" or call.getMethodName() = "slice") and`
`169`	`169`	`call.getNumArgument() = 2 and`
`170`	`170`	`(`
`171`		`- substring.getALocalSource().getAPropertyRead("length").flowsTo(call.getArgument(1))`
	`171`	`+ AccessPath::getASourceAccess(substring).getAPropertyRead("length").flowsTo(call.getArgument(1))`
`172`	`172`	`or`
`173`	`173`	`substring.getStringValue().length() = call.getArgument(1).asExpr().getIntValue()`
`174`	`174`	`)`
Original file line number	Diff line number	Diff line change
`@@ -31,4 +31,6 @@ function f(A, B) {`
`31`	`31`
`32`	`32`	`if (strings.startsWith(A, B)) {}`
`33`	`33`	`if (strings.caseInsensitiveStartsWith(A, B)) {}`
	`34`	`+ if (A.slice(0, B.length) !== B) {}`
	`35`	`+ if (A.slice(0, B.foo.length) !== B.foo) {}`
`34`	`36`	`}`