Merge pull request #4802 from max-schaefer/js/external-remote-flow-sources

codeql-ci · web-flow · commit 9ae8880bd000 · 2020-12-16T00:34:40.000-08:00
Approved by asgerf, jf205
diff --git a/docs/codeql/codeql-language-guides/codeql-for-javascript.rst b/docs/codeql/codeql-language-guides/codeql-for-javascript.rst
@@ -13,6 +13,7 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
    codeql-library-for-typescript
    analyzing-data-flow-in-javascript-and-typescript
    using-flow-labels-for-precise-data-flow-analysis
+   specifying-additional-remote-flow-sources-for-javascript
    using-type-tracking-for-api-modeling
    abstract-syntax-tree-classes-for-working-with-javascript-and-typescript-programs
    data-flow-cheat-sheet-for-javascript
@@ -27,6 +28,8 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
 
 -  :doc:`Using flow labels for precise data flow analysis <using-flow-labels-for-precise-data-flow-analysis>`: You can associate flow labels with each value tracked by the flow analysis to determine whether the flow contains potential vulnerabilities.
 
+-  :doc:`Specifying remote flow sources for JavaScript <specifying-additional-remote-flow-sources-for-javascript>`: You can model potential sources of untrusted user input in your code without making changes to the CodeQL standard library by specifying extra remote flow sources in an external file.
+
 -  :doc:`Using type tracking for API modeling <using-type-tracking-for-api-modeling>`: You can track data through an API by creating a model using the CodeQL type-tracking library for JavaScript.
 
 -  :doc:`Abstract syntax tree classes for working with JavaScript and TypeScript programs <abstract-syntax-tree-classes-for-working-with-javascript-and-typescript-programs>`: CodeQL has a large selection of classes for representing the abstract syntax tree of JavaScript and TypeScript programs.
diff --git a/docs/codeql/codeql-language-guides/specifying-additional-remote-flow-sources-for-javascript.rst b/docs/codeql/codeql-language-guides/specifying-additional-remote-flow-sources-for-javascript.rst
@@ -0,0 +1,51 @@
+.. _specifying-additional-remote-flow-sources-for-javascript:
+
+Specifying additional remote flow sources for JavaScript
+========================================================
+
+You can model potential sources of untrusted user input in your code without making changes to the CodeQL standard library by specifying extra remote flow sources in an external file.
+
+.. pull-quote::
+
+   Note
+
+   Specifying remote flow sources in external files is currently in beta and subject to change.
+
+As mentioned in the :doc:`Data flow cheat sheet for JavaScript <data-flow-cheat-sheet-for-javascript>`, the CodeQL libraries for JavaScript
+provide a class `RemoteFlowSource <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/type.RemoteFlowSources$RemoteFlowSource.html>`__ to represent sources of untrusted user input, sometimes also referred to as remote flow
+sources.
+
+To model a new source of untrusted input, such as a previously unmodelled library API, you can
+define a subclass of ``RemoteFlowSource`` that covers all uses of that API. All standard analyses
+will then automatically pick up this new source of remote flow.
+
+However, this approach requires writing QL code and adding it to the standard library, which is not
+always easy to do. Instead, you can also add a JSON file describing custom sources of untrusted
+input to your code base and have it picked up without needing to modify the standard library. This
+JSON file can be hand-written or generated by another tool. The custom remote flow sources are only available to the code base containing the JSON file. This means that you need to copy the JSON file into each code base that requires the customizations.
+
+Specification format
+--------------------
+
+The JSON file must be called ``codeql-javascript-remote-flow-sources.json`` and
+can be located anywhere in your code base. It should consist of a single JSON object. The property
+names of this object are interpreted as `source types`. The values they map to should be arrays of
+strings. Each string should be of the form ``window.props``, where ``props`` is a sequence of one
+or more property names separated by dots. This notation specifies that any value reachable from the global window
+object by this sequence of property names should be considered as untrusted user input of the
+associated source type.
+
+Example
+-------
+
+Consider the following specification:
+
+.. code-block:: json
+
+  {
+    "user input": [ "window.user.name", "window.user.address", "window.dob" ]
+  }
+
+It declares that the contents of global variable ``dob``, as well as the contents of properties
+``name`` and ``address`` of global variable ``user``, should be considered as remote flow sources,
+with source type "user input".
diff --git a/javascript/change-notes/2020-12-09-external-flow-sources.md b/javascript/change-notes/2020-12-09-external-flow-sources.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Custom remote flow sources can now be specified by including a file named `codeql-javascript-remote-flow-sources.json` in your code base. See documentation for more details.
diff --git a/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java b/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java
@@ -146,7 +146,8 @@
  *       FileType#HTML} (currently ".htm", ".html", ".xhtm", ".xhtml", ".vue").
  *   <li>All YAML files, that is, files with one of the extensions supported by {@link
  *       FileType#YAML} (currently ".raml", ".yaml", ".yml").
- *   <li>Files with base name "package.json".
+ *   <li>Files with base name "package.json" or "tsconfig.json", and files whose base name
+ *       is of the form "codeql-javascript-*.json".
  *   <li>JavaScript, JSON or YAML files whose base name starts with ".eslintrc".
  *   <li>All extension-less files.
  * </ul>
@@ -402,10 +403,12 @@ private void setupFilters() {
     for (FileType filetype : defaultExtract)
       for (String extension : filetype.getExtensions()) patterns.add("**/*" + extension);
 
-    // include .eslintrc files, package.json files, and tsconfig.json files
+    // include .eslintrc files, package.json files, tsconfig.json files, and
+    // codeql-javascript-*.json files
     patterns.add("**/.eslintrc*");
     patterns.add("**/package.json");
     patterns.add("**/tsconfig.json");
+    patterns.add("**/codeql-javascript-*.json");
 
     // include any explicitly specified extensions
     for (String extension : fileTypes.keySet()) patterns.add("**/*" + extension);
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll b/javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll
@@ -16,3 +16,98 @@ abstract class RemoteFlowSource extends DataFlow::Node {
    */
   predicate isUserControlledObject() { none() }
 }
+
+/**
+ * A specification of a remote flow source in a JSON file included in the database.
+ *
+ * The JSON file must be named `codeql-javascript-remote-flow-sources.json` and consist of a JSON
+ * object. The object's keys are source types (in the sense of `RemoteFlowSource.getSourceType()`),
+ * each mapping to a list of strings. Each string in that list must be of the form `window.f.props`
+ * where `f` is the name of a global variable, and `props` is a possibly empty sequence of property
+ * names separated by dots. It declares any value stored in the given property sequece of `f` to be
+ * a remote flow source of the type specified by the key.
+ *
+ * For example, consider the following specification:
+ *
+ * ```json
+ * {
+ *  "user input": [ "window.user.name", "window.user.address", "window.dob" ]
+ * }
+ * ```
+ *
+ * It declares that the contents of global variable `dob`, as well as the contents of properties
+ * `name` and `address` of global variable `user` should be considered as remote flow sources with
+ * source type "user input".
+ */
+private class RemoteFlowSourceAccessPath extends JSONString {
+  string sourceType;
+
+  RemoteFlowSourceAccessPath() {
+    exists(JSONObject specs |
+      specs.isTopLevel() and
+      this.getFile().getBaseName() = "codeql-javascript-remote-flow-sources.json" and
+      this = specs.getPropValue(sourceType).(JSONArray).getElementValue(_) and
+      this.getValue().regexpMatch("window(\\.\\w+)+")
+    )
+  }
+
+  /** Gets the source type of this remote flow source. */
+  string getSourceType() { result = sourceType }
+
+  /** Gets the `i`th component of the access path specifying this remote flow source. */
+  string getComponent(int i) {
+    exists(string raw | raw = this.getValue().splitAt(".", i + 1) |
+      i = 0 and
+      result = "ExternalRemoteFlowSourceSpec " + raw
+      or
+      i > 0 and
+      result = API::EdgeLabel::member(raw)
+    )
+  }
+
+  /** Gets the index of the last component of this access path. */
+  int getMaxComponentIndex() { result = max(int i | exists(getComponent(i))) }
+
+  /**
+   * Gets the API node to which the prefix of the access path up to and including `i` resolves.
+   *
+   * As a special base case, resolving up to -1 gives the root API node.
+   */
+  private API::Node resolveUpTo(int i) {
+    i = -1 and
+    result = API::root()
+    or
+    result = resolveUpTo(i - 1).getASuccessor(getComponent(i))
+  }
+
+  /** Gets the API node to which this access path resolves. */
+  API::Use resolve() { result = resolveUpTo(getMaxComponentIndex()) }
+}
+
+/**
+ * The global variable referenced by a `RemoteFlowSourceAccessPath`, declared as an API
+ * entry point.
+ */
+private class ExternalRemoteFlowSourceSpecEntryPoint extends API::EntryPoint {
+  string name;
+
+  ExternalRemoteFlowSourceSpecEntryPoint() {
+    this = any(RemoteFlowSourceAccessPath s).getComponent(0) and
+    this = "ExternalRemoteFlowSourceSpec " + name
+  }
+
+  override DataFlow::SourceNode getAUse() { result = DataFlow::globalVarRef(name) }
+
+  override DataFlow::Node getARhs() { none() }
+}
+
+/**
+ * A remote flow source induced by a `RemoteFlowSourceAccessPath`.
+ */
+private class ExternalRemoteFlowSource extends RemoteFlowSource {
+  RemoteFlowSourceAccessPath ap;
+
+  ExternalRemoteFlowSource() { this = ap.resolve().getAnImmediateUse() }
+
+  override string getSourceType() { result = ap.getSourceType() }
+}
diff --git a/javascript/ql/test/library-tests/RemoteFlowSources/RemoteFlowSources.expected b/javascript/ql/test/library-tests/RemoteFlowSources/RemoteFlowSources.expected
@@ -0,0 +1,2 @@
+missing
+spurious
diff --git a/javascript/ql/test/library-tests/RemoteFlowSources/RemoteFlowSources.ql b/javascript/ql/test/library-tests/RemoteFlowSources/RemoteFlowSources.ql
@@ -0,0 +1,25 @@
+import javascript
+
+predicate remoteFlowSourceSpec(Comment c, string path, int line, string sourceType) {
+  c.getLocation().hasLocationInfo(path, line, _, _, _) and
+  sourceType = c.getText().regexpCapture("\\s*RemoteFlowSource\\s*:\\s*(.+)", 1)
+}
+
+predicate remoteFlowSource(RemoteFlowSource rfs, string path, int line, string sourceType) {
+  rfs.hasLocationInfo(path, line, _, _, _) and
+  sourceType = rfs.getSourceType()
+}
+
+query predicate missing(Comment c, string sourceType) {
+  exists(string path, int line |
+    remoteFlowSourceSpec(c, path, line, sourceType) and
+    not remoteFlowSource(_, path, line, sourceType)
+  )
+}
+
+query predicate spurious(RemoteFlowSource rfs, string sourceType) {
+  exists(string path, int line |
+    not remoteFlowSourceSpec(_, path, line, sourceType) and
+    remoteFlowSource(rfs, path, line, sourceType)
+  )
+}
diff --git a/javascript/ql/test/library-tests/RemoteFlowSources/codeql-javascript-remote-flow-sources.json b/javascript/ql/test/library-tests/RemoteFlowSources/codeql-javascript-remote-flow-sources.json
@@ -0,0 +1,10 @@
+{
+    "user input": [
+        "window.user.name",
+        "window.user.address",
+        "window.dob"
+    ],
+    "uncontrolled path": [
+        "window.upload"
+    ]
+}
diff --git a/javascript/ql/test/library-tests/RemoteFlowSources/tst.js b/javascript/ql/test/library-tests/RemoteFlowSources/tst.js
@@ -0,0 +1,21 @@
+window.user.name;        // RemoteFlowSource: user input
+window.user.address;     // RemoteFlowSource: user input
+window.dob;              // RemoteFlowSource: user input
+window.upload;           // RemoteFlowSource: uncontrolled path
+
+this.user.name;          // RemoteFlowSource: user input
+this.user.address;       // RemoteFlowSource: user input
+this.dob;                // RemoteFlowSource: user input
+this.upload;             // RemoteFlowSource: uncontrolled path
+
+user.name;               // RemoteFlowSource: user input
+user.address;            // RemoteFlowSource: user input
+dob;                     // RemoteFlowSource: user input
+upload;                  // RemoteFlowSource: uncontrolled path
+
+(function (global) {
+    global.user.name;    // RemoteFlowSource: user input
+    global.user.address; // RemoteFlowSource: user input
+    global.dob;          // RemoteFlowSource: user input
+    global.upload;       // RemoteFlowSource: uncontrolled path
+})(this);

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* Custom remote flow sources can now be specified by including a file named `codeql-javascript-remote-flow-sources.json` in your code base. See documentation for more details.