Add dual/restricted-flow-configuration sql injection taint tracking query

2025-12-16 12:03:03 +01:00 · 2023-11-26 19:44:50 -08:00
parent fc09596b45
commit 5496a1c5ae
5 changed files with 189 additions and 16 deletions
--- a/session/session.ql
+++ b/session/session.ql
@@ -32,10 +32,6 @@ class FlowSinkOrigin extends DataFlow::FlowLabel {
  FlowSinkOrigin() { this = "FlowSinkOrigin" }
 }
 class UltimateFlow extends DataFlow::FlowLabel {
  UltimateFlow() { this = "UltimateFlow" }
 }
 class IdentifyFlowSink extends TaintTracking::Configuration {
  IdentifyFlowSink() { this = "IdentifyFlowSink" }
@@ -46,9 +42,6 @@ class IdentifyFlowSink extends TaintTracking::Configuration {
      nd.asExpr() = newdb and
      lbl instanceof FlowSinkOrigin
    )
    or
    nd.asExpr() = uSource(_) and
    lbl instanceof UltimateFlow
  }
  override predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
@@ -59,9 +52,6 @@ class IdentifyFlowSink extends TaintTracking::Configuration {
      nd.asExpr() = db and
      lbl instanceof FlowSinkOrigin
    )
    or
    nd.asExpr() = uSink(_) and
    lbl instanceof UltimateFlow
  }
 }
@@ -73,9 +63,14 @@ class UltimateFlowCfg extends TaintTracking::Configuration {
  override predicate isSink(DataFlow::Node nd) { nd.asExpr() = uSink(_) }
 }
-// from IdentifyFlowSink cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+from
-// where cfg.hasFlowPath(source, sink)
+  UltimateFlowCfg ucfg, DataFlow::PathNode usource, DataFlow::PathNode usink, IdentifyFlowSink cfg,
-// select sink, source, sink, "Database originating $@", source, "here"
+  DataFlow::Node source, DataFlow::Node sink
-from UltimateFlowCfg cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where
-where cfg.hasFlowPath(source, sink)
+  cfg.hasFlow(source, sink) and
-select sink, source, sink, "Sql injected from $@", source, "here"
+  ucfg.hasFlowPath(usource, usink) and
  exists(MethodCallExpr exec |
    sink.asExpr() = exec.getReceiver() and
    usink.getNode().asExpr() = exec.getAnArgument()
  )
 select usink, usource, usink, "Sql injected from $@", usource, "here"
--- a/solutions/RestrictedSqlInjection.ql
+++ b/solutions/RestrictedSqlInjection.ql
@@ -0,0 +1,76 @@
 /**
 * @kind path-problem
 */
 import javascript
 import DataFlow::PathGraph
 // Ultimate source
 // ----------------
 //     var line = stdinBuffer.toString();
 Expr uSource(MethodCallExpr sbts) {
  sbts.getMethodName().matches("%toString%") and
  result = sbts
 }
 // Ultimate sink
 // ----------------
 //     db.exec(query);
 Expr uSink(MethodCallExpr exec) {
  exec.getMethodName() = "exec" and
  result = exec.getArgument(0)
 }
 // Flow sink origin
 // ------------------------
 // Connect
 //     const db = new sqlite3.Database(
 // to its use
 //     db.exec(query);
 //
 class FlowSinkOrigin extends DataFlow::FlowLabel {
  FlowSinkOrigin() { this = "FlowSinkOrigin" }
 }
 class IdentifyFlowSink extends TaintTracking::Configuration {
  IdentifyFlowSink() { this = "IdentifyFlowSink" }
  override predicate isSource(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
    //     const db = new sqlite3.Database(
    exists(NewExpr newdb |
      newdb.getCalleeName() = "Database" and
      nd.asExpr() = newdb and
      lbl instanceof FlowSinkOrigin
    )
  }
  override predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
    //     db.exec(query);
    exists(Expr db, MethodCallExpr exec |
      exec.getMethodName() = "exec" and
      db = exec.getReceiver() and
      nd.asExpr() = db and
      lbl instanceof FlowSinkOrigin
    )
  }
 }
 class UltimateFlowCfg extends TaintTracking::Configuration {
  UltimateFlowCfg() { this = "UltimateFlowCfg" }
  override predicate isSource(DataFlow::Node nd) { nd.asExpr() = uSource(_) }
  override predicate isSink(DataFlow::Node nd) { nd.asExpr() = uSink(_) }
 }
 from
  UltimateFlowCfg ucfg, DataFlow::PathNode usource, DataFlow::PathNode usink, IdentifyFlowSink cfg,
  DataFlow::Node source, DataFlow::Node sink
 where
  cfg.hasFlow(source, sink) and
  ucfg.hasFlowPath(usource, usink) and
  exists(MethodCallExpr exec |
    sink.asExpr() = exec.getReceiver() and
    usink.getNode().asExpr() = exec.getAnArgument()
  )
 select usink, usource, usink, "Sql injected from $@", usource, "here"
--- a/tests/RestrictedSqlInjection/RestrictedSqlInjection.expected
+++ b/tests/RestrictedSqlInjection/RestrictedSqlInjection.expected
@@ -0,0 +1,54 @@
 nodes
 | add-user.js:4:9:4:37 | line |
 | add-user.js:4:16:4:37 | stdinBu ... tring() |
 | add-user.js:4:16:4:37 | stdinBu ... tring() |
 | add-user.js:6:5:6:45 | line |
 | add-user.js:6:12:6:15 | line |
 | add-user.js:6:12:6:45 | line.re ... gm, "") |
 | add-user.js:7:12:7:15 | line |
 | add-user.js:16:11:26:10 | db |
 | add-user.js:16:16:26:10 | new sql ...      }) |
 | add-user.js:16:16:26:10 | new sql ...      }) |
 | add-user.js:28:12:28:13 | db |
 | add-user.js:31:21:31:22 | db |
 | add-user.js:31:29:31:32 | info |
 | add-user.js:33:11:33:63 | query |
 | add-user.js:33:19:33:63 | `INSERT ... nfo}")` |
 | add-user.js:33:56:33:59 | info |
 | add-user.js:35:5:35:6 | db |
 | add-user.js:35:5:35:6 | db |
 | add-user.js:35:13:35:17 | query |
 | add-user.js:35:13:35:17 | query |
 | add-user.js:41:9:41:30 | info |
 | add-user.js:41:16:41:30 | get_user_info() |
 | add-user.js:43:9:43:25 | db |
 | add-user.js:43:14:43:25 | connect_db() |
 | add-user.js:44:16:44:17 | db |
 | add-user.js:44:24:44:27 | info |
 edges
 | add-user.js:4:9:4:37 | line | add-user.js:6:12:6:15 | line |
 | add-user.js:4:16:4:37 | stdinBu ... tring() | add-user.js:4:9:4:37 | line |
 | add-user.js:4:16:4:37 | stdinBu ... tring() | add-user.js:4:9:4:37 | line |
 | add-user.js:6:5:6:45 | line | add-user.js:7:12:7:15 | line |
 | add-user.js:6:12:6:15 | line | add-user.js:6:12:6:45 | line.re ... gm, "") |
 | add-user.js:6:12:6:45 | line.re ... gm, "") | add-user.js:6:5:6:45 | line |
 | add-user.js:7:12:7:15 | line | add-user.js:41:16:41:30 | get_user_info() |
 | add-user.js:16:11:26:10 | db | add-user.js:28:12:28:13 | db |
 | add-user.js:16:16:26:10 | new sql ...      }) | add-user.js:16:11:26:10 | db |
 | add-user.js:16:16:26:10 | new sql ...      }) | add-user.js:16:11:26:10 | db |
 | add-user.js:28:12:28:13 | db | add-user.js:43:14:43:25 | connect_db() |
 | add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
 | add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
 | add-user.js:31:29:31:32 | info | add-user.js:33:56:33:59 | info |
 | add-user.js:33:11:33:63 | query | add-user.js:35:13:35:17 | query |
 | add-user.js:33:11:33:63 | query | add-user.js:35:13:35:17 | query |
 | add-user.js:33:19:33:63 | `INSERT ... nfo}")` | add-user.js:33:11:33:63 | query |
 | add-user.js:33:56:33:59 | info | add-user.js:33:19:33:63 | `INSERT ... nfo}")` |
 | add-user.js:41:9:41:30 | info | add-user.js:44:24:44:27 | info |
 | add-user.js:41:16:41:30 | get_user_info() | add-user.js:41:9:41:30 | info |
 | add-user.js:43:9:43:25 | db | add-user.js:44:16:44:17 | db |
 | add-user.js:43:14:43:25 | connect_db() | add-user.js:43:9:43:25 | db |
 | add-user.js:44:16:44:17 | db | add-user.js:31:21:31:22 | db |
 | add-user.js:44:24:44:27 | info | add-user.js:31:29:31:32 | info |
 #select
 | add-user.js:35:13:35:17 | query | add-user.js:4:16:4:37 | stdinBu ... tring() | add-user.js:35:13:35:17 | query | Sql injected from $@ | add-user.js:4:16:4:37 | stdinBu ... tring() | here |
--- a/tests/RestrictedSqlInjection/RestrictedSqlInjection.qlref
+++ b/tests/RestrictedSqlInjection/RestrictedSqlInjection.qlref
@@ -0,0 +1 @@
 RestrictedSqlInjection.ql
--- a/tests/RestrictedSqlInjection/add-user.js
+++ b/tests/RestrictedSqlInjection/add-user.js
@@ -0,0 +1,47 @@
 function get_user_info() {
    var fs = require("fs");
    var stdinBuffer = fs.readFileSync(process.stdin.fd);
    var line = stdinBuffer.toString();
    console.log(line);
    line = line.replace(/(\r\n|\n|\r)/gm, "");
    return line
 }
 function get_new_id() {
    return Math.floor(Math.random() * 12345);
 }
 function connect_db() {
    const sqlite3 = require('sqlite3').verbose();
    const db = new sqlite3.Database(
        'users.sqlite',
        sqlite3.OPEN_READWRITE | sqlite3.OPEN_FULLMUTEX, 
        err => {
            if (err){
                console.log(err);
                throw err;
            } else {
                console.log('DB opened');
            }
        });
    return db;
 }
 function write_info(db, id, info) {
    db.serialize();
    const query = `INSERT INTO users VALUES (${id}, "${info}")`;
    console.log(query);
    db.exec(query);
    db.close();
 }
 let add_user = () => {
    console.log("Running add-user");
    var info = get_user_info();
    var id = get_new_id();
    var db = connect_db();
    write_info(db, id, info);
 }
 add_user()