Merge remote-tracking branch 'upstream/main' into work

Dave Bartolomeo · Dave Bartolomeo · commit 2eaa4a4ecf97 · 2020-10-19T15:19:03.000-04:00
diff --git a/change-notes/1.26/analysis-javascript.md b/change-notes/1.26/analysis-javascript.md
@@ -8,7 +8,9 @@
   - [@angular/*](https://www.npmjs.com/package/@angular/core)
   - [AWS Serverless](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html)
   - [Alibaba Serverless](https://www.alibabacloud.com/help/doc-detail/156876.htm)
+  - [debounce](https://www.npmjs.com/package/debounce)
   - [bluebird](https://www.npmjs.com/package/bluebird)
+  - [call-limit](https://www.npmjs.com/package/call-limit)
   - [express](https://www.npmjs.com/package/express)
   - [fast-json-stable-stringify](https://www.npmjs.com/package/fast-json-stable-stringify)
   - [fast-safe-stringify](https://www.npmjs.com/package/fast-safe-stringify)
@@ -18,11 +20,15 @@
   - [json-stable-stringify](https://www.npmjs.com/package/json-stable-stringify)
   - [json-stringify-safe](https://www.npmjs.com/package/json-stringify-safe)
   - [json3](https://www.npmjs.com/package/json3)
+  - [jQuery throttle / debounce](https://github.com/cowboy/jquery-throttle-debounce)
   - [lodash](https://www.npmjs.com/package/lodash)
+  - [lodash.debounce](https://www.npmjs.com/package/lodash.debounce)
+  - [lodash.throttle](https://www.npmjs.com/package/lodash.throttle)
   - [needle](https://www.npmjs.com/package/needle)
   - [object-inspect](https://www.npmjs.com/package/object-inspect)
   - [pretty-format](https://www.npmjs.com/package/pretty-format)
   - [stringify-object](https://www.npmjs.com/package/stringify-object)
+  - [throttle-debounce](https://www.npmjs.com/package/throttle-debounce)
   - [underscore](https://www.npmjs.com/package/underscore)
 
 * Analyzing files with the ".cjs" extension is now supported.
@@ -46,6 +52,7 @@
 | Unsafe jQuery plugin (`js/unsafe-jquery-plugin`) | More results | This query now detects more unsafe uses of nested option properties. |
 | Client-side URL redirect (`js/client-side-unvalidated-url-redirection`) | More results | This query now recognizes some unsafe uses of `importScripts()` inside WebWorkers. |
 | Missing CSRF middleware (`js/missing-token-validation`) | More results | This query now recognizes writes to cookie and session variables as potentially vulnerable to CSRF attacks. |
+| Missing CSRF middleware (`js/missing-token-validation`) | Fewer results | This query now recognizes more ways of protecting against CSRF attacks. |
 
 
 ## Changes to libraries
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.cpp b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.cpp
@@ -4,3 +4,5 @@ long j = i * i; //Wrong: due to overflow on the multiplication between ints,
 
 long k = (long) i * i; //Correct: the multiplication is done on longs instead of ints, 
                        //and will not overflow
+
+long l = static_cast<long>(i) * i; //Correct: modern C++
diff --git a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
@@ -15,7 +15,7 @@ import javascript
 /** Gets a property name of `req` which refers to data usually derived from cookie data. */
 string cookieProperty() { result = "session" or result = "cookies" or result = "user" }
 
-/** Gets a data flow node that flows to the base of an access to `cookies`, `session`, or `user`. */
+/** Gets a data flow node that flows to the base of a reference to `cookies`, `session`, or `user`. */
 private DataFlow::SourceNode nodeLeadingToCookieAccess(DataFlow::TypeBackTracker t) {
   t.start() and
   exists(DataFlow::PropRef value |
@@ -94,14 +94,78 @@ DataFlow::CallNode csrfMiddlewareCreation() {
     exists(result.getOptionArgument(0, "csrf"))
     or
     callee = DataFlow::moduleMember("lusca", "csrf")
+    or
+    callee = DataFlow::moduleMember("express", "csrf")
+  )
+}
+
+/**
+ * Gets a data flow node that flows to the base of a write to `cookies`, `session`, or `user`,
+ * where the written property has `csrf` or `xsrf` in its name.
+ */
+private DataFlow::SourceNode nodeLeadingToCsrfWrite(DataFlow::TypeBackTracker t) {
+  t.start() and
+  result
+      .getAPropertyRead(cookieProperty())
+      .getAPropertyWrite()
+      .getPropertyName()
+      .regexpMatch("(?i).*(csrf|xsrf).*")
+  or
+  exists(DataFlow::TypeBackTracker t2 | result = nodeLeadingToCsrfWrite(t2).backtrack(t2, t))
+}
+
+/**
+ * Gets a route handler that sets an CSRF related cookie.
+ */
+private Express::RouteHandler getAHandlerSettingCsrfCookie() {
+  exists(HTTP::CookieDefinition setCookie |
+    setCookie.getNameArgument().getStringValue().regexpMatch("(?i).*(csrf|xsrf).*") and
+    result = setCookie.getRouteHandler()
+  )
+}
+
+/**
+ * Holds if `handler` is protecting from CSRF.
+ * This is indicated either by the request parameter having a CSRF related write to a session variable.
+ * Or by the response parameter setting a CSRF related cookie.
+ */
+predicate isCsrfProtectionRouteHandler(Express::RouteHandler handler) {
+  DataFlow::parameterNode(handler.getRequestParameter()) =
+    nodeLeadingToCsrfWrite(DataFlow::TypeBackTracker::end())
+  or
+  handler = getAHandlerSettingCsrfCookie()
+}
+
+/** Gets a data flow node refering to a route handler that is protecting against CSRF. */
+private DataFlow::SourceNode getACsrfProtectionRouteHandler(DataFlow::TypeTracker t) {
+  t.start() and
+  isCsrfProtectionRouteHandler(result)
+  or
+  exists(DataFlow::TypeTracker t2, DataFlow::SourceNode pred |
+    pred = getACsrfProtectionRouteHandler(t2)
+  |
+    result = pred.track(t2, t)
+    or
+    t = t2 and
+    HTTP::routeHandlerStep(pred, result)
   )
 }
 
+/**
+ * Gets an express route handler expression that is either a custom CSRF protection middleware,
+ * or a CSRF protecting library.
+ */
+Express::RouteHandlerExpr getACsrfMiddleware() {
+  csrfMiddlewareCreation().flowsToExpr(result)
+  or
+  getACsrfProtectionRouteHandler(DataFlow::TypeTracker::end()).flowsToExpr(result)
+}
+
 /**
  * Holds if the given route handler is protected by CSRF middleware.
  */
 predicate hasCsrfMiddleware(Express::RouteHandlerExpr handler) {
-  csrfMiddlewareCreation().flowsToExpr(handler.getAMatchingAncestor())
+  getACsrfMiddleware() = handler.getAMatchingAncestor()
 }
 
 from
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -1379,6 +1379,46 @@ module PartialInvokeNode {
     }
   }
 
+  /**
+   * A partial call that behaves like a throttle call, like `require("call-limit")(fs, limit)` or `_.memoize`.
+   * Seen as a partial invocation that binds no arguments.
+   */
+  private class ThrottleLikePartialCall extends PartialInvokeNode::Range, DataFlow::CallNode {
+    int callbackIndex;
+
+    ThrottleLikePartialCall() {
+      callbackIndex = 0 and
+      (
+        this = LodashUnderscore::member(["throttle", "debounce", "once", "memoize"]).getACall()
+        or
+        this = DataFlow::moduleImport(["call-limit", "debounce"]).getACall()
+      )
+      or
+      callbackIndex = 1 and
+      (
+        this = LodashUnderscore::member(["after", "before"]).getACall()
+        or
+        // not jQuery: https://github.com/cowboy/jquery-throttle-debounce
+        this = DataFlow::globalVarRef("$").getAMemberCall(["throttle", "debounce"])
+      )
+      or
+      callbackIndex = -1 and
+      this = DataFlow::moduleMember("throttle-debounce", ["debounce", "throttle"]).getACall()
+    }
+
+    override DataFlow::SourceNode getBoundFunction(DataFlow::Node callback, int boundArgs) {
+      (
+        callbackIndex >= 0 and
+        callback = getArgument(callbackIndex)
+        or
+        callbackIndex = -1 and
+        callback = getLastArgument()
+      ) and
+      boundArgs = 0 and
+      result = this
+    }
+  }
+
   /**
    * A partial call through `ramda.partial`.
    */
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Express.qll b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
@@ -718,7 +718,7 @@ module Express {
   /**
    * An invocation of the `cookie` method on an HTTP response object.
    */
-  private class SetCookie extends HTTP::CookieDefinition, MethodCallExpr {
+  class SetCookie extends HTTP::CookieDefinition, MethodCallExpr {
     RouteHandler rh;
 
     SetCookie() { calls(rh.getAResponseExpr(), "cookie") }
diff --git a/javascript/ql/test/library-tests/InterProceduralFlow/DataFlow.expected b/javascript/ql/test/library-tests/InterProceduralFlow/DataFlow.expected
@@ -32,10 +32,18 @@
 | partial.js:5:15:5:24 | "tainted1" | partial.js:15:15:15:15 | x |
 | partial.js:5:15:5:24 | "tainted1" | partial.js:21:15:21:15 | x |
 | partial.js:5:15:5:24 | "tainted1" | partial.js:27:15:27:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:34:15:34:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:41:15:41:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:47:15:47:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:53:15:53:15 | x |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:10:15:10:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:16:15:16:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:22:15:22:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:28:15:28:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:35:15:35:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:42:15:42:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:48:15:48:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:54:15:54:15 | y |
 | promises.js:2:16:2:24 | "tainted" | promises.js:7:16:7:18 | val |
 | promises.js:2:16:2:24 | "tainted" | promises.js:38:32:38:32 | v |
 | promises.js:11:22:11:31 | "resolved" | promises.js:19:20:19:20 | v |
diff --git a/javascript/ql/test/library-tests/InterProceduralFlow/GermanFlow.expected b/javascript/ql/test/library-tests/InterProceduralFlow/GermanFlow.expected
@@ -33,10 +33,18 @@
 | partial.js:5:15:5:24 | "tainted1" | partial.js:15:15:15:15 | x |
 | partial.js:5:15:5:24 | "tainted1" | partial.js:21:15:21:15 | x |
 | partial.js:5:15:5:24 | "tainted1" | partial.js:27:15:27:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:34:15:34:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:41:15:41:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:47:15:47:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:53:15:53:15 | x |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:10:15:10:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:16:15:16:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:22:15:22:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:28:15:28:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:35:15:35:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:42:15:42:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:48:15:48:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:54:15:54:15 | y |
 | promises.js:2:16:2:24 | "tainted" | promises.js:7:16:7:18 | val |
 | promises.js:2:16:2:24 | "tainted" | promises.js:38:32:38:32 | v |
 | promises.js:11:22:11:31 | "resolved" | promises.js:19:20:19:20 | v |
diff --git a/javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.expected b/javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.expected
@@ -38,10 +38,18 @@
 | partial.js:5:15:5:24 | "tainted1" | partial.js:15:15:15:15 | x |
 | partial.js:5:15:5:24 | "tainted1" | partial.js:21:15:21:15 | x |
 | partial.js:5:15:5:24 | "tainted1" | partial.js:27:15:27:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:34:15:34:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:41:15:41:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:47:15:47:15 | x |
+| partial.js:5:15:5:24 | "tainted1" | partial.js:53:15:53:15 | x |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:10:15:10:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:16:15:16:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:22:15:22:15 | y |
 | partial.js:6:15:6:24 | "tainted2" | partial.js:28:15:28:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:35:15:35:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:42:15:42:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:48:15:48:15 | y |
+| partial.js:6:15:6:24 | "tainted2" | partial.js:54:15:54:15 | y |
 | promises.js:2:16:2:24 | "tainted" | promises.js:7:16:7:18 | val |
 | promises.js:2:16:2:24 | "tainted" | promises.js:38:32:38:32 | v |
 | promises.js:11:22:11:31 | "resolved" | promises.js:19:20:19:20 | v |
diff --git a/javascript/ql/test/library-tests/InterProceduralFlow/partial.js b/javascript/ql/test/library-tests/InterProceduralFlow/partial.js
@@ -28,3 +28,29 @@ function f4(x, y) {
   let sink2 = y;
 }
 R.partial(f4, [source1])(source2);
+
+const limit = require('call-limit')
+function f5(x, y) {
+  let sink1 = x;
+  let sink2 = y;
+}
+const limited = limit(f5, 5)
+limited(source1, source2);
+
+function f6(x, y) {
+  let sink1 = x;
+  let sink2 = y;
+}
+_.throttle(f6, 100)(source1, source2);
+
+function f7(x, y) {
+  let sink1 = x;
+  let sink2 = y;
+}
+_.after(3, f7)(source1, source2);
+
+function f8(x, y) {
+  let sink1 = x;
+  let sink2 = y;
+}
+require("throttle-debounce").debounce(1000, false, f8)(source1, source2);
diff --git a/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddlewareGood2.js b/javascript/ql/test/query-tests/Security/CWE-352/MissingCsrfMiddlewareGood2.js
@@ -0,0 +1,92 @@
+var express = require('express');
+var cookieParser = require('cookie-parser');
+var passport = require('passport');
+
+(function () {
+
+    var app = express()
+
+    app.use(cookieParser())
+    app.use(passport.authorize({ session: true }))
+
+    function getCsrfToken(request) {
+        return request.headers['x-xsrf-token'];
+    }
+
+    function setCsrfToken(request, response, next) {
+        response.cookie('XSRF-TOKEN', request.csrfToken());
+        next();
+    }
+
+    const csrf = {
+        getCsrfToken: getCsrfToken,
+        setCsrfToken: setCsrfToken
+    };
+
+    app.use(express.csrf({ value: csrf.getCsrfToken }));
+    app.use(csrf.setCsrfToken);
+
+    app.post('/changeEmail', function (req, res) {
+        let newEmail = req.cookies["newEmail"];
+    })
+});
+
+
+
+(function () {
+    var app = express()
+
+    app.use(cookieParser())
+    app.use(passport.authorize({ session: true }))
+
+    var crypto = require('crypto');
+
+    var generateToken = function (len) {
+        return crypto.randomBytes(Math.ceil(len * 3 / 4))
+            .toString('base64')
+            .slice(0, len);
+    };
+    function defaultValue(req) {
+        return (req.body && req.body._csrf)
+            || (req.query && req.query._csrf)
+            || (req.headers['x-csrf-token']);
+    }
+    var checkToken = function (req, res, next) {
+        var token = req.session._csrf || (req.session._csrf = generateToken(24));
+        if ('GET' == req.method || 'HEAD' == req.method || 'OPTIONS' == req.method) return next();
+        var val = defaultValue(req);
+        if (val != token) return next(function () {
+            res.send({ auth: false });
+        });
+        next();
+    }
+    const csrf = {
+        check: checkToken
+    };
+
+    app.use(express.cookieParser());
+    app.use(express.session({ secret: 'thomasdavislovessalmon' }));
+    app.use(express.bodyParser());
+    app.use(csrf.check);
+
+    app.post('/changeEmail', function (req, res) {
+        let newEmail = req.cookies["newEmail"];
+    })
+});
+
+(function () {
+
+    var app = express()
+
+    app.use(cookieParser())
+    app.use(passport.authorize({ session: true }))
+
+    // Assume token is being set somewhere
+    app.use(express.csrf({ value: function (request) {
+        return request.headers['x-xsrf-token'];
+    }}));
+
+    app.post('/changeEmail', function (req, res) {
+        let newEmail = req.cookies["newEmail"];
+    })
+});
