add remote flow source for busboy

erik-krogh · erik-krogh · commit a03f4ed3cd10 · 2021-02-11T09:34:02.000+01:00
diff --git a/javascript/ql/src/javascript.qll b/javascript/ql/src/javascript.qll
@@ -85,10 +85,11 @@ import semmle.javascript.frameworks.Electron
 import semmle.javascript.frameworks.EventEmitter
 import semmle.javascript.frameworks.Files
 import semmle.javascript.frameworks.Firebase
-import semmle.javascript.frameworks.Immutable
+import semmle.javascript.frameworks.FormParsers
 import semmle.javascript.frameworks.jQuery
 import semmle.javascript.frameworks.JWT
 import semmle.javascript.frameworks.Handlebars
+import semmle.javascript.frameworks.Immutable
 import semmle.javascript.frameworks.LazyCache
 import semmle.javascript.frameworks.LodashUnderscore
 import semmle.javascript.frameworks.Logging
diff --git a/javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll b/javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll
@@ -0,0 +1,30 @@
+/**
+ * Provides classes for modelling the server-side form/file parsing libraries.
+ */
+
+import javascript
+
+/**
+ * Classes and predicate modelling the `Busboy` library.
+ */
+module Busboy {
+  /**
+   * A `Busboy` instance that has request data flowing into it.
+   */
+  private DataFlow::NewNode busboy() {
+    result = DataFlow::moduleImport("busboy").getAnInstantiation() and
+    exists(MethodCallExpr pipe |
+      pipe.calls(any(HTTP::RequestExpr req), "pipe") and
+      result.flowsToExpr(pipe.getArgument(0))
+    )
+  }
+
+  /**
+   * A source of remote flow from the `Busboy` library.
+   */
+  class BusBoyRemoteFlow extends RemoteFlowSource {
+    BusBoyRemoteFlow() { this = busboy().getAMemberCall("on").getABoundCallbackParameter(1, _) }
+
+    override string getSourceType() { result = "Busbuy parsed user value" }
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
@@ -100,6 +100,11 @@ nodes
 | form-parsers.js:14:10:14:37 | "touch  ... nalname |
 | form-parsers.js:14:21:14:24 | file |
 | form-parsers.js:14:21:14:37 | file.originalname |
+| form-parsers.js:24:48:24:55 | filename |
+| form-parsers.js:24:48:24:55 | filename |
+| form-parsers.js:25:10:25:28 | "touch " + filename |
+| form-parsers.js:25:10:25:28 | "touch " + filename |
+| form-parsers.js:25:21:25:28 | filename |
 | lib/subLib/index.js:7:32:7:35 | name |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
@@ -244,6 +249,10 @@ edges
 | form-parsers.js:14:21:14:24 | file | form-parsers.js:14:21:14:37 | file.originalname |
 | form-parsers.js:14:21:14:37 | file.originalname | form-parsers.js:14:10:14:37 | "touch  ... nalname |
 | form-parsers.js:14:21:14:37 | file.originalname | form-parsers.js:14:10:14:37 | "touch  ... nalname |
+| form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:21:25:28 | filename |
+| form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:21:25:28 | filename |
+| form-parsers.js:25:21:25:28 | filename | form-parsers.js:25:10:25:28 | "touch " + filename |
+| form-parsers.js:25:21:25:28 | filename | form-parsers.js:25:10:25:28 | "touch " + filename |
 | lib/subLib/index.js:7:32:7:35 | name | lib/subLib/index.js:8:22:8:25 | name |
 | lib/subLib/index.js:8:22:8:25 | name | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
 | lib/subLib/index.js:8:22:8:25 | name | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
@@ -317,6 +326,7 @@ edges
 | execSeries.js:14:41:14:47 | command | execSeries.js:18:34:18:40 | req.url | execSeries.js:14:41:14:47 | command | This command depends on $@. | execSeries.js:18:34:18:40 | req.url | a user-provided value |
 | form-parsers.js:9:8:9:39 | "touch  ... nalname | form-parsers.js:9:19:9:26 | req.file | form-parsers.js:9:8:9:39 | "touch  ... nalname | This command depends on $@. | form-parsers.js:9:19:9:26 | req.file | a user-provided value |
 | form-parsers.js:14:10:14:37 | "touch  ... nalname | form-parsers.js:13:3:13:11 | req.files | form-parsers.js:14:10:14:37 | "touch  ... nalname | This command depends on $@. | form-parsers.js:13:3:13:11 | req.files | a user-provided value |
+| form-parsers.js:25:10:25:28 | "touch " + filename | form-parsers.js:24:48:24:55 | filename | form-parsers.js:25:10:25:28 | "touch " + filename | This command depends on $@. | form-parsers.js:24:48:24:55 | filename | a user-provided value |
 | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | child_process-test.js:85:37:85:54 | req.query.fileName | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | This command depends on $@. | child_process-test.js:85:37:85:54 | req.query.fileName | a user-provided value |
 | other.js:7:33:7:35 | cmd | other.js:5:25:5:31 | req.url | other.js:7:33:7:35 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:8:28:8:30 | cmd | other.js:5:25:5:31 | req.url | other.js:8:28:8:30 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js b/javascript/ql/test/query-tests/Security/CWE-078/form-parsers.js
@@ -14,3 +14,15 @@ app.post('/photos/upload', upload.array('photos', 12), function (req, res, next)
     exec("touch " + file.originalname); // NOT OK
   })
 });
+
+
+var http = require('http');
+var Busboy = require('busboy');
+
+http.createServer(function (req, res) {
+  var busboy = new Busboy({ headers: req.headers });
+  busboy.on('file', function (fieldname, file, filename, encoding, mimetype) {
+    exec("touch " + filename); // NOT OK
+  });
+  req.pipe(busboy);
+}).listen(8000);
