Merge pull request #5841 from erik-krogh/libCode

Approved by esbena, ethanpalm

javascript/ql/src/Security/CWE-094/UnsafeCodeConstruction.qhelp

@@ -0,0 +1,55 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+When a library function dynamically constructs code in a potentially unsafe way, then 
+it's important to document to clients of the library that the function should only be
+used with trusted inputs.
+
+If the function is not documented as being potentially unsafe, then a client may
+incorrectly use inputs containing unsafe code fragments, and thereby leave the
+client vulnerable to code-injection attacks.
+</p>
+
+</overview>
+
+<recommendation>
+<p>
+Properly document library functions that construct code from unsanitized 
+inputs, or avoid constructing code in the first place.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows two methods implemented using `eval`: a simple
+deserialization routine and a getter method.
+If untrusted inputs are used with these methods,
+then an attacker might be able to execute arbitrary code on the system. 
+</p>
+
+<sample src="examples/UnsafeCodeConstruction.js" />
+
+<p>
+To avoid this problem, either properly document that the function is potentially
+unsafe, or use an alternative solution such as `JSON.parse` or another library, like in the examples below, 
+that does not allow arbitrary code to be executed.
+</p>
+
+<sample src="examples/UnsafeCodeConstructionSafe.js" />
+
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Code_Injection">Code Injection</a>.
+</li>
+<li>
+Wikipedia: <a href="https://en.wikipedia.org/wiki/Code_injection">Code Injection</a>.
+</li>
+</references>
+</qhelp>

javascript/ql/src/Security/CWE-094/UnsafeCodeConstruction.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Unsafe code constructed from libary input
+ * @description Using externally controlled strings to construct code may allow a malicious
+ *              user to execute arbitrary code.
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision medium
+ * @id js/unsafe-code-construction
+ * @tags security
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import javascript
+import DataFlow::PathGraph
+import semmle.javascript.security.dataflow.UnsafeCodeConstruction::UnsafeCodeConstruction
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "$@ flows to here and is later $@.", source.getNode(),
+  "Library input", sink.getNode().(Sink).getCodeSink(), "interpreted as code"

javascript/ql/src/Security/CWE-094/examples/UnsafeCodeConstruction.js

@@ -0,0 +1,7 @@
+export function unsafeDeserialize(value) {
+  return eval(`(${value})`);
+}
+
+export function unsafeGetter(obj, path) {
+    return eval(`obj.${path}`);
+}

javascript/ql/src/Security/CWE-094/examples/UnsafeCodeConstructionSafe.js

@@ -0,0 +1,8 @@
+export function safeDeserialize(value) {
+  return JSON.parse(value);
+}
+
+const _ = require("lodash");
+export function safeGetter(object, path) {
+  return _.get(object, path);
+}

javascript/ql/src/change-notes/2022-02-04-unsafe-code-construction.md

@@ -0,0 +1,5 @@
+---
+category: newQuery
+---
+* A new query, `js/unsafe-code-construction`, has been added to the query suite, highlighting libraries that may leave clients vulnerable to arbitary code execution.
+  The query is not run by default.