Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 547a8a9

Browse files
asgerfasgerf
committed
JS: Port SqlInjection
1 parent 65e9706 commit 547a8a9

5 files changed

Lines changed: 497 additions & 736 deletions

File tree

javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll

Lines changed: 54 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,57 @@ import NosqlInjectionCustomizations::NosqlInjection
1414
/**
1515
* A taint-tracking configuration for reasoning about SQL-injection vulnerabilities.
1616
*/
17-
class Configuration extends TaintTracking::Configuration {
17+
module NosqlInjectionConfig implements DataFlow::StateConfigSig {
18+
class FlowState = DataFlow::FlowLabel;
19+
20+
predicate isSource(DataFlow::Node source, DataFlow::FlowLabel state) {
21+
source instanceof Source and state.isTaint()
22+
or
23+
TaintedObject::isSource(source, state)
24+
}
25+
26+
predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel state) {
27+
sink.(Sink).getAFlowLabel() = state
28+
}
29+
30+
predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel state) {
31+
node instanceof Sanitizer and state.isTaint()
32+
or
33+
TaintTracking::defaultSanitizer(node) and state.isTaint()
34+
or
35+
node = TaintedObject::SanitizerGuard::getABarrierNode(state)
36+
}
37+
38+
predicate isAdditionalFlowStep(
39+
DataFlow::Node node1, DataFlow::FlowLabel state1, DataFlow::Node node2,
40+
DataFlow::FlowLabel state2
41+
) {
42+
TaintedObject::step(node1, node2, state1, state2)
43+
or
44+
// additional flow step to track taint through NoSQL query objects
45+
state1 = TaintedObject::label() and
46+
state2 = TaintedObject::label() and
47+
exists(NoSql::Query query, DataFlow::SourceNode queryObj |
48+
queryObj.flowsTo(query) and
49+
queryObj.flowsTo(node2) and
50+
node1 = queryObj.getAPropertyWrite().getRhs()
51+
)
52+
or
53+
TaintTracking::defaultTaintStep(node1, node2) and
54+
state1.isTaint() and
55+
state2 = state1
56+
}
57+
}
58+
59+
/**
60+
* Taint-tracking for reasoning about SQL-injection vulnerabilities.
61+
*/
62+
module NosqlInjectionFlow = DataFlow::GlobalWithState<NosqlInjectionConfig>;
63+
64+
/**
65+
* DEPRECATED. Use the `NosqlInjectionFlow` module instead.
66+
*/
67+
deprecated class Configuration extends TaintTracking::Configuration {
1868
Configuration() { this = "NosqlInjection" }
1969

2070
override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -37,17 +87,9 @@ class Configuration extends TaintTracking::Configuration {
3787
}
3888

3989
override predicate isAdditionalFlowStep(
40-
DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
90+
DataFlow::Node node1, DataFlow::Node node2, DataFlow::FlowLabel state1,
91+
DataFlow::FlowLabel state2
4192
) {
42-
TaintedObject::step(src, trg, inlbl, outlbl)
43-
or
44-
// additional flow step to track taint through NoSQL query objects
45-
inlbl = TaintedObject::label() and
46-
outlbl = TaintedObject::label() and
47-
exists(NoSql::Query query, DataFlow::SourceNode queryObj |
48-
queryObj.flowsTo(query) and
49-
queryObj.flowsTo(trg) and
50-
src = queryObj.getAPropertyWrite().getRhs()
51-
)
93+
NosqlInjectionConfig::isAdditionalFlowStep(node1, state1, node2, state2)
5294
}
5395
}

javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll

Lines changed: 30 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -13,19 +13,14 @@ import SqlInjectionCustomizations::SqlInjection
1313
/**
1414
* A taint-tracking configuration for reasoning about string based query injection vulnerabilities.
1515
*/
16-
class Configuration extends TaintTracking::Configuration {
17-
Configuration() { this = "SqlInjection" }
18-
19-
override predicate isSource(DataFlow::Node source) { source instanceof Source }
16+
module SqlInjectionConfig implements DataFlow::ConfigSig {
17+
predicate isSource(DataFlow::Node source) { source instanceof Source }
2018

21-
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
19+
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
2220

23-
override predicate isSanitizer(DataFlow::Node node) {
24-
super.isSanitizer(node) or
25-
node instanceof Sanitizer
26-
}
21+
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
2722

28-
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
23+
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
2924
exists(LdapJS::TaintPreservingLdapFilterStep filter |
3025
pred = filter.getInput() and
3126
succ = filter.getOutput()
@@ -37,3 +32,28 @@ class Configuration extends TaintTracking::Configuration {
3732
)
3833
}
3934
}
35+
36+
/**
37+
* Taint-tracking for reasoning about string based query injection vulnerabilities.
38+
*/
39+
module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;
40+
41+
/**
42+
* DEPRECATED. Use the `SqlInjectionFlow` module instead.
43+
*/
44+
deprecated class Configuration extends TaintTracking::Configuration {
45+
Configuration() { this = "SqlInjection" }
46+
47+
override predicate isSource(DataFlow::Node source) { source instanceof Source }
48+
49+
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
50+
51+
override predicate isSanitizer(DataFlow::Node node) {
52+
super.isSanitizer(node) or
53+
node instanceof Sanitizer
54+
}
55+
56+
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
57+
SqlInjectionConfig::isAdditionalFlowStep(pred, succ)
58+
}
59+
}

javascript/ql/src/Security/CWE-089/SqlInjection.ql

Lines changed: 16 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -14,17 +14,23 @@
1414
*/
1515

1616
import javascript
17-
import semmle.javascript.security.dataflow.SqlInjectionQuery as SqlInjection
18-
import semmle.javascript.security.dataflow.NosqlInjectionQuery as NosqlInjection
19-
import DataFlow::PathGraph
17+
import semmle.javascript.security.dataflow.SqlInjectionQuery as Sql
18+
import semmle.javascript.security.dataflow.NosqlInjectionQuery as Nosql
2019

21-
from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string type
20+
module Merged =
21+
DataFlow::MergePathGraph<Sql::SqlInjectionFlow::PathNode, Nosql::NosqlInjectionFlow::PathNode,
22+
Sql::SqlInjectionFlow::PathGraph, Nosql::NosqlInjectionFlow::PathGraph>;
23+
24+
import DataFlow::DeduplicatePathGraph<Merged::PathNode, Merged::PathGraph>
25+
26+
from PathNode source, PathNode sink, string type
2227
where
23-
(
24-
cfg instanceof SqlInjection::Configuration and type = "string"
25-
or
26-
cfg instanceof NosqlInjection::Configuration and type = "object"
27-
) and
28-
cfg.hasFlowPath(source, sink)
28+
Sql::SqlInjectionFlow::flowPath(source.getAnOriginalPathNode().asPathNode1(),
29+
sink.getAnOriginalPathNode().asPathNode1()) and
30+
type = "string"
31+
or
32+
Nosql::NosqlInjectionFlow::flowPath(source.getAnOriginalPathNode().asPathNode2(),
33+
sink.getAnOriginalPathNode().asPathNode2()) and
34+
type = "object"
2935
select sink.getNode(), source, sink, "This query " + type + " depends on a $@.", source.getNode(),
3036
"user-provided value"

javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected

Lines changed: 15 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -1,41 +1,32 @@
11
nodes
2-
| typedClient.ts:13:7:13:32 | v |
3-
| typedClient.ts:13:11:13:32 | JSON.pa ... body.x) |
4-
| typedClient.ts:13:22:13:29 | req.body |
5-
| typedClient.ts:13:22:13:29 | req.body |
6-
| typedClient.ts:13:22:13:31 | req.body.x |
7-
| typedClient.ts:14:24:14:32 | { id: v } |
8-
| typedClient.ts:14:24:14:32 | { id: v } |
9-
| typedClient.ts:14:30:14:30 | v |
10-
| typedClient.ts:21:7:21:32 | v |
11-
| typedClient.ts:21:11:21:32 | JSON.pa ... body.x) |
12-
| typedClient.ts:21:22:21:29 | req.body |
13-
| typedClient.ts:21:22:21:29 | req.body |
14-
| typedClient.ts:21:22:21:31 | req.body.x |
15-
| typedClient.ts:22:27:22:35 | { id: v } |
16-
| typedClient.ts:22:27:22:35 | { id: v } |
17-
| typedClient.ts:22:33:22:33 | v |
18-
| typedClient.ts:23:27:23:35 | { id: v } |
19-
| typedClient.ts:23:27:23:35 | { id: v } |
20-
| typedClient.ts:23:33:23:33 | v |
2+
| typedClient.ts:13:7:13:32 | v | semmle.label | v |
3+
| typedClient.ts:13:11:13:32 | JSON.pa ... body.x) | semmle.label | JSON.pa ... body.x) |
4+
| typedClient.ts:13:22:13:29 | req.body | semmle.label | req.body |
5+
| typedClient.ts:13:22:13:31 | req.body.x | semmle.label | req.body.x |
6+
| typedClient.ts:14:24:14:32 | { id: v } | semmle.label | { id: v } |
7+
| typedClient.ts:14:30:14:30 | v | semmle.label | v |
8+
| typedClient.ts:21:7:21:32 | v | semmle.label | v |
9+
| typedClient.ts:21:11:21:32 | JSON.pa ... body.x) | semmle.label | JSON.pa ... body.x) |
10+
| typedClient.ts:21:22:21:29 | req.body | semmle.label | req.body |
11+
| typedClient.ts:21:22:21:31 | req.body.x | semmle.label | req.body.x |
12+
| typedClient.ts:22:27:22:35 | { id: v } | semmle.label | { id: v } |
13+
| typedClient.ts:22:33:22:33 | v | semmle.label | v |
14+
| typedClient.ts:23:27:23:35 | { id: v } | semmle.label | { id: v } |
15+
| typedClient.ts:23:33:23:33 | v | semmle.label | v |
2116
edges
2217
| typedClient.ts:13:7:13:32 | v | typedClient.ts:14:30:14:30 | v |
2318
| typedClient.ts:13:11:13:32 | JSON.pa ... body.x) | typedClient.ts:13:7:13:32 | v |
2419
| typedClient.ts:13:22:13:29 | req.body | typedClient.ts:13:22:13:31 | req.body.x |
25-
| typedClient.ts:13:22:13:29 | req.body | typedClient.ts:13:22:13:31 | req.body.x |
2620
| typedClient.ts:13:22:13:31 | req.body.x | typedClient.ts:13:11:13:32 | JSON.pa ... body.x) |
2721
| typedClient.ts:14:30:14:30 | v | typedClient.ts:14:24:14:32 | { id: v } |
28-
| typedClient.ts:14:30:14:30 | v | typedClient.ts:14:24:14:32 | { id: v } |
2922
| typedClient.ts:21:7:21:32 | v | typedClient.ts:22:33:22:33 | v |
3023
| typedClient.ts:21:7:21:32 | v | typedClient.ts:23:33:23:33 | v |
3124
| typedClient.ts:21:11:21:32 | JSON.pa ... body.x) | typedClient.ts:21:7:21:32 | v |
3225
| typedClient.ts:21:22:21:29 | req.body | typedClient.ts:21:22:21:31 | req.body.x |
33-
| typedClient.ts:21:22:21:29 | req.body | typedClient.ts:21:22:21:31 | req.body.x |
3426
| typedClient.ts:21:22:21:31 | req.body.x | typedClient.ts:21:11:21:32 | JSON.pa ... body.x) |
3527
| typedClient.ts:22:33:22:33 | v | typedClient.ts:22:27:22:35 | { id: v } |
36-
| typedClient.ts:22:33:22:33 | v | typedClient.ts:22:27:22:35 | { id: v } |
37-
| typedClient.ts:23:33:23:33 | v | typedClient.ts:23:27:23:35 | { id: v } |
3828
| typedClient.ts:23:33:23:33 | v | typedClient.ts:23:27:23:35 | { id: v } |
29+
subpaths
3930
#select
4031
| typedClient.ts:14:24:14:32 | { id: v } | typedClient.ts:13:22:13:29 | req.body | typedClient.ts:14:24:14:32 | { id: v } | This query object depends on a $@. | typedClient.ts:13:22:13:29 | req.body | user-provided value |
4132
| typedClient.ts:22:27:22:35 | { id: v } | typedClient.ts:21:22:21:29 | req.body | typedClient.ts:22:27:22:35 | { id: v } | This query object depends on a $@. | typedClient.ts:21:22:21:29 | req.body | user-provided value |

0 commit comments

Comments
 (0)