JS: Port InsecureDownload

asgerf · asgerf · commit 99f63b1cfa6d · 2023-10-13T13:15:05.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
@@ -12,19 +12,41 @@ import InsecureDownloadCustomizations::InsecureDownload
 /**
  * A taint tracking configuration for download of sensitive file through insecure connection.
  */
-class Configuration extends DataFlow::Configuration {
+module InsecureDownloadConfig implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowLabel;
+
+  predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+    source.(Source).getALabel() = label
+  }
+
+  predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+    sink.(Sink).getALabel() = label
+  }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * Taint tracking for download of sensitive file through insecure connection.
+ */
+module InsecureDownload = DataFlow::GlobalWithState<InsecureDownloadConfig>;
+
+/**
+ * DEPRECATED. Use the `InsecureDownload` module instead.
+ */
+deprecated class Configuration extends DataFlow::Configuration {
   Configuration() { this = "InsecureDownload" }
 
   override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-    source.(Source).getALabel() = label
+    InsecureDownloadConfig::isSource(source, label)
   }
 
   override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-    sink.(Sink).getALabel() = label
+    InsecureDownloadConfig::isSink(sink, label)
   }
 
   override predicate isBarrier(DataFlow::Node node) {
     super.isBarrier(node) or
-    node instanceof Sanitizer
+    InsecureDownloadConfig::isBarrier(node)
   }
 }
diff --git a/javascript/ql/src/Security/CWE-829/InsecureDownload.ql b/javascript/ql/src/Security/CWE-829/InsecureDownload.ql
@@ -13,9 +13,9 @@
 
 import javascript
 import semmle.javascript.security.dataflow.InsecureDownloadQuery
-import DataFlow::PathGraph
+import DataFlow::DeduplicatePathGraph<InsecureDownload::PathNode, InsecureDownload::PathGraph>
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from PathNode source, PathNode sink
+where InsecureDownload::flowPath(source.getAnOriginalPathNode(), sink.getAnOriginalPathNode())
 select sink.getNode(), source, sink, "$@ of sensitive file from $@.",
   sink.getNode().(Sink).getDownloadCall(), "Download", source.getNode(), "HTTP source"
diff --git a/javascript/ql/test/query-tests/Security/CWE-829/InsecureDownload.expected b/javascript/ql/test/query-tests/Security/CWE-829/InsecureDownload.expected
@@ -1,43 +1,44 @@
 nodes
-| insecure-download.js:5:16:5:28 | installer.url |
-| insecure-download.js:5:16:5:28 | installer.url |
-| insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' |
-| insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' |
-| insecure-download.js:15:18:15:40 | buildTo ... llerUrl |
-| insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" |
-| insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" |
-| insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" |
-| insecure-download.js:36:9:36:45 | url |
-| insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" |
-| insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" |
-| insecure-download.js:37:23:37:25 | url |
-| insecure-download.js:37:23:37:25 | url |
-| insecure-download.js:39:26:39:28 | url |
-| insecure-download.js:39:26:39:28 | url |
-| insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" |
-| insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" |
-| insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" |
-| insecure-download.js:48:12:48:38 | "http:/ ... unsafe" |
-| insecure-download.js:48:12:48:38 | "http:/ ... unsafe" |
-| insecure-download.js:48:12:48:38 | "http:/ ... unsafe" |
-| insecure-download.js:52:11:52:45 | "http:/ ... nknown" |
-| insecure-download.js:52:11:52:45 | "http:/ ... nknown" |
-| insecure-download.js:52:11:52:45 | "http:/ ... nknown" |
+| insecure-download.js:4:28:4:36 | installer [url] | semmle.label | installer [url] |
+| insecure-download.js:5:16:5:24 | installer [url] | semmle.label | installer [url] |
+| insecure-download.js:5:16:5:28 | installer.url | semmle.label | installer.url |
+| insecure-download.js:7:9:11:5 | constants [buildTools, installerUrl] | semmle.label | constants [buildTools, installerUrl] |
+| insecure-download.js:7:21:11:5 | {\\n      ... }\\n    } [buildTools, installerUrl] | semmle.label | {\\n      ... }\\n    } [buildTools, installerUrl] |
+| insecure-download.js:8:21:10:9 | {\\n      ...       } [installerUrl] | semmle.label | {\\n      ...       } [installerUrl] |
+| insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | semmle.label | 'http:/ ... ll.exe' |
+| insecure-download.js:13:15:13:47 | buildTools [installerUrl] | semmle.label | buildTools [installerUrl] |
+| insecure-download.js:13:28:13:36 | constants [buildTools, installerUrl] | semmle.label | constants [buildTools, installerUrl] |
+| insecure-download.js:13:28:13:47 | constants.buildTools [installerUrl] | semmle.label | constants.buildTools [installerUrl] |
+| insecure-download.js:14:16:16:9 | {\\n      ...       } [url] | semmle.label | {\\n      ...       } [url] |
+| insecure-download.js:15:18:15:27 | buildTools [installerUrl] | semmle.label | buildTools [installerUrl] |
+| insecure-download.js:15:18:15:40 | buildTo ... llerUrl | semmle.label | buildTo ... llerUrl |
+| insecure-download.js:19:19:19:46 | getBuil ... rPath() [url] | semmle.label | getBuil ... rPath() [url] |
+| insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | semmle.label | "http:/ ... fe.APK" |
+| insecure-download.js:36:9:36:45 | url | semmle.label | url |
+| insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | semmle.label | "http:/ ... fe.APK" |
+| insecure-download.js:37:23:37:25 | url | semmle.label | url |
+| insecure-download.js:39:26:39:28 | url | semmle.label | url |
+| insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" | semmle.label | "ftp:// ... fe.APK" |
+| insecure-download.js:48:12:48:38 | "http:/ ... unsafe" | semmle.label | "http:/ ... unsafe" |
+| insecure-download.js:52:11:52:45 | "http:/ ... nknown" | semmle.label | "http:/ ... nknown" |
 edges
-| insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | insecure-download.js:15:18:15:40 | buildTo ... llerUrl |
-| insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | insecure-download.js:15:18:15:40 | buildTo ... llerUrl |
-| insecure-download.js:15:18:15:40 | buildTo ... llerUrl | insecure-download.js:5:16:5:28 | installer.url |
-| insecure-download.js:15:18:15:40 | buildTo ... llerUrl | insecure-download.js:5:16:5:28 | installer.url |
-| insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" |
+| insecure-download.js:4:28:4:36 | installer [url] | insecure-download.js:5:16:5:24 | installer [url] |
+| insecure-download.js:5:16:5:24 | installer [url] | insecure-download.js:5:16:5:28 | installer.url |
+| insecure-download.js:7:9:11:5 | constants [buildTools, installerUrl] | insecure-download.js:13:28:13:36 | constants [buildTools, installerUrl] |
+| insecure-download.js:7:21:11:5 | {\\n      ... }\\n    } [buildTools, installerUrl] | insecure-download.js:7:9:11:5 | constants [buildTools, installerUrl] |
+| insecure-download.js:8:21:10:9 | {\\n      ...       } [installerUrl] | insecure-download.js:7:21:11:5 | {\\n      ... }\\n    } [buildTools, installerUrl] |
+| insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | insecure-download.js:8:21:10:9 | {\\n      ...       } [installerUrl] |
+| insecure-download.js:13:15:13:47 | buildTools [installerUrl] | insecure-download.js:15:18:15:27 | buildTools [installerUrl] |
+| insecure-download.js:13:28:13:36 | constants [buildTools, installerUrl] | insecure-download.js:13:28:13:47 | constants.buildTools [installerUrl] |
+| insecure-download.js:13:28:13:47 | constants.buildTools [installerUrl] | insecure-download.js:13:15:13:47 | buildTools [installerUrl] |
+| insecure-download.js:14:16:16:9 | {\\n      ...       } [url] | insecure-download.js:19:19:19:46 | getBuil ... rPath() [url] |
+| insecure-download.js:15:18:15:27 | buildTools [installerUrl] | insecure-download.js:15:18:15:40 | buildTo ... llerUrl |
+| insecure-download.js:15:18:15:40 | buildTo ... llerUrl | insecure-download.js:14:16:16:9 | {\\n      ...       } [url] |
+| insecure-download.js:19:19:19:46 | getBuil ... rPath() [url] | insecure-download.js:4:28:4:36 | installer [url] |
 | insecure-download.js:36:9:36:45 | url | insecure-download.js:37:23:37:25 | url |
-| insecure-download.js:36:9:36:45 | url | insecure-download.js:37:23:37:25 | url |
-| insecure-download.js:36:9:36:45 | url | insecure-download.js:39:26:39:28 | url |
 | insecure-download.js:36:9:36:45 | url | insecure-download.js:39:26:39:28 | url |
 | insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | insecure-download.js:36:9:36:45 | url |
-| insecure-download.js:36:15:36:45 | "http:/ ... fe.APK" | insecure-download.js:36:9:36:45 | url |
-| insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" | insecure-download.js:41:12:41:41 | "ftp:// ... fe.APK" |
-| insecure-download.js:48:12:48:38 | "http:/ ... unsafe" | insecure-download.js:48:12:48:38 | "http:/ ... unsafe" |
-| insecure-download.js:52:11:52:45 | "http:/ ... nknown" | insecure-download.js:52:11:52:45 | "http:/ ... nknown" |
+subpaths
 #select
 | insecure-download.js:5:16:5:28 | installer.url | insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | insecure-download.js:5:16:5:28 | installer.url | $@ of sensitive file from $@. | insecure-download.js:5:9:5:44 | nugget( ... => { }) | Download | insecure-download.js:9:27:9:138 | 'http:/ ... ll.exe' | HTTP source |
 | insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | $@ of sensitive file from $@. | insecure-download.js:30:5:30:43 | nugget( ... e.APK") | Download | insecure-download.js:30:12:30:42 | "http:/ ... fe.APK" | HTTP source |
