JS: Port UnsafeHtmlConstruction

asgerf · asgerf · commit 6e3f4bd7d864 · 2023-10-13T13:15:06.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -61,6 +61,30 @@ module UnsafeHtmlConstruction {
     abstract string describe();
   }
 
+  /**
+   * A barrier guard for unsafe HTML constructed from library input vulnerabilities.
+   */
+  abstract class BarrierGuard extends DataFlow::Node {
+    /**
+     * Holds if this node acts as a barrier for data flow, blocking further flow from `e` if `this` evaluates to `outcome`.
+     */
+    predicate blocksExpr(boolean outcome, Expr e) { none() }
+
+    /**
+     * Holds if this node acts as a barrier for `label`, blocking further flow from `e` if `this` evaluates to `outcome`.
+     */
+    predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) { none() }
+  }
+
+  /** A subclass of `BarrierGuard` that is used for backward compatibility with the old data flow library. */
+  abstract class BarrierGuardLegacy extends BarrierGuard, TaintTracking::SanitizerGuardNode {
+    override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+
+    override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      this.blocksExpr(outcome, e, label)
+    }
+  }
+
   /**
    * A sink for `js/html-constructed-from-input` that constructs some HTML where
    * that HTML is later used in `xssSink`.
@@ -176,14 +200,14 @@ module UnsafeHtmlConstruction {
   }
 
   /** A test for the value of `typeof x`, restricting the potential types of `x`. */
-  class TypeTestGuard extends TaintTracking::LabeledSanitizerGuardNode, DataFlow::ValueNode {
+  class TypeTestGuard extends BarrierGuardLegacy, DataFlow::ValueNode {
     override EqualityTest astNode;
     Expr operand;
     boolean polarity;
 
     TypeTestGuard() { TaintTracking::isStringTypeGuard(astNode, operand, polarity) }
 
-    override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel lbl) {
+    override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel lbl) {
       polarity = outcome and
       e = operand and
       lbl.isTaint()
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
@@ -12,7 +12,66 @@ import semmle.javascript.security.TaintedObject
 /**
  * A taint-tracking configuration for reasoning about unsafe HTML constructed from library input vulnerabilities.
  */
-class Configration extends TaintTracking::Configuration {
+module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowLabel;
+
+  predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+    source instanceof Source and
+    label = [TaintedObject::label(), DataFlow::FlowLabel::taint(), DataFlow::FlowLabel::data()]
+  }
+
+  predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+    sink instanceof Sink and
+    label = DataFlow::FlowLabel::taint()
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof DomBasedXss::Sanitizer
+    or
+    node instanceof UnsafeJQueryPlugin::Sanitizer
+    or
+    DomBasedXss::isOptionallySanitizedNode(node)
+  }
+
+  predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel label) {
+    TaintTracking::defaultSanitizer(node) and label.isTaint()
+    or
+    node = DataFlow::MakeLabeledBarrierGuard<BarrierGuard>::getABarrierNode(label)
+  }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node pred, DataFlow::FlowLabel inlbl, DataFlow::Node succ, DataFlow::FlowLabel outlbl
+  ) {
+    // TODO: localFieldStep is too expensive with dataflow2
+    // DataFlow::localFieldStep(pred, succ) and
+    // inlbl.isTaint() and
+    // outlbl.isTaint()
+    none()
+    or
+    TaintedObject::step(pred, succ, inlbl, outlbl)
+    or
+    // property read from a tainted object is considered tainted
+    succ.(DataFlow::PropRead).getBase() = pred and
+    inlbl = TaintedObject::label() and
+    outlbl = DataFlow::FlowLabel::taint()
+    or
+    TaintTracking::defaultTaintStep(pred, succ) and
+    inlbl.isTaint() and
+    outlbl = inlbl
+  }
+
+  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+}
+
+/**
+ * Taint-tracking for reasoning about unsafe HTML constructed from library input vulnerabilities.
+ */
+module UnsafeHtmlConstructionFlow = DataFlow::GlobalWithState<UnsafeHtmlConstructionConfig>;
+
+/**
+ * DEPRECATED. Use the `UnsafeHtmlConstructionFlow` module instead.
+ */
+deprecated class Configration extends TaintTracking::Configuration {
   Configration() { this = "UnsafeHtmlConstruction" }
 
   override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
@@ -65,11 +124,10 @@ class Configration extends TaintTracking::Configuration {
 
 private import semmle.javascript.security.dataflow.Xss::Shared as Shared
 
-private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::QuoteGuard {
+private class QuoteGuard extends Shared::QuoteGuard {
   QuoteGuard() { this = this }
 }
 
-private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard
-{
+private class ContainsHtmlGuard extends Shared::ContainsHtmlGuard {
   ContainsHtmlGuard() { this = this }
 }
diff --git a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
@@ -13,11 +13,13 @@
  */
 
 import javascript
-import DataFlow::PathGraph
 import semmle.javascript.security.dataflow.UnsafeHtmlConstructionQuery
+import DataFlow::DeduplicatePathGraph<UnsafeHtmlConstructionFlow::PathNode, UnsafeHtmlConstructionFlow::PathGraph>
 
-from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode
-where cfg.hasFlowPath(source, sink) and sink.getNode() = sinkNode
+from PathNode source, PathNode sink, Sink sinkNode
+where
+  UnsafeHtmlConstructionFlow::flowPath(source.getAnOriginalPathNode(), sink.getAnOriginalPathNode()) and
+  sink.getNode() = sinkNode
 select sinkNode, source, sink,
   "This " + sinkNode.describe() + " which depends on $@ might later allow $@.", source.getNode(),
   "library input", sinkNode.getSink(), sinkNode.getVulnerabilityKind().toLowerCase()
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-079/UnsafeHtmlConstruction/UnsafeHtmlConstruction.expected
