JS: add a taint step for property projection

Esben Sparre Andreasen · Esben Sparre Andreasen · commit 90b390224459 · 2018-08-30T09:39:02.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/PropertyProjection.qll b/javascript/ql/src/semmle/javascript/frameworks/PropertyProjection.qll
@@ -134,4 +134,22 @@ private class SimplePropertyProjection extends CustomPropertyProjection {
 
   override predicate isSingletonProjection() { singleton = true }
 
+}
+
+/**
+ * A taint step for a property projection.
+ */
+private class PropertyProjectionTaintStep extends TaintTracking::AdditionalTaintStep {
+
+  PropertyProjection projection;
+
+  PropertyProjectionTaintStep() {
+    projection = this
+  }
+
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    // reading from a tainted object yields a tainted result
+    this = succ and
+    pred = projection.getObject()
+  }
 }
diff --git a/javascript/ql/test/library-tests/frameworks/PropertyProjection/PropertyInjectionTaint.expected b/javascript/ql/test/library-tests/frameworks/PropertyProjection/PropertyInjectionTaint.expected
@@ -0,0 +1,3 @@
+| tst.js:25:10:25:15 | source |
+| tst.js:32:10:32:27 | _.pick(tainted, s) |
+| tst.js:33:10:33:26 | _.get(tainted, s) |
diff --git a/javascript/ql/test/library-tests/frameworks/PropertyProjection/PropertyInjectionTaint.ql b/javascript/ql/test/library-tests/frameworks/PropertyProjection/PropertyInjectionTaint.ql
@@ -0,0 +1,22 @@
+import javascript
+
+class ExampleConfiguration extends TaintTracking::Configuration {
+
+  ExampleConfiguration() { this = "ExampleConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr().(CallExpr).getCalleeName() = "SOURCE"
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists (CallExpr callExpr |
+      callExpr.getCalleeName() = "SINK" and
+      DataFlow::valueNode(callExpr.getArgument(0)) = sink
+    )
+  }
+
+}
+
+from ExampleConfiguration cfg, DataFlow::Node source, DataFlow::Node sink
+where cfg.hasFlow(source, sink)
+select sink
diff --git a/javascript/ql/test/library-tests/frameworks/PropertyProjection/PropertyProjection.expected b/javascript/ql/test/library-tests/frameworks/PropertyProjection/PropertyProjection.expected
@@ -9,3 +9,7 @@
 | tst.js:17:1:17:16 | dottie.get(o, s) | tst.js:17:12:17:12 | o | tst.js:17:15:17:15 | s | true |
 | tst.js:19:1:19:15 | dotty.get(o, s) | tst.js:19:11:19:11 | o | tst.js:19:14:19:14 | s | true |
 | tst.js:20:1:20:18 | dotty.search(o, s) | tst.js:20:14:20:14 | o | tst.js:20:17:20:17 | s | false |
+| tst.js:27:10:27:30 | _.pick( ... ted, s) | tst.js:27:17:27:26 | notTainted | tst.js:27:29:27:29 | s | false |
+| tst.js:28:10:28:29 | _.get(notTainted, s) | tst.js:28:16:28:25 | notTainted | tst.js:28:28:28:28 | s | true |
+| tst.js:32:10:32:27 | _.pick(tainted, s) | tst.js:32:17:32:23 | tainted | tst.js:32:26:32:26 | s | false |
+| tst.js:33:10:33:26 | _.get(tainted, s) | tst.js:33:16:33:22 | tainted | tst.js:33:25:33:25 | s | true |
diff --git a/javascript/ql/test/library-tests/frameworks/PropertyProjection/tst.js b/javascript/ql/test/library-tests/frameworks/PropertyProjection/tst.js
@@ -18,3 +18,17 @@ dottie.get(o, s);
 
 dotty.get(o, s);
 dotty.search(o, s);
+
+(function(){
+    var source = SOURCE();
+
+    SINK(source);
+
+    SINK(_.pick(notTainted, s));
+    SINK(_.get(notTainted, s));
+
+    var tainted = {};
+    tainted[x] = source;
+    SINK(_.pick(tainted, s));
+    SINK(_.get(tainted, s));
+});

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+\| tst.js:25:10:25:15 \| source \|`
	`2`	`+\| tst.js:32:10:32:27 \| _.pick(tainted, s) \|`
	`3`	`+\| tst.js:33:10:33:26 \| _.get(tainted, s) \|`