mirror of
https://github.com/github/codeql.git
synced 2026-04-25 16:55:19 +02:00
JS: Port BuildArtifactLeak
This commit is contained in:
Asger F
@@ -14,7 +14,33 @@ import CleartextLoggingCustomizations::CleartextLogging as CleartextLogging
|
||||
/**
|
||||
* A taint tracking configuration for storage of sensitive information in build artifact.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
module BuildArtifactLeakConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof CleartextLogging::Source }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof CleartextLogging::Barrier }
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
|
||||
CleartextLogging::isAdditionalTaintStep(src, trg)
|
||||
}
|
||||
|
||||
predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet contents) {
|
||||
// All properties of a leaked object are themselves leaked.
|
||||
contents = DataFlow::ContentSet::anyProperty() and
|
||||
isSink(node)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Taint tracking flow for storage of sensitive information in build artifact.
|
||||
*/
|
||||
module BuildArtifactLeakFlow = TaintTracking::Global<BuildArtifactLeakConfig>;
|
||||
|
||||
/**
|
||||
* DEPRECATED. Use the `BuildArtifactLeakFlow` module instead.
|
||||
*/
|
||||
deprecated class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "BuildArtifactLeak" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
|
||||
|
||||
@@ -15,10 +15,10 @@
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.BuildArtifactLeakQuery
|
||||
import DataFlow::PathGraph
|
||||
import BuildArtifactLeakFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasFlowPath(source, sink)
|
||||
from BuildArtifactLeakFlow::PathNode source, BuildArtifactLeakFlow::PathNode sink
|
||||
where BuildArtifactLeakFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This creates a build artifact that depends on $@.",
|
||||
source.getNode(),
|
||||
"sensitive data returned by" + source.getNode().(CleartextLogging::Source).describe()
|
||||
|
||||
@@ -1,67 +1,63 @@
|
||||
nodes
|
||||
| build-leaks.js:4:39:6:1 | { // NO ... .env)\\n} |
|
||||
| build-leaks.js:4:39:6:1 | { // NO ... .env)\\n} |
|
||||
| build-leaks.js:5:20:5:46 | JSON.st ... ss.env) |
|
||||
| build-leaks.js:5:35:5:45 | process.env |
|
||||
| build-leaks.js:5:35:5:45 | process.env |
|
||||
| build-leaks.js:13:11:19:10 | raw |
|
||||
| build-leaks.js:13:17:19:10 | Object. ... }) |
|
||||
| build-leaks.js:14:18:14:20 | env |
|
||||
| build-leaks.js:15:24:15:34 | process.env |
|
||||
| build-leaks.js:15:24:15:34 | process.env |
|
||||
| build-leaks.js:15:24:15:39 | process.env[key] |
|
||||
| build-leaks.js:16:20:16:22 | env |
|
||||
| build-leaks.js:21:11:26:5 | stringifed |
|
||||
| build-leaks.js:21:24:26:5 | {\\n ... )\\n } |
|
||||
| build-leaks.js:22:24:25:14 | Object. ... }, {}) |
|
||||
| build-leaks.js:22:49:22:51 | env |
|
||||
| build-leaks.js:23:24:23:47 | JSON.st ... w[key]) |
|
||||
| build-leaks.js:23:39:23:41 | raw |
|
||||
| build-leaks.js:23:39:23:46 | raw[key] |
|
||||
| build-leaks.js:24:20:24:22 | env |
|
||||
| build-leaks.js:30:22:30:31 | stringifed |
|
||||
| build-leaks.js:34:26:34:57 | getEnv( ... ngified |
|
||||
| build-leaks.js:34:26:34:57 | getEnv( ... ngified |
|
||||
| build-leaks.js:40:9:40:60 | pw |
|
||||
| build-leaks.js:40:14:40:60 | url.par ... assword |
|
||||
| build-leaks.js:40:14:40:60 | url.par ... assword |
|
||||
| build-leaks.js:41:43:41:86 | { "proc ... y(pw) } |
|
||||
| build-leaks.js:41:43:41:86 | { "proc ... y(pw) } |
|
||||
| build-leaks.js:41:67:41:84 | JSON.stringify(pw) |
|
||||
| build-leaks.js:41:82:41:83 | pw |
|
||||
edges
|
||||
| build-leaks.js:5:20:5:46 | JSON.st ... ss.env) | build-leaks.js:4:39:6:1 | { // NO ... .env)\\n} |
|
||||
| build-leaks.js:5:20:5:46 | JSON.st ... ss.env) | build-leaks.js:4:39:6:1 | { // NO ... .env)\\n} |
|
||||
| build-leaks.js:4:39:6:1 | [post update] { // NO ... .env)\\n} [process.env] | build-leaks.js:4:39:6:1 | { // NO ... .env)\\n} |
|
||||
| build-leaks.js:5:20:5:46 | JSON.st ... ss.env) | build-leaks.js:4:39:6:1 | [post update] { // NO ... .env)\\n} [process.env] |
|
||||
| build-leaks.js:5:35:5:45 | process.env | build-leaks.js:5:20:5:46 | JSON.st ... ss.env) |
|
||||
| build-leaks.js:5:35:5:45 | process.env | build-leaks.js:5:20:5:46 | JSON.st ... ss.env) |
|
||||
| build-leaks.js:13:11:19:10 | raw | build-leaks.js:23:39:23:41 | raw |
|
||||
| build-leaks.js:13:11:19:10 | raw | build-leaks.js:22:36:22:38 | raw |
|
||||
| build-leaks.js:13:17:19:10 | Object. ... }) | build-leaks.js:13:11:19:10 | raw |
|
||||
| build-leaks.js:14:18:14:20 | env | build-leaks.js:16:20:16:22 | env |
|
||||
| build-leaks.js:15:24:15:34 | process.env | build-leaks.js:14:18:14:20 | env |
|
||||
| build-leaks.js:15:24:15:34 | process.env | build-leaks.js:14:18:14:20 | env |
|
||||
| build-leaks.js:15:24:15:34 | process.env | build-leaks.js:15:24:15:39 | process.env[key] |
|
||||
| build-leaks.js:15:24:15:34 | process.env | build-leaks.js:15:24:15:39 | process.env[key] |
|
||||
| build-leaks.js:15:24:15:39 | process.env[key] | build-leaks.js:14:18:14:20 | env |
|
||||
| build-leaks.js:15:13:15:15 | [post update] env | build-leaks.js:14:18:14:20 | env |
|
||||
| build-leaks.js:15:13:15:15 | [post update] env | build-leaks.js:17:12:19:9 | [post update] {\\n ... } |
|
||||
| build-leaks.js:15:24:15:34 | process.env | build-leaks.js:15:13:15:15 | [post update] env |
|
||||
| build-leaks.js:16:20:16:22 | env | build-leaks.js:13:17:19:10 | Object. ... }) |
|
||||
| build-leaks.js:16:20:16:22 | env | build-leaks.js:14:18:14:20 | env |
|
||||
| build-leaks.js:21:11:26:5 | stringifed | build-leaks.js:30:22:30:31 | stringifed |
|
||||
| build-leaks.js:21:24:26:5 | {\\n ... )\\n } | build-leaks.js:21:11:26:5 | stringifed |
|
||||
| build-leaks.js:22:24:25:14 | Object. ... }, {}) | build-leaks.js:21:24:26:5 | {\\n ... )\\n } |
|
||||
| build-leaks.js:22:49:22:51 | env | build-leaks.js:24:20:24:22 | env |
|
||||
| build-leaks.js:23:24:23:47 | JSON.st ... w[key]) | build-leaks.js:22:49:22:51 | env |
|
||||
| build-leaks.js:23:39:23:41 | raw | build-leaks.js:22:49:22:51 | env |
|
||||
| build-leaks.js:23:39:23:41 | raw | build-leaks.js:23:39:23:46 | raw[key] |
|
||||
| build-leaks.js:23:39:23:46 | raw[key] | build-leaks.js:23:24:23:47 | JSON.st ... w[key]) |
|
||||
| build-leaks.js:24:20:24:22 | env | build-leaks.js:22:24:25:14 | Object. ... }, {}) |
|
||||
| build-leaks.js:24:20:24:22 | env | build-leaks.js:22:49:22:51 | env |
|
||||
| build-leaks.js:30:22:30:31 | stringifed | build-leaks.js:34:26:34:57 | getEnv( ... ngified |
|
||||
| build-leaks.js:30:22:30:31 | stringifed | build-leaks.js:34:26:34:57 | getEnv( ... ngified |
|
||||
| build-leaks.js:17:12:19:9 | [post update] {\\n ... } | build-leaks.js:17:12:19:9 | {\\n ... } |
|
||||
| build-leaks.js:17:12:19:9 | {\\n ... } | build-leaks.js:13:17:19:10 | Object. ... }) |
|
||||
| build-leaks.js:21:11:26:5 | stringifed [process.env] | build-leaks.js:30:22:30:31 | stringifed [process.env] |
|
||||
| build-leaks.js:21:24:26:5 | {\\n ... )\\n } [process.env] | build-leaks.js:21:11:26:5 | stringifed [process.env] |
|
||||
| build-leaks.js:22:24:25:14 | Object. ... }, {}) | build-leaks.js:21:24:26:5 | {\\n ... )\\n } [process.env] |
|
||||
| build-leaks.js:22:36:22:38 | raw | build-leaks.js:22:24:25:14 | Object. ... }, {}) |
|
||||
| build-leaks.js:22:36:22:38 | raw | build-leaks.js:25:12:25:13 | [post update] {} |
|
||||
| build-leaks.js:25:12:25:13 | [post update] {} | build-leaks.js:25:12:25:13 | {} |
|
||||
| build-leaks.js:25:12:25:13 | {} | build-leaks.js:22:24:25:14 | Object. ... }, {}) |
|
||||
| build-leaks.js:28:12:31:5 | {\\n ... d\\n } [stringified, process.env] | build-leaks.js:34:26:34:45 | getEnv('production') [stringified, process.env] |
|
||||
| build-leaks.js:30:22:30:31 | stringifed [process.env] | build-leaks.js:28:12:31:5 | {\\n ... d\\n } [stringified, process.env] |
|
||||
| build-leaks.js:34:26:34:45 | getEnv('production') [stringified, process.env] | build-leaks.js:34:26:34:57 | getEnv( ... ngified [process.env] |
|
||||
| build-leaks.js:34:26:34:57 | getEnv( ... ngified [process.env] | build-leaks.js:34:26:34:57 | getEnv( ... ngified |
|
||||
| build-leaks.js:40:9:40:60 | pw | build-leaks.js:41:82:41:83 | pw |
|
||||
| build-leaks.js:40:14:40:60 | url.par ... assword | build-leaks.js:40:9:40:60 | pw |
|
||||
| build-leaks.js:40:14:40:60 | url.par ... assword | build-leaks.js:40:9:40:60 | pw |
|
||||
| build-leaks.js:41:67:41:84 | JSON.stringify(pw) | build-leaks.js:41:43:41:86 | { "proc ... y(pw) } |
|
||||
| build-leaks.js:41:67:41:84 | JSON.stringify(pw) | build-leaks.js:41:43:41:86 | { "proc ... y(pw) } |
|
||||
| build-leaks.js:41:43:41:86 | [post update] { "proc ... y(pw) } [process.env.secret] | build-leaks.js:41:43:41:86 | { "proc ... y(pw) } |
|
||||
| build-leaks.js:41:67:41:84 | JSON.stringify(pw) | build-leaks.js:41:43:41:86 | [post update] { "proc ... y(pw) } [process.env.secret] |
|
||||
| build-leaks.js:41:82:41:83 | pw | build-leaks.js:41:67:41:84 | JSON.stringify(pw) |
|
||||
nodes
|
||||
| build-leaks.js:4:39:6:1 | [post update] { // NO ... .env)\\n} [process.env] | semmle.label | [post update] { // NO ... .env)\\n} [process.env] |
|
||||
| build-leaks.js:4:39:6:1 | { // NO ... .env)\\n} | semmle.label | { // NO ... .env)\\n} |
|
||||
| build-leaks.js:5:20:5:46 | JSON.st ... ss.env) | semmle.label | JSON.st ... ss.env) |
|
||||
| build-leaks.js:5:35:5:45 | process.env | semmle.label | process.env |
|
||||
| build-leaks.js:13:11:19:10 | raw | semmle.label | raw |
|
||||
| build-leaks.js:13:17:19:10 | Object. ... }) | semmle.label | Object. ... }) |
|
||||
| build-leaks.js:14:18:14:20 | env | semmle.label | env |
|
||||
| build-leaks.js:15:13:15:15 | [post update] env | semmle.label | [post update] env |
|
||||
| build-leaks.js:15:24:15:34 | process.env | semmle.label | process.env |
|
||||
| build-leaks.js:16:20:16:22 | env | semmle.label | env |
|
||||
| build-leaks.js:17:12:19:9 | [post update] {\\n ... } | semmle.label | [post update] {\\n ... } |
|
||||
| build-leaks.js:17:12:19:9 | {\\n ... } | semmle.label | {\\n ... } |
|
||||
| build-leaks.js:21:11:26:5 | stringifed [process.env] | semmle.label | stringifed [process.env] |
|
||||
| build-leaks.js:21:24:26:5 | {\\n ... )\\n } [process.env] | semmle.label | {\\n ... )\\n } [process.env] |
|
||||
| build-leaks.js:22:24:25:14 | Object. ... }, {}) | semmle.label | Object. ... }, {}) |
|
||||
| build-leaks.js:22:36:22:38 | raw | semmle.label | raw |
|
||||
| build-leaks.js:25:12:25:13 | [post update] {} | semmle.label | [post update] {} |
|
||||
| build-leaks.js:25:12:25:13 | {} | semmle.label | {} |
|
||||
| build-leaks.js:28:12:31:5 | {\\n ... d\\n } [stringified, process.env] | semmle.label | {\\n ... d\\n } [stringified, process.env] |
|
||||
| build-leaks.js:30:22:30:31 | stringifed [process.env] | semmle.label | stringifed [process.env] |
|
||||
| build-leaks.js:34:26:34:45 | getEnv('production') [stringified, process.env] | semmle.label | getEnv('production') [stringified, process.env] |
|
||||
| build-leaks.js:34:26:34:57 | getEnv( ... ngified | semmle.label | getEnv( ... ngified |
|
||||
| build-leaks.js:34:26:34:57 | getEnv( ... ngified [process.env] | semmle.label | getEnv( ... ngified [process.env] |
|
||||
| build-leaks.js:40:9:40:60 | pw | semmle.label | pw |
|
||||
| build-leaks.js:40:14:40:60 | url.par ... assword | semmle.label | url.par ... assword |
|
||||
| build-leaks.js:41:43:41:86 | [post update] { "proc ... y(pw) } [process.env.secret] | semmle.label | [post update] { "proc ... y(pw) } [process.env.secret] |
|
||||
| build-leaks.js:41:43:41:86 | { "proc ... y(pw) } | semmle.label | { "proc ... y(pw) } |
|
||||
| build-leaks.js:41:67:41:84 | JSON.stringify(pw) | semmle.label | JSON.stringify(pw) |
|
||||
| build-leaks.js:41:82:41:83 | pw | semmle.label | pw |
|
||||
subpaths
|
||||
#select
|
||||
| build-leaks.js:4:39:6:1 | { // NO ... .env)\\n} | build-leaks.js:5:35:5:45 | process.env | build-leaks.js:4:39:6:1 | { // NO ... .env)\\n} | This creates a build artifact that depends on $@. | build-leaks.js:5:35:5:45 | process.env | sensitive data returned byprocess environment |
|
||||
| build-leaks.js:34:26:34:57 | getEnv( ... ngified | build-leaks.js:15:24:15:34 | process.env | build-leaks.js:34:26:34:57 | getEnv( ... ngified | This creates a build artifact that depends on $@. | build-leaks.js:15:24:15:34 | process.env | sensitive data returned byprocess environment |
|
||||
|
||||
Reference in New Issue
Block a user