introduce basic BuildArtifactLeak query

erik-krogh · erik-krogh · commit be71ddf7bb5b · 2020-06-09T15:27:55.000+02:00
diff --git a/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.qhelp b/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.qhelp
@@ -0,0 +1,5 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<include src="CleartextStorage.qhelp" /></qhelp>
diff --git a/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql b/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql
@@ -0,0 +1,23 @@
+/**
+ * @name Storage of sensitive information in build artifact
+ * @description Including sensitive information in a build artifact can
+ *              expose it to an attacker.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id js/build-artifact-leak
+ * @tags security
+ *       external/cwe/cwe-312
+ *       external/cwe/cwe-315
+ *       external/cwe/cwe-359
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.BuildArtifactLeak::BuildArtifactLeak
+import DataFlow::PathGraph
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Sensitive data returned by $@ is stored in build artifact here.", source.getNode(),
+  source.getNode().(CleartextLogging::Source).describe()
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/BuildArtifactLeak.qll b/javascript/ql/src/semmle/javascript/security/dataflow/BuildArtifactLeak.qll
@@ -0,0 +1,40 @@
+/**
+ * Provides a dataflow tracking configuration for reasoning about
+ * storage of sensitive information in build artifact.
+ *
+ * Note, for performance reasons: only import this file if
+ * `CleartextLogging::Configuration` is needed, otherwise
+ * `CleartextLoggingCustomizations` should be imported instead.
+ */
+
+import javascript
+
+module BuildArtifactLeak {
+  import BuildArtifactLeakCustomizations::BuildArtifactLeak
+  import CleartextLoggingCustomizations::CleartextLogging as CleartextLogging
+
+  /**
+   * A taint tracking configuration for storage of sensitive information in build artifact.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "CleartextLogging" }
+
+    override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
+      source.(CleartextLogging::Source).getLabel() = lbl
+    }
+
+    override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
+      sink.(Sink).getLabel() = lbl
+    }
+
+    override predicate isSanitizer(DataFlow::Node node) { node instanceof CleartextLogging::Barrier }
+
+    override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
+      CleartextLogging::isSanitizerEdge(pred, succ)
+    }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
+      CleartextLogging::isAdditionalTaintStep(src, trg)
+    }
+  }
+}
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/BuildArtifactLeakCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/BuildArtifactLeakCustomizations.qll
@@ -0,0 +1,32 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * storage of sensitive information in build artifact, as well as extension
+ * points for adding your own.
+ */
+
+import javascript
+private import semmle.javascript.dataflow.InferredTypes
+private import semmle.javascript.security.SensitiveActions::HeuristicNames
+
+module BuildArtifactLeak {
+  /**
+   * A data flow sink for clear-text logging of sensitive information.
+   */
+  abstract class Sink extends DataFlow::Node {
+    DataFlow::FlowLabel getLabel() { result.isTaint() }
+  }
+
+  /**
+   * An instantiation of `webpack.DefintePlugin` that stores information in a compiled JavaScript file.
+   */
+  class WebpackDefinePluginSink extends Sink {
+    WebpackDefinePluginSink() {
+      this =
+        DataFlow::moduleMember("webpack", "DefinePlugin")
+            .getAnInstantiation()
+            .getAnArgument()
+            .getALocalSource()
+            .getAPropertySource()
+    }
+  }
+}
