JS: add query js/cleartext-logging

2026-03-22 07:26:45 +01:00 · 2018-08-08 13:20:31 +02:00
parent b4952e7bfd
commit 0c4fb15651
19 changed files with 469 additions and 0 deletions
--- a/javascript/ql/src/Security/CWE-312/CleartextLogging.qhelp
+++ b/javascript/ql/src/Security/CWE-312/CleartextLogging.qhelp
@@ -0,0 +1,5 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<include src="CleartextStorage.qhelp" /></qhelp>
--- a/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
+++ b/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
@@ -0,0 +1,55 @@
+/**
+ * @name Clear text logging of sensitive information
+ * @description Sensitive information logged without encryption or hashing can expose it to an
+ *              attacker.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id js/cleartext-logging
+ * @tags security
+ *       external/cwe/cwe-312
+ *       external/cwe/cwe-315
+ *       external/cwe/cwe-359
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.CleartextLogging::CleartextLogging
+
+/**
+ * Holds if `tl` is used in a browser environment.
+ */
+predicate inBrowserEnvironment(TopLevel tl) {
+  tl instanceof InlineScript or
+  tl instanceof CodeInAttribute or
+  exists (GlobalVarAccess e |
+    e.getTopLevel() = tl |
+    e.getName() = "window"
+  ) or
+  exists (Module m | inBrowserEnvironment(m) |
+    tl = m.getAnImportedModule() or
+    m = tl.(Module).getAnImportedModule()
+  )
+}
+
+/**
+ * Holds if `sink` only is reachable in a "test" environment.
+ */
+predicate inTestEnvironment(Sink sink) {
+  exists (IfStmt guard, Identifier id |
+    // heuristic: a deliberate environment choice by the programmer related to passwords implies a test environment
+    id.getName().regexpMatch("(?i).*(test|develop|production).*") and
+    id.(Expr).getParentExpr*() = guard.getCondition() and
+    (
+      guard.getAControlledStmt() = sink.asExpr().getEnclosingStmt() or
+      guard.getAControlledStmt().(BlockStmt).getAChildStmt() = sink.asExpr().getEnclosingStmt()
+    )
+  )
+}
+
+from Configuration cfg, Source source, DataFlow::Node sink
+where cfg.hasFlow(source, sink) and
+      // ignore logging to the browser console (even though it is not a good practice)
+      not inBrowserEnvironment(sink.asExpr().getTopLevel()) and
+      // ignore logging when testing
+      not inTestEnvironment(sink)
+select sink, "Sensitive data returned by $@ is logged here.", source, source.describe()
--- a/javascript/ql/src/Security/CWE-312/CleartextStorage.qhelp
+++ b/javascript/ql/src/Security/CWE-312/CleartextStorage.qhelp
@@ -22,6 +22,15 @@ sensitive information.
 In general, decrypt sensitive information only at the point where it is
 necessary for it to be used in cleartext.
 </p>
+
+<p>
+
+Be aware that external processes often store the <code>standard
+out</code> and <code>standard error</code> streams of the application,
+causing logged sensitive information to be stored as well.
+
+</p>
+
 </recommendation>

 <example>