|
| 1 | +/** |
| 2 | + * Provides a taint tracking configuration for reasoning about |
| 3 | + * resource exhaustion vulnerabilities (CWE-770). |
| 4 | + * |
| 5 | + * Note, for performance reasons: only import this file if |
| 6 | + * `ResourceExhaustion::Configuration` is needed, otherwise |
| 7 | + * `ResourceExhaustionCustomizations` should be imported instead. |
| 8 | + */ |
| 9 | + |
| 10 | +import javascript |
| 11 | +import semmle.javascript.security.dataflow.LoopBoundInjectionCustomizations |
| 12 | +import ResourceExhaustionCustomizations::ResourceExhaustion |
| 13 | + |
| 14 | +/** |
| 15 | + * A data flow configuration for resource exhaustion vulnerabilities. |
| 16 | + */ |
| 17 | +class Configuration extends TaintTracking::Configuration { |
| 18 | + Configuration() { this = "ResourceExhaustion" } |
| 19 | + |
| 20 | + override predicate isSource(DataFlow::Node source) { source instanceof Source } |
| 21 | + |
| 22 | + override predicate isSink(DataFlow::Node sink) { sink instanceof Sink } |
| 23 | + |
| 24 | + override predicate isSanitizer(DataFlow::Node node) { |
| 25 | + super.isSanitizer(node) or |
| 26 | + node instanceof Sanitizer |
| 27 | + } |
| 28 | + |
| 29 | + override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node dst) { |
| 30 | + isNumericFlowStep(src, dst) |
| 31 | + or |
| 32 | + // reuse most existing taint steps |
| 33 | + isRestrictedAdditionalTaintStep(src, dst) |
| 34 | + } |
| 35 | + |
| 36 | + override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { |
| 37 | + guard instanceof LoopBoundInjection::LengthCheckSanitizerGuard or |
| 38 | + guard instanceof UpperBoundsCheckSanitizerGuard |
| 39 | + } |
| 40 | +} |
| 41 | + |
| 42 | +predicate isRestrictedAdditionalTaintStep(DataFlow::Node src, DataFlow::Node dst) { |
| 43 | + TaintTracking::sharedTaintStep(src, dst) and |
| 44 | + not dst.asExpr() instanceof AddExpr and |
| 45 | + not dst.(DataFlow::MethodCallNode).calls(src, "toString") |
| 46 | +} |
| 47 | + |
| 48 | +/** |
| 49 | + * Holds if data may flow from `src` to `dst` as a number. |
| 50 | + */ |
| 51 | +predicate isNumericFlowStep(DataFlow::Node src, DataFlow::Node dst) { |
| 52 | + // steps that introduce or preserve a number |
| 53 | + dst.(DataFlow::PropRead).accesses(src, ["length", "size"]) |
| 54 | + or |
| 55 | + exists(DataFlow::CallNode c | |
| 56 | + c = dst and |
| 57 | + src = c.getAnArgument() |
| 58 | + | |
| 59 | + c = DataFlow::globalVarRef("Math").getAMemberCall(_) or |
| 60 | + c = DataFlow::globalVarRef(["Number", "parseInt", "parseFloat"]).getACall() |
| 61 | + ) |
| 62 | + or |
| 63 | + exists(Expr dstExpr, Expr srcExpr | |
| 64 | + dstExpr = dst.asExpr() and |
| 65 | + srcExpr = src.asExpr() |
| 66 | + | |
| 67 | + dstExpr.(BinaryExpr).getAnOperand() = srcExpr and |
| 68 | + not dstExpr instanceof AddExpr |
| 69 | + or |
| 70 | + dstExpr.(PlusExpr).getOperand() = srcExpr |
| 71 | + ) |
| 72 | +} |
0 commit comments