JS: Port CleartextLogging

asgerf · asgerf · commit b8a6f8166925 · 2023-10-13T13:15:04.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -16,14 +16,20 @@ module CleartextLogging {
     /** Gets a string that describes the type of this data flow source. */
     abstract string describe();
 
-    abstract DataFlow::FlowLabel getLabel();
+    /**
+     * DEPRECATED. Overriding this predicate no longer has any effect.
+     */
+    deprecated DataFlow::FlowLabel getLabel() { result.isTaint() }
   }
 
   /**
    * A data flow sink for clear-text logging of sensitive information.
    */
   abstract class Sink extends DataFlow::Node {
-    DataFlow::FlowLabel getLabel() { result.isTaint() }
+    /**
+     * DEPRECATED. Overriding this predicate no longer has any effect.
+     */
+    deprecated DataFlow::FlowLabel getLabel() { result.isTaint() }
   }
 
   /**
@@ -103,29 +109,28 @@ module CleartextLogging {
   abstract private class NonCleartextPassword extends DataFlow::Node { }
 
   /**
-   * An object with a property that may contain password information
-   *
-   * This is a source since `console.log(obj)` will show the properties of `obj`.
+   * A value stored in a property that may contain password information
    */
   private class ObjectPasswordPropertySource extends DataFlow::ValueNode, Source {
     string name;
 
     ObjectPasswordPropertySource() {
       exists(DataFlow::PropWrite write |
+        write.getPropertyName() = name and
         name.regexpMatch(maybePassword()) and
         not name.regexpMatch(notSensitiveRegexp()) and
-        write = this.(DataFlow::SourceNode).getAPropertyWrite(name) and
+        this = write.getRhs() and
         // avoid safe values assigned to presumably unsafe names
-        not write.getRhs() instanceof NonCleartextPassword
+        not this instanceof NonCleartextPassword
       )
     }
 
     override string describe() { result = "an access to " + name }
-
-    override DataFlow::FlowLabel getLabel() { result.isTaint() }
   }
 
-  /** An access to a variable or property that might contain a password. */
+  /**
+   * An access to a variable or property that might contain a password.
+   */
   private class ReadPasswordSource extends DataFlow::ValueNode, Source {
     string name;
 
@@ -147,8 +152,6 @@ module CleartextLogging {
     }
 
     override string describe() { result = "an access to " + name }
-
-    override DataFlow::FlowLabel getLabel() { result.isTaint() }
   }
 
   /** A call that might return a password. */
@@ -161,17 +164,35 @@ module CleartextLogging {
     }
 
     override string describe() { result = "a call to " + name }
-
-    override DataFlow::FlowLabel getLabel() { result.isTaint() }
   }
 
   /** An access to the sensitive object `process.env`. */
   class ProcessEnvSource extends Source {
     ProcessEnvSource() { this = NodeJSLib::process().getAPropertyRead("env") }
 
     override string describe() { result = "process environment" }
+  }
 
-    override DataFlow::FlowLabel getLabel() { result.isTaint() }
+  /** Gets a data flow node referring to `process.env`. */
+  private DataFlow::SourceNode processEnv(DataFlow::TypeTracker t) {
+    t.start() and
+    result instanceof ProcessEnvSource
+    or
+    exists(DataFlow::TypeTracker t2 | result = processEnv(t2).track(t2, t))
+  }
+
+  /** Gets a data flow node referring to `process.env`. */
+  DataFlow::SourceNode processEnv() { result = processEnv(DataFlow::TypeTracker::end()) }
+
+  /**
+   * A property access on `process.env`, seen as a barrier.
+   */
+  private class SafeEnvironmentVariableBarrier extends Barrier instanceof DataFlow::PropRead {
+    SafeEnvironmentVariableBarrier() {
+      this = processEnv().getAPropertyRead() and
+      // If the name is known, it should not be sensitive
+      not nameIndicatesSensitiveData(this.getPropertyName(), _)
+    }
   }
 
   /**
@@ -183,26 +204,10 @@ module CleartextLogging {
     succ.(DataFlow::PropRead).getBase() = pred
   }
 
-  private class PropReadAsBarrier extends Barrier {
-    PropReadAsBarrier() {
-      this = any(DataFlow::PropRead read).getBase() and
-      // the 'foo' in 'foo.bar()' may have flow, we only want to suppress plain property reads
-      not this = any(DataFlow::MethodCallNode call).getReceiver() and
-      // do not block custom taint steps from this node
-      not isAdditionalTaintStep(this, _)
-    }
-  }
-
   /**
    * Holds if the edge `src` -> `trg` is an additional taint-step for clear-text logging of sensitive information.
    */
   predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
-    // A taint propagating data flow edge through objects: a tainted write taints the entire object.
-    exists(DataFlow::PropWrite write |
-      write.getRhs() = src and
-      trg.(DataFlow::SourceNode).flowsTo(write.getBase())
-    )
-    or
     // A property-copy step,
     // dst[x] = src[x]
     // dst[x] = JSON.stringify(src[x])
@@ -218,7 +223,7 @@ module CleartextLogging {
       not exists(read.getPropertyName()) and
       not isFilteredPropertyName(read.getPropertyNameExpr().flow().getALocalSource()) and
       src = read.getBase() and
-      trg = write.getBase().getALocalSource()
+      trg = write.getBase().getPostUpdateNode()
     )
     or
     // Taint through the arguments object.
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll
@@ -20,7 +20,38 @@ private import CleartextLoggingCustomizations::CleartextLogging as CleartextLogg
  * added either by extending the relevant class, or by subclassing this configuration itself,
  * and amending the sources and sinks.
  */
-class Configuration extends TaintTracking::Configuration {
+module CleartextLoggingConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Barrier }
+
+  predicate isBarrierIn(DataFlow::Node node) {
+    // We rely on heuristic sources, which tends to cause sources to overlap
+    isSource(node)
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
+    CleartextLogging::isAdditionalTaintStep(src, trg)
+  }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet contents) {
+    // Assume all properties of a logged object are themselves logged.
+    contents = DataFlow::ContentSet::anyProperty() and
+    isSink(node)
+  }
+}
+
+/**
+ * Taint tracking flow for clear-text logging of sensitive information.
+ */
+module CleartextLoggingFlow = TaintTracking::Global<CleartextLoggingConfig>;
+
+/**
+ * DEPRECATED. Use the `CleartextLoggingFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "CleartextLogging" }
 
   override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
diff --git a/javascript/ql/src/Security/CWE-312/CleartextLogging.ql b/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
@@ -15,7 +15,7 @@
 
 import javascript
 import semmle.javascript.security.dataflow.CleartextLoggingQuery
-import DataFlow::PathGraph
+import CleartextLoggingFlow::PathGraph
 
 /**
  * Holds if `tl` is used in a browser environment.
@@ -33,9 +33,9 @@ predicate inBrowserEnvironment(TopLevel tl) {
   )
 }
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+from CleartextLoggingFlow::PathNode source, CleartextLoggingFlow::PathNode sink
 where
-  cfg.hasFlowPath(source, sink) and
+  CleartextLoggingFlow::flowPath(source, sink) and
   // ignore logging to the browser console (even though it is not a good practice)
   not inBrowserEnvironment(sink.getNode().asExpr().getTopLevel())
 select sink.getNode(), source, sink, "This logs sensitive data returned by $@ as clear text.",
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected b/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
