add simple query for detecting sensitive files downloaded over unsecure connection

erik-krogh · erik-krogh · commit 5b491313ad52 · 2020-06-11T23:19:28.000+02:00
diff --git a/javascript/ql/src/Security/CWE-829/UnsecureDownload.qhelp b/javascript/ql/src/Security/CWE-829/UnsecureDownload.qhelp
@@ -0,0 +1,29 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+	<overview>
+		<p>
+			Placeholder
+		</p>
+
+	</overview>
+	<recommendation>
+
+		<p>
+			Placeholder
+		</p>
+
+	</recommendation>
+	<example>
+
+		<p>
+			Placeholder
+		</p>
+
+	</example>
+
+	<references>
+	</references>
+
+</qhelp>
diff --git a/javascript/ql/src/Security/CWE-829/UnsecureDownload.ql b/javascript/ql/src/Security/CWE-829/UnsecureDownload.ql
@@ -0,0 +1,62 @@
+/**
+ * @name Download of sensitive file through unsecure connection
+ * @description Downloading executeables and other sensitive files over an unsecure connection
+ *              opens up for potential man-in-the-middle attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id js/unsecure-download
+ * @tags security
+ *       external/cwe/cwe-829
+ */
+
+// TODO:
+// package.json urls (ALL package.json urls are sensitive.) - put in separate non-path query?
+// Other protocols?
+// Customizations module
+// An integrity-check is a sanitizer (but what does such a check look like?)
+import javascript
+import DataFlow::PathGraph
+
+class Configuration extends DataFlow::Configuration {
+  Configuration() { this = "HTTP/HTTPS" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(string str | str = source.getStringValue() |
+      str.regexpMatch("http://.*|ftp://.'") and
+      exists(string suffix | suffix = unsafeSuffix() |
+        str.suffix(str.length() - suffix.length() - 1).toLowerCase() = "." + suffix
+      )
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(ClientRequest request | sink = request.getUrl())
+    or
+    exists(SystemCommandExecution cmd |
+      cmd.getACommandArgument().getStringValue() = "curl" or
+      cmd
+          .getACommandArgument()
+          .(StringOps::ConcatenationRoot)
+          .getConstantStringParts()
+          .regexpMatch("curl .*")
+    |
+      sink = cmd.getArgumentList().getALocalSource().getAPropertyWrite().getRhs() or
+      sink = cmd.getACommandArgument().(StringOps::ConcatenationRoot).getALeaf()
+    )
+  }
+}
+
+/**
+ * Gets a file-suffix
+ */
+string unsafeSuffix() {
+  // including arcives, because they often contain source-code.
+  result =
+    ["exe", "dmg", "pkg", "tar.gz", "zip", "sh", "bat", "cmd", "app", "apk", "msi", "dmg", "tar.gz",
+        "zip"]
+}
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Download of file from $@.", source.getNode(), "HTTP source"
diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -620,4 +620,17 @@ module ClientRequest {
 
     override DataFlow::Node getADataNode() { none() }
   }
+
+  /**
+   * A call to `nugget` that downloads one of more files to a destination determined by an options object given as the second argument.
+   */
+  class Nugget extends ClientRequest::Range, DataFlow::CallNode {
+    Nugget() { this = DataFlow::moduleImport("nugget").getACall() }
+
+    override DataFlow::Node getUrl() { result = getArgument(0) }
+
+    override DataFlow::Node getHost() { none() }
+
+    override DataFlow::Node getADataNode() { none() }
+  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-829/UnsecureDownload.expected b/javascript/ql/test/query-tests/Security/CWE-829/UnsecureDownload.expected
@@ -0,0 +1,33 @@
+nodes
+| unsecure-download.js:5:16:5:28 | installer.url |
+| unsecure-download.js:5:16:5:28 | installer.url |
+| unsecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' |
+| unsecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' |
+| unsecure-download.js:15:18:15:40 | buildTo ... llerUrl |
+| unsecure-download.js:30:12:30:42 | "http:/ ... fe.APK" |
+| unsecure-download.js:30:12:30:42 | "http:/ ... fe.APK" |
+| unsecure-download.js:30:12:30:42 | "http:/ ... fe.APK" |
+| unsecure-download.js:36:9:36:45 | url |
+| unsecure-download.js:36:15:36:45 | "http:/ ... fe.APK" |
+| unsecure-download.js:36:15:36:45 | "http:/ ... fe.APK" |
+| unsecure-download.js:37:23:37:25 | url |
+| unsecure-download.js:37:23:37:25 | url |
+| unsecure-download.js:39:26:39:28 | url |
+| unsecure-download.js:39:26:39:28 | url |
+edges
+| unsecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | unsecure-download.js:15:18:15:40 | buildTo ... llerUrl |
+| unsecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | unsecure-download.js:15:18:15:40 | buildTo ... llerUrl |
+| unsecure-download.js:15:18:15:40 | buildTo ... llerUrl | unsecure-download.js:5:16:5:28 | installer.url |
+| unsecure-download.js:15:18:15:40 | buildTo ... llerUrl | unsecure-download.js:5:16:5:28 | installer.url |
+| unsecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | unsecure-download.js:30:12:30:42 | "http:/ ... fe.APK" |
+| unsecure-download.js:36:9:36:45 | url | unsecure-download.js:37:23:37:25 | url |
+| unsecure-download.js:36:9:36:45 | url | unsecure-download.js:37:23:37:25 | url |
+| unsecure-download.js:36:9:36:45 | url | unsecure-download.js:39:26:39:28 | url |
+| unsecure-download.js:36:9:36:45 | url | unsecure-download.js:39:26:39:28 | url |
+| unsecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | unsecure-download.js:36:9:36:45 | url |
+| unsecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | unsecure-download.js:36:9:36:45 | url |
+#select
+| unsecure-download.js:5:16:5:28 | installer.url | unsecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | unsecure-download.js:5:16:5:28 | installer.url | Download of file from $@. | unsecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | HTTP source |
+| unsecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | unsecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | unsecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | Download of file from $@. | unsecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | HTTP source |
+| unsecure-download.js:37:23:37:25 | url | unsecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | unsecure-download.js:37:23:37:25 | url | Download of file from $@. | unsecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | HTTP source |
+| unsecure-download.js:39:26:39:28 | url | unsecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | unsecure-download.js:39:26:39:28 | url | Download of file from $@. | unsecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | HTTP source |
diff --git a/javascript/ql/test/query-tests/Security/CWE-829/UnsecureDownload.qlref b/javascript/ql/test/query-tests/Security/CWE-829/UnsecureDownload.qlref
@@ -0,0 +1 @@
+Security/CWE-829/UnsecureDownload.ql
diff --git a/javascript/ql/test/query-tests/Security/CWE-829/unsecure-download.js b/javascript/ql/test/query-tests/Security/CWE-829/unsecure-download.js
@@ -0,0 +1,40 @@
+const nugget = require('nugget');
+
+function foo() {
+    function downloadTools(installer) {
+        nugget(installer.url, {}, () => { }) // NOT OK
+    }
+    var constants = {
+        buildTools: {
+            installerUrl: 'http://download.microsoft.com/download/5/f/7/5f7acaeb-8363-451f-9425-68a90f98b238/visualcppbuildtools_full.exe'
+        }
+    }
+    function getBuildToolsInstallerPath() {
+        const buildTools = constants.buildTools
+        return {
+            url: buildTools.installerUrl
+        }
+    }
+
+    downloadTools(getBuildToolsInstallerPath())
+}
+
+
+const request = require('request');
+
+function bar() {
+    request('http://www.google.com', function () { }); // OK
+
+    nugget("https://download.microsoft.com/download/5/f/7/5f7acaeb-8363-451f-9425-68a90f98b238/visualcppbuildtools_full.exe") // OK
+
+    nugget("http://example.org/unsafe.APK") // NOT OK
+}
+
+var cp = require("child_process")
+
+function baz() {
+    var url = "http://example.org/unsafe.APK";
+    cp.exec("curl " + url, function () {}); // NOT OK
+
+    cp.execFile("curl", [url], function () {}); // NOT OK
+}
