JS: Port PrototypePollutingAssignment

asgerf · asgerf · commit f1f45927b121 · 2023-10-13T13:15:04.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentCustomizations.qll
@@ -38,6 +38,30 @@ module PrototypePollutingAssignment {
    */
   abstract class Sanitizer extends DataFlow::Node { }
 
+  /**
+   * A barrier guard for prototype-polluting assignments.
+   */
+  abstract class BarrierGuard extends DataFlow::Node {
+    /**
+     * Holds if this node acts as a barrier for data flow, blocking further flow from `e` if `this` evaluates to `outcome`.
+     */
+    predicate blocksExpr(boolean outcome, Expr e) { none() }
+
+    /**
+     * Holds if this node acts as a barrier for `label`, blocking further flow from `e` if `this` evaluates to `outcome`.
+     */
+    predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) { none() }
+  }
+
+  /** A subclass of `BarrierGuard` that is used for backward compatibility with the old data flow library. */
+  abstract class BarrierGuardLegacy extends BarrierGuard, TaintTracking::SanitizerGuardNode {
+    override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+
+    override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      this.blocksExpr(outcome, e, label)
+    }
+  }
+
   /** A flow label representing the `Object.prototype` value. */
   abstract class ObjectPrototype extends DataFlow::FlowLabel {
     ObjectPrototype() { this = "Object.prototype" }
@@ -46,7 +70,9 @@ module PrototypePollutingAssignment {
   /** The base of an assignment or extend call, as a sink for `Object.prototype` references. */
   private class DefaultSink extends Sink {
     DefaultSink() {
-      this = any(DataFlow::PropWrite write).getBase()
+      // Avoid using PropWrite here as we only want assignments that can mutate a pre-existing object,
+      // so not object literals or array literals.
+      this = any(AssignExpr assign).getTarget().(PropAccess).getBase().flow()
       or
       this = any(ExtendCall c).getDestinationOperand()
       or
@@ -67,7 +93,9 @@ module PrototypePollutingAssignment {
    * A parameter of an exported function, seen as a source prototype-polluting assignment.
    */
   class ExternalInputSource extends Source {
-    ExternalInputSource() { this = Exports::getALibraryInputParameter() }
+    ExternalInputSource() {
+      this = Exports::getALibraryInputParameter() and not this instanceof RemoteFlowSource
+    }
 
     override string describe() { result = "library input" }
   }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
@@ -19,16 +19,18 @@ private class ConcreteObjectPrototype extends ObjectPrototype {
 }
 
 /** A taint-tracking configuration for reasoning about prototype-polluting assignments. */
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "PrototypePollutingAssignment" }
+module PrototypePollutingAssignmentConfig implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowLabel;
 
-  override predicate isSource(DataFlow::Node node) { node instanceof Source }
+  predicate isSource(DataFlow::Node node, DataFlow::FlowLabel label) {
+    node instanceof Source and label.isTaint()
+  }
 
-  override predicate isSink(DataFlow::Node node, DataFlow::FlowLabel lbl) {
+  predicate isSink(DataFlow::Node node, DataFlow::FlowLabel lbl) {
     node.(Sink).getAFlowLabel() = lbl
   }
 
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     node instanceof Sanitizer
     or
     // Concatenating with a string will in practice prevent the string `__proto__` from arising.
@@ -53,17 +55,24 @@ class Configuration extends TaintTracking::Configuration {
         not replace.getRawReplacement().getStringValue() = ""
       )
     )
+    or
+    node = DataFlow::MakeBarrierGuard<BarrierGuard>::getABarrierNode()
   }
 
-  override predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowLabel lbl) {
+  predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowLabel lbl) {
     // Suppress the value-preserving step src -> dst in `extend(dst, src)`. This is modeled as a value-preserving
     // step because it preserves all properties, but the destination is not actually Object.prototype.
     node = any(ExtendCall call).getASourceOperand() and
     lbl instanceof ObjectPrototype
   }
 
-  override predicate isAdditionalFlowStep(
-    DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
+  predicate isBarrierIn(DataFlow::Node node, DataFlow::FlowLabel lbl) {
+    // FIXME: This should only be an in-barrier for the corresponding flow state, but flow-state specific in-barriers are not supported right now.
+    isSource(node, lbl)
+  }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node pred, DataFlow::FlowLabel inlbl, DataFlow::Node succ, DataFlow::FlowLabel outlbl
   ) {
     // Step from x -> obj[x] while switching to the ObjectPrototype label
     // (If `x` can have the value `__proto__` then the result can be Object.prototype)
@@ -91,7 +100,80 @@ class Configuration extends TaintTracking::Configuration {
       outlbl instanceof ObjectPrototype
     )
     or
-    DataFlow::localFieldStep(pred, succ) and inlbl = outlbl
+    // TODO: local field step becomes a jump step, resulting in FPs (closure-lib)
+    // TODO: localFieldStep is too expensive with dataflow2
+    // DataFlow::localFieldStep(pred, succ)
+    none()
+    or
+    inlbl.isTaint() and
+    TaintTracking::defaultTaintStep(pred, succ) and
+    inlbl = outlbl
+  }
+
+  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel lbl) {
+    lbl.isTaint() and
+    TaintTracking::defaultSanitizer(node)
+    or
+    // Don't propagate into the receiver, as the method lookups will generally fail on Object.prototype.
+    node instanceof DataFlow::ThisNode and
+    lbl instanceof ObjectPrototype
+    or
+    node = DataFlow::MakeLabeledBarrierGuard<BarrierGuard>::getABarrierNode(lbl)
+  }
+}
+
+/** Taint-tracking for reasoning about prototype-polluting assignments. */
+module PrototypePollutingAssignmentFlow =
+  DataFlow::GlobalWithState<PrototypePollutingAssignmentConfig>;
+
+/**
+ * Holds if the given `source, sink` pair should not be reported, as we don't have enough
+ * confidence in the alert given that source is a library input.
+ */
+bindingset[source, sink]
+predicate isIgnoredLibraryFlow(ExternalInputSource source, Sink sink) {
+  exists(source) and
+  // filter away paths that start with library inputs and end with a write to a fixed property.
+  exists(DataFlow::PropWrite write | sink = write.getBase() |
+    // fixed property name
+    exists(write.getPropertyName())
+    or
+    // non-string property name (likely number)
+    exists(Expr prop | prop = write.getPropertyNameExpr() |
+      not prop.analyze().getAType() = TTString()
+    )
+  )
+}
+
+/**
+ * DEPRECATED. Use the `PrototypePollutingAssignmentFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "PrototypePollutingAssignment" }
+
+  override predicate isSource(DataFlow::Node node) { node instanceof Source }
+
+  override predicate isSink(DataFlow::Node node, DataFlow::FlowLabel lbl) {
+    node.(Sink).getAFlowLabel() = lbl
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    PrototypePollutingAssignmentConfig::isBarrier(node)
+  }
+
+  override predicate isSanitizerOut(DataFlow::Node node, DataFlow::FlowLabel lbl) {
+    // Suppress the value-preserving step src -> dst in `extend(dst, src)`. This is modeled as a value-preserving
+    // step because it preserves all properties, but the destination is not actually Object.prototype.
+    node = any(ExtendCall call).getASourceOperand() and
+    lbl instanceof ObjectPrototype
+  }
+
+  override predicate isAdditionalFlowStep(
+    DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
+  ) {
+    PrototypePollutingAssignmentConfig::isAdditionalFlowStep(pred, inlbl, succ, outlbl)
   }
 
   override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
@@ -174,51 +256,49 @@ private predicate isPropertyPresentOnObjectPrototype(string prop) {
 }
 
 /** A check of form `e.prop` where `prop` is not present on `Object.prototype`. */
-private class PropertyPresenceCheck extends TaintTracking::LabeledSanitizerGuardNode,
-  DataFlow::ValueNode
-{
+private class PropertyPresenceCheck extends BarrierGuardLegacy, DataFlow::ValueNode {
   override PropAccess astNode;
 
   PropertyPresenceCheck() {
     astNode = any(ConditionGuardNode c).getTest() and // restrict size of charpred
     not isPropertyPresentOnObjectPrototype(astNode.getPropertyName())
   }
 
-  override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+  override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
     e = astNode.getBase() and
     outcome = true and
     label instanceof ObjectPrototype
   }
 }
 
 /** A check of form `"prop" in e` where `prop` is not present on `Object.prototype`. */
-private class InExprCheck extends TaintTracking::LabeledSanitizerGuardNode, DataFlow::ValueNode {
+private class InExprCheck extends BarrierGuardLegacy, DataFlow::ValueNode {
   override InExpr astNode;
 
   InExprCheck() {
     not isPropertyPresentOnObjectPrototype(astNode.getLeftOperand().getStringValue())
   }
 
-  override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+  override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
     e = astNode.getRightOperand() and
     outcome = true and
     label instanceof ObjectPrototype
   }
 }
 
 /** A check of form `e instanceof X`, which is always false for `Object.prototype`. */
-private class InstanceofCheck extends TaintTracking::LabeledSanitizerGuardNode, DataFlow::ValueNode {
+private class InstanceofCheck extends BarrierGuardLegacy, DataFlow::ValueNode {
   override InstanceofExpr astNode;
 
-  override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+  override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
     e = astNode.getLeftOperand() and
     outcome = true and
     label instanceof ObjectPrototype
   }
 }
 
 /** A check of form `typeof e === "string"`. */
-private class TypeofCheck extends TaintTracking::LabeledSanitizerGuardNode, DataFlow::ValueNode {
+private class TypeofCheck extends BarrierGuardLegacy, DataFlow::ValueNode {
   override EqualityTest astNode;
   Expr operand;
   boolean polarity;
@@ -231,28 +311,28 @@ private class TypeofCheck extends TaintTracking::LabeledSanitizerGuardNode, Data
     )
   }
 
-  override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+  override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
     polarity = outcome and
     e = operand and
     label instanceof ObjectPrototype
   }
 }
 
 /** A guard that checks whether `x` is a number. */
-class NumberGuard extends TaintTracking::SanitizerGuardNode instanceof DataFlow::CallNode {
+class NumberGuard extends BarrierGuardLegacy instanceof DataFlow::CallNode {
   Expr x;
   boolean polarity;
 
   NumberGuard() { TaintTracking::isNumberGuard(this, x, polarity) }
 
-  override predicate sanitizes(boolean outcome, Expr e) { e = x and outcome = polarity }
+  override predicate blocksExpr(boolean outcome, Expr e) { e = x and outcome = polarity }
 }
 
 /** A call to `Array.isArray`, which is false for `Object.prototype`. */
-private class IsArrayCheck extends TaintTracking::LabeledSanitizerGuardNode, DataFlow::CallNode {
+private class IsArrayCheck extends BarrierGuardLegacy, DataFlow::CallNode {
   IsArrayCheck() { this = DataFlow::globalVarRef("Array").getAMemberCall("isArray") }
 
-  override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+  override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
     e = this.getArgument(0).asExpr() and
     outcome = true and
     label instanceof ObjectPrototype
@@ -262,12 +342,12 @@ private class IsArrayCheck extends TaintTracking::LabeledSanitizerGuardNode, Dat
 /**
  * Sanitizer guard of form `x !== "__proto__"`.
  */
-private class EqualityCheck extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
+private class EqualityCheck extends BarrierGuardLegacy, DataFlow::ValueNode {
   override EqualityTest astNode;
 
   EqualityCheck() { astNode.getAnOperand().getStringValue() = "__proto__" }
 
-  override predicate sanitizes(boolean outcome, Expr e) {
+  override predicate blocksExpr(boolean outcome, Expr e) {
     e = astNode.getAnOperand() and
     outcome = astNode.getPolarity().booleanNot()
   }
@@ -276,10 +356,10 @@ private class EqualityCheck extends TaintTracking::SanitizerGuardNode, DataFlow:
 /**
  * Sanitizer guard of the form `x.includes("__proto__")`.
  */
-private class IncludesCheck extends TaintTracking::LabeledSanitizerGuardNode, InclusionTest {
+private class IncludesCheck extends BarrierGuardLegacy, InclusionTest {
   IncludesCheck() { this.getContainedNode().mayHaveStringValue("__proto__") }
 
-  override predicate sanitizes(boolean outcome, Expr e) {
+  override predicate blocksExpr(boolean outcome, Expr e) {
     e = this.getContainerNode().asExpr() and
     outcome = this.getPolarity().booleanNot()
   }
@@ -288,7 +368,7 @@ private class IncludesCheck extends TaintTracking::LabeledSanitizerGuardNode, In
 /**
  * A sanitizer guard that checks tests whether `x` is included in a list like `["__proto__"].includes(x)`.
  */
-private class DenyListInclusionGuard extends TaintTracking::SanitizerGuardNode, InclusionTest {
+private class DenyListInclusionGuard extends BarrierGuardLegacy, InclusionTest {
   DenyListInclusionGuard() {
     this.getContainerNode()
         .getALocalSource()
@@ -297,7 +377,7 @@ private class DenyListInclusionGuard extends TaintTracking::SanitizerGuardNode,
         .mayHaveStringValue("__proto__")
   }
 
-  override predicate sanitizes(boolean outcome, Expr e) {
+  override predicate blocksExpr(boolean outcome, Expr e) {
     e = this.getContainedNode().asExpr() and
     outcome = super.getPolarity().booleanNot()
   }
diff --git a/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql b/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
@@ -19,10 +19,13 @@
 
 import javascript
 import semmle.javascript.security.dataflow.PrototypePollutingAssignmentQuery
-import DataFlow::PathGraph
+import PrototypePollutingAssignmentFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from
+  PrototypePollutingAssignmentFlow::PathNode source, PrototypePollutingAssignmentFlow::PathNode sink
+where
+  PrototypePollutingAssignmentFlow::flowPath(source, sink) and
+  not isIgnoredLibraryFlow(source.getNode(), sink.getNode())
 select sink, source, sink,
   "This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@.",
   source.getNode(), source.getNode().(Source).describe()
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.expected b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.expected
@@ -0,0 +1 @@
+| query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js:70 | expected an alert, but found none | NOT OK | Config |
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.ql b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/Consistency.ql
@@ -2,6 +2,15 @@ import javascript
 import testUtilities.ConsistencyChecking
 import semmle.javascript.security.dataflow.PrototypePollutingAssignmentQuery
 
-class Config extends ConsistencyConfiguration, Configuration {
+class Config extends ConsistencyConfiguration {
+  Config() { this = "Config" }
+
   override File getAFile() { any() }
+
+  override DataFlow::Node getAnAlert() {
+    exists(DataFlow::Node source |
+      PrototypePollutingAssignmentFlow::flow(source, result) and
+      not isIgnoredLibraryFlow(source, result)
+    )
+  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js:70 \| expected an alert, but found none \| NOT OK \| Config \|`