JS: Port UnvalidatedDynamicMethodCall

asgerf · asgerf · commit 83095535f959 · 2023-10-13T13:15:06.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallCustomizations.qll
@@ -54,6 +54,30 @@ module UnvalidatedDynamicMethodCall {
     }
   }
 
+  /**
+   * A barrier guard for unvalidated dynamic method calls.
+   */
+  abstract class BarrierGuard extends DataFlow::Node {
+    /**
+     * Holds if this node acts as a barrier for data flow, blocking further flow from `e` if `this` evaluates to `outcome`.
+     */
+    predicate blocksExpr(boolean outcome, Expr e) { none() }
+
+    /**
+     * Holds if this node acts as a barrier for `label`, blocking further flow from `e` if `this` evaluates to `outcome`.
+     */
+    predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) { none() }
+  }
+
+  /** A subclass of `BarrierGuard` that is used for backward compatibility with the old data flow library. */
+  abstract class BarrierGuardLegacy extends BarrierGuard, TaintTracking::SanitizerGuardNode {
+    override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+
+    override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      this.blocksExpr(outcome, e, label)
+    }
+  }
+
   /**
    * A flow label describing values read from a user-controlled property that
    * may not be functions.
@@ -109,26 +133,26 @@ module UnvalidatedDynamicMethodCall {
    * A check of the form `typeof x === 'function'`, which sanitizes away the `MaybeNonFunction`
    * taint kind.
    */
-  class FunctionCheck extends TaintTracking::LabeledSanitizerGuardNode, DataFlow::ValueNode {
+  class FunctionCheck extends BarrierGuardLegacy, DataFlow::ValueNode {
     override EqualityTest astNode;
     Expr operand;
 
     FunctionCheck() { TaintTracking::isTypeofGuard(astNode, operand, "function") }
 
-    override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+    override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
       outcome = astNode.getPolarity() and
       e = operand and
       label instanceof MaybeNonFunction
     }
   }
 
   /** A guard that checks whether `x` is a number. */
-  class NumberGuard extends TaintTracking::SanitizerGuardNode instanceof DataFlow::CallNode {
+  class NumberGuard extends BarrierGuardLegacy instanceof DataFlow::CallNode {
     Expr x;
     boolean polarity;
 
     NumberGuard() { TaintTracking::isNumberGuard(this, x, polarity) }
 
-    override predicate sanitizes(boolean outcome, Expr e) { e = x and outcome = polarity }
+    override predicate blocksExpr(boolean outcome, Expr e) { e = x and outcome = polarity }
   }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallQuery.qll
@@ -27,30 +27,32 @@ private class ConcreteMaybeFromProto extends MaybeFromProto {
 /**
  * A taint-tracking configuration for reasoning about unvalidated dynamic method calls.
  */
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "UnvalidatedDynamicMethodCall" }
+module UnvalidatedDynamicMethodCallConfig implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowLabel;
 
-  override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+  predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
     source.(Source).getFlowLabel() = label
   }
 
-  override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+  predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
     sink.(Sink).getFlowLabel() = label
   }
 
-  override predicate isLabeledBarrier(DataFlow::Node node, DataFlow::FlowLabel label) {
-    super.isLabeledBarrier(node, label)
-    or
+  predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel label) {
     node.(Sanitizer).getFlowLabel() = label
+    or
+    TaintTracking::defaultSanitizer(node) and
+    label.isTaint()
+    or
+    node = DataFlow::MakeLabeledBarrierGuard<BarrierGuard>::getABarrierNode(label)
   }
 
-  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
-    guard instanceof NumberGuard or
-    guard instanceof FunctionCheck
+  predicate isBarrier(DataFlow::Node node) {
+    node = DataFlow::MakeBarrierGuard<BarrierGuard>::getABarrierNode()
   }
 
-  override predicate isAdditionalFlowStep(
-    DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel,
+  predicate isAdditionalFlowStep(
+    DataFlow::Node src, DataFlow::FlowLabel srclabel, DataFlow::Node dst,
     DataFlow::FlowLabel dstlabel
   ) {
     exists(DataFlow::PropRead read |
@@ -74,5 +76,48 @@ class Configuration extends TaintTracking::Configuration {
     ) and
     srclabel.isTaint() and
     dstlabel instanceof MaybeNonFunction
+    or
+    srclabel.isTaint() and
+    TaintTracking::defaultTaintStep(src, dst) and
+    srclabel = dstlabel
+  }
+}
+
+/**
+ * Taint-tracking for reasoning about unvalidated dynamic method calls.
+ */
+module UnvalidatedDynamicMethodCallFlow =
+  DataFlow::GlobalWithState<UnvalidatedDynamicMethodCallConfig>;
+
+/**
+ * DEPRECATED. Use the `UnvalidatedDynamicMethodCallFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "UnvalidatedDynamicMethodCall" }
+
+  override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+    source.(Source).getFlowLabel() = label
+  }
+
+  override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+    sink.(Sink).getFlowLabel() = label
+  }
+
+  override predicate isLabeledBarrier(DataFlow::Node node, DataFlow::FlowLabel label) {
+    super.isLabeledBarrier(node, label)
+    or
+    node.(Sanitizer).getFlowLabel() = label
+  }
+
+  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+    guard instanceof NumberGuard or
+    guard instanceof FunctionCheck
+  }
+
+  override predicate isAdditionalFlowStep(
+    DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel,
+    DataFlow::FlowLabel dstlabel
+  ) {
+    UnvalidatedDynamicMethodCallConfig::isAdditionalFlowStep(src, srclabel, dst, dstlabel)
   }
 }
diff --git a/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql b/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql
@@ -13,10 +13,12 @@
 
 import javascript
 import semmle.javascript.security.dataflow.UnvalidatedDynamicMethodCallQuery
-import DataFlow::PathGraph
+import DataFlow::DeduplicatePathGraph<UnvalidatedDynamicMethodCallFlow::PathNode, UnvalidatedDynamicMethodCallFlow::PathGraph>
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from PathNode source, PathNode sink
+where
+  UnvalidatedDynamicMethodCallFlow::flowPath(source.getAnOriginalPathNode(),
+    sink.getAnOriginalPathNode())
 select sink.getNode(), source, sink,
   "Invocation of method with $@ name may dispatch to unexpected target and cause an exception.",
   source.getNode(), "user-controlled"
diff --git a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall.expected b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall.expected
