hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 02:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Port FileAccessToHttp

Browse Source
This commit is contained in:
Asger F
2023-10-05 09:18:11 +02:00
parent 8e95a90d03
commit 2935aac559
3 changed files with 99 additions and 110 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
javascript/ql/lib/semmle/javascript/security/dataflow/FileAccessToHttpQuery.qll
View File

@@ -13,7 +13,30 @@ import FileAccessToHttpCustomizations::FileAccessToHttp
/**
* A taint tracking configuration for file data in outbound network requests.
*/
class Configuration extends TaintTracking::Configuration {
module FileAccessToHttpConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet contents) {
isSink(node) and
// or
// node = any(DataFlow::MethodCallNode call | call.getMethodName() = "stringify").getAnArgument()
contents = DataFlow::ContentSet::anyProperty()
}
}
/**
* Taint tracking for file data in outbound network requests.
*/
module FileAccessToHttpFlow = TaintTracking::Global<FileAccessToHttpConfig>;
/**
* DEPRECATED. Use the `FileAccessToHttpFlow` module instead.
*/
deprecated class Configuration extends TaintTracking::Configuration {
Configuration() { this = "FileAccessToHttp" }
override predicate isSource(DataFlow::Node source) { source instanceof Source }

6
javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql
View File

@@ -12,9 +12,9 @@
import javascript
import semmle.javascript.security.dataflow.FileAccessToHttpQuery
import DataFlow::PathGraph
import FileAccessToHttpFlow::PathGraph
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
from FileAccessToHttpFlow::PathNode source, FileAccessToHttpFlow::PathNode sink
where FileAccessToHttpFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Outbound network request depends on $@.", source.getNode(),
"file data"

178
javascript/ql/test/query-tests/Security/CWE-200/FileAccessToHttp.expected
View File

@@ -1,123 +1,35 @@
nodes
| FileAccessToHttp.js:4:5:4:47 | content |
| FileAccessToHttp.js:4:15:4:47 | fs.read ... "utf8") |
| FileAccessToHttp.js:4:15:4:47 | fs.read ... "utf8") |
| FileAccessToHttp.js:5:11:10:1 | {\\n hos ... ent }\\n} |
| FileAccessToHttp.js:5:11:10:1 | {\\n hos ... ent }\\n} |
| FileAccessToHttp.js:9:12:9:31 | { Referer: content } |
| FileAccessToHttp.js:9:23:9:29 | content |
| bufferRead.js:12:13:12:43 | buffer |
| bufferRead.js:12:22:12:43 | new Buf ... s.size) |
| bufferRead.js:12:22:12:43 | new Buf ... s.size) |
| bufferRead.js:15:15:15:62 | postData |
| bufferRead.js:15:26:15:31 | buffer |
| bufferRead.js:15:26:15:62 | buffer. ... esRead) |
| bufferRead.js:33:21:33:28 | postData |
| bufferRead.js:33:21:33:28 | postData |
| googlecompiler.js:7:19:7:28 | codestring |
| googlecompiler.js:9:7:15:4 | post_data |
| googlecompiler.js:9:19:15:4 | queryst ... dy\\n }) |
| googlecompiler.js:9:41:15:3 | {\\n ... ody\\n } |
| googlecompiler.js:14:21:14:30 | codestring |
| googlecompiler.js:38:18:38:26 | post_data |
| googlecompiler.js:38:18:38:26 | post_data |
| googlecompiler.js:44:54:44:57 | data |
| googlecompiler.js:44:54:44:57 | data |
| googlecompiler.js:56:14:56:17 | data |
| readFileSync.js:5:5:5:39 | data |
| readFileSync.js:5:12:5:39 | fs.read ... t.txt") |
| readFileSync.js:5:12:5:39 | fs.read ... t.txt") |
| readFileSync.js:7:7:7:25 | s |
| readFileSync.js:7:11:7:14 | data |
| readFileSync.js:7:11:7:25 | data.toString() |
| readFileSync.js:26:18:26:18 | s |
| readFileSync.js:26:18:26:18 | s |
| readStreamRead.js:13:13:13:35 | chunk |
| readStreamRead.js:13:21:13:35 | readable.read() |
| readStreamRead.js:13:21:13:35 | readable.read() |
| readStreamRead.js:30:19:30:23 | chunk |
| readStreamRead.js:30:19:30:23 | chunk |
| request.js:6:19:6:26 | jsonData |
| request.js:8:11:8:20 | {jsonData} |
| request.js:8:11:8:20 | {jsonData} |
| request.js:8:12:8:19 | jsonData |
| request.js:13:18:13:24 | xmlData |
| request.js:16:11:23:3 | {\\n u ... ody\\n } |
| request.js:16:11:23:3 | {\\n u ... ody\\n } |
| request.js:22:11:22:17 | xmlData |
| request.js:28:52:28:55 | data |
| request.js:28:52:28:55 | data |
| request.js:35:14:35:17 | data |
| request.js:43:51:43:54 | data |
| request.js:43:51:43:54 | data |
| request.js:50:13:50:16 | data |
| sentAsHeaders.js:10:79:10:84 | buffer |
| sentAsHeaders.js:10:79:10:84 | buffer |
| sentAsHeaders.js:11:13:11:59 | content |
| sentAsHeaders.js:11:23:11:28 | buffer |
| sentAsHeaders.js:11:23:11:59 | buffer. ... esRead) |
| sentAsHeaders.js:12:9:12:81 | content |
| sentAsHeaders.js:12:19:12:25 | content |
| sentAsHeaders.js:12:19:12:74 | content ... =", "") |
| sentAsHeaders.js:12:19:12:81 | content ... .trim() |
| sentAsHeaders.js:14:20:19:9 | {\\n ... } |
| sentAsHeaders.js:14:20:19:9 | {\\n ... } |
| sentAsHeaders.js:18:20:18:55 | { Refer ... ntent } |
| sentAsHeaders.js:18:31:18:53 | "http:/ ... content |
| sentAsHeaders.js:18:47:18:53 | content |
| sentAsHeaders.js:20:20:25:9 | {\\n ... } |
| sentAsHeaders.js:20:20:25:9 | {\\n ... } |
| sentAsHeaders.js:24:20:24:55 | { Refer ... ntent } |
| sentAsHeaders.js:24:31:24:53 | "http:/ ... content |
| sentAsHeaders.js:24:47:24:53 | content |
edges
| FileAccessToHttp.js:4:5:4:47 | content | FileAccessToHttp.js:9:23:9:29 | content |
| FileAccessToHttp.js:4:15:4:47 | fs.read ... "utf8") | FileAccessToHttp.js:4:5:4:47 | content |
| FileAccessToHttp.js:4:15:4:47 | fs.read ... "utf8") | FileAccessToHttp.js:4:5:4:47 | content |
| FileAccessToHttp.js:9:12:9:31 | { Referer: content } | FileAccessToHttp.js:5:11:10:1 | {\\n hos ... ent }\\n} |
| FileAccessToHttp.js:9:12:9:31 | { Referer: content } | FileAccessToHttp.js:5:11:10:1 | {\\n hos ... ent }\\n} |
| FileAccessToHttp.js:9:23:9:29 | content | FileAccessToHttp.js:9:12:9:31 | { Referer: content } |
| bufferRead.js:12:13:12:43 | buffer | bufferRead.js:15:26:15:31 | buffer |
| FileAccessToHttp.js:5:11:10:1 | [post update] {\\n hos ... ent }\\n} [headers, Referer] | FileAccessToHttp.js:5:11:10:1 | {\\n hos ... ent }\\n} |
| FileAccessToHttp.js:9:12:9:31 | { Referer: content } [Referer] | FileAccessToHttp.js:5:11:10:1 | [post update] {\\n hos ... ent }\\n} [headers, Referer] |
| FileAccessToHttp.js:9:23:9:29 | content | FileAccessToHttp.js:9:12:9:31 | { Referer: content } [Referer] |
| bufferRead.js:12:13:12:43 | buffer | bufferRead.js:13:21:13:26 | buffer |
| bufferRead.js:12:13:12:43 | buffer | bufferRead.js:13:32:13:37 | buffer |
| bufferRead.js:12:22:12:43 | new Buf ... s.size) | bufferRead.js:12:13:12:43 | buffer |
| bufferRead.js:12:22:12:43 | new Buf ... s.size) | bufferRead.js:12:13:12:43 | buffer |
| bufferRead.js:15:15:15:62 | postData | bufferRead.js:33:21:33:28 | postData |
| bufferRead.js:13:21:13:26 | buffer | bufferRead.js:13:32:13:37 | buffer |
| bufferRead.js:13:32:13:37 | buffer | bufferRead.js:15:26:15:31 | buffer |
| bufferRead.js:15:15:15:62 | postData | bufferRead.js:33:21:33:28 | postData |
| bufferRead.js:15:26:15:31 | buffer | bufferRead.js:15:26:15:62 | buffer. ... esRead) |
| bufferRead.js:15:26:15:62 | buffer. ... esRead) | bufferRead.js:15:15:15:62 | postData |
| googlecompiler.js:7:19:7:28 | codestring | googlecompiler.js:14:21:14:30 | codestring |
| googlecompiler.js:9:7:15:4 | post_data | googlecompiler.js:38:18:38:26 | post_data |
| googlecompiler.js:9:7:15:4 | post_data | googlecompiler.js:38:18:38:26 | post_data |
| googlecompiler.js:9:19:15:4 | queryst ... dy\\n }) | googlecompiler.js:9:7:15:4 | post_data |
| googlecompiler.js:9:41:15:3 | {\\n ... ody\\n } | googlecompiler.js:9:19:15:4 | queryst ... dy\\n }) |
| googlecompiler.js:14:21:14:30 | codestring | googlecompiler.js:9:41:15:3 | {\\n ... ody\\n } |
| googlecompiler.js:44:54:44:57 | data | googlecompiler.js:56:14:56:17 | data |
| googlecompiler.js:44:54:44:57 | data | googlecompiler.js:56:14:56:17 | data |
| googlecompiler.js:56:14:56:17 | data | googlecompiler.js:7:19:7:28 | codestring |
| readFileSync.js:5:5:5:39 | data | readFileSync.js:7:11:7:14 | data |
| readFileSync.js:5:12:5:39 | fs.read ... t.txt") | readFileSync.js:5:5:5:39 | data |
| readFileSync.js:5:12:5:39 | fs.read ... t.txt") | readFileSync.js:5:5:5:39 | data |
| readFileSync.js:7:7:7:25 | s | readFileSync.js:26:18:26:18 | s |
| readFileSync.js:7:7:7:25 | s | readFileSync.js:26:18:26:18 | s |
| readFileSync.js:7:11:7:14 | data | readFileSync.js:7:11:7:25 | data.toString() |
| readFileSync.js:7:11:7:25 | data.toString() | readFileSync.js:7:7:7:25 | s |
| readStreamRead.js:13:13:13:35 | chunk | readStreamRead.js:30:19:30:23 | chunk |
| readStreamRead.js:13:13:13:35 | chunk | readStreamRead.js:30:19:30:23 | chunk |
| readStreamRead.js:13:21:13:35 | readable.read() | readStreamRead.js:13:13:13:35 | chunk |
| readStreamRead.js:13:21:13:35 | readable.read() | readStreamRead.js:13:13:13:35 | chunk |
| request.js:6:19:6:26 | jsonData | request.js:8:12:8:19 | jsonData |
| request.js:8:12:8:19 | jsonData | request.js:8:11:8:20 | {jsonData} |
| request.js:8:12:8:19 | jsonData | request.js:8:11:8:20 | {jsonData} |
| request.js:8:11:8:20 | [post update] {jsonData} [jsonData] | request.js:8:11:8:20 | {jsonData} |
| request.js:8:12:8:19 | jsonData | request.js:8:11:8:20 | [post update] {jsonData} [jsonData] |
| request.js:13:18:13:24 | xmlData | request.js:22:11:22:17 | xmlData |
| request.js:22:11:22:17 | xmlData | request.js:16:11:23:3 | {\\n u ... ody\\n } |
| request.js:22:11:22:17 | xmlData | request.js:16:11:23:3 | {\\n u ... ody\\n } |
| request.js:28:52:28:55 | data | request.js:35:14:35:17 | data |
| request.js:16:11:23:3 | [post update] {\\n u ... ody\\n } [body] | request.js:16:11:23:3 | {\\n u ... ody\\n } |
| request.js:22:11:22:17 | xmlData | request.js:16:11:23:3 | [post update] {\\n u ... ody\\n } [body] |
| request.js:28:52:28:55 | data | request.js:35:14:35:17 | data |
| request.js:35:14:35:17 | data | request.js:6:19:6:26 | jsonData |
| request.js:43:51:43:54 | data | request.js:50:13:50:16 | data |
| request.js:43:51:43:54 | data | request.js:50:13:50:16 | data |
| request.js:50:13:50:16 | data | request.js:13:18:13:24 | xmlData |
| sentAsHeaders.js:10:79:10:84 | buffer | sentAsHeaders.js:11:23:11:28 | buffer |
| sentAsHeaders.js:10:79:10:84 | buffer | sentAsHeaders.js:11:23:11:28 | buffer |
| sentAsHeaders.js:11:13:11:59 | content | sentAsHeaders.js:12:19:12:25 | content |
| sentAsHeaders.js:11:23:11:28 | buffer | sentAsHeaders.js:11:23:11:59 | buffer. ... esRead) |
| sentAsHeaders.js:11:23:11:59 | buffer. ... esRead) | sentAsHeaders.js:11:13:11:59 | content |
@@ -126,18 +38,72 @@ edges
| sentAsHeaders.js:12:19:12:25 | content | sentAsHeaders.js:12:19:12:74 | content ... =", "") |
| sentAsHeaders.js:12:19:12:74 | content ... =", "") | sentAsHeaders.js:12:19:12:81 | content ... .trim() |
| sentAsHeaders.js:12:19:12:81 | content ... .trim() | sentAsHeaders.js:12:9:12:81 | content |
| sentAsHeaders.js:18:20:18:55 | { Refer ... ntent } | sentAsHeaders.js:14:20:19:9 | {\\n ... } |
| sentAsHeaders.js:18:20:18:55 | { Refer ... ntent } | sentAsHeaders.js:14:20:19:9 | {\\n ... } |
| sentAsHeaders.js:18:31:18:53 | "http:/ ... content | sentAsHeaders.js:18:20:18:55 | { Refer ... ntent } |
| sentAsHeaders.js:14:20:19:9 | [post update] {\\n ... } [headers, Referer] | sentAsHeaders.js:14:20:19:9 | {\\n ... } |
| sentAsHeaders.js:18:20:18:55 | { Refer ... ntent } [Referer] | sentAsHeaders.js:14:20:19:9 | [post update] {\\n ... } [headers, Referer] |
| sentAsHeaders.js:18:31:18:53 | "http:/ ... content | sentAsHeaders.js:18:20:18:55 | { Refer ... ntent } [Referer] |
| sentAsHeaders.js:18:47:18:53 | content | sentAsHeaders.js:18:31:18:53 | "http:/ ... content |
| sentAsHeaders.js:24:20:24:55 | { Refer ... ntent } | sentAsHeaders.js:20:20:25:9 | {\\n ... } |
| sentAsHeaders.js:24:20:24:55 | { Refer ... ntent } | sentAsHeaders.js:20:20:25:9 | {\\n ... } |
| sentAsHeaders.js:24:31:24:53 | "http:/ ... content | sentAsHeaders.js:24:20:24:55 | { Refer ... ntent } |
| sentAsHeaders.js:20:20:25:9 | [post update] {\\n ... } [headers, Referer] | sentAsHeaders.js:20:20:25:9 | {\\n ... } |
| sentAsHeaders.js:24:20:24:55 | { Refer ... ntent } [Referer] | sentAsHeaders.js:20:20:25:9 | [post update] {\\n ... } [headers, Referer] |
| sentAsHeaders.js:24:31:24:53 | "http:/ ... content | sentAsHeaders.js:24:20:24:55 | { Refer ... ntent } [Referer] |
| sentAsHeaders.js:24:47:24:53 | content | sentAsHeaders.js:24:31:24:53 | "http:/ ... content |
nodes
| FileAccessToHttp.js:4:5:4:47 | content | semmle.label | content |
| FileAccessToHttp.js:4:15:4:47 | fs.read ... "utf8") | semmle.label | fs.read ... "utf8") |
| FileAccessToHttp.js:5:11:10:1 | [post update] {\\n hos ... ent }\\n} [headers, Referer] | semmle.label | [post update] {\\n hos ... ent }\\n} [headers, Referer] |
| FileAccessToHttp.js:5:11:10:1 | {\\n hos ... ent }\\n} | semmle.label | {\\n hos ... ent }\\n} |
| FileAccessToHttp.js:9:12:9:31 | { Referer: content } [Referer] | semmle.label | { Referer: content } [Referer] |
| FileAccessToHttp.js:9:23:9:29 | content | semmle.label | content |
| bufferRead.js:12:13:12:43 | buffer | semmle.label | buffer |
| bufferRead.js:12:22:12:43 | new Buf ... s.size) | semmle.label | new Buf ... s.size) |
| bufferRead.js:13:21:13:26 | buffer | semmle.label | buffer |
| bufferRead.js:13:32:13:37 | buffer | semmle.label | buffer |
| bufferRead.js:15:15:15:62 | postData | semmle.label | postData |
| bufferRead.js:15:26:15:31 | buffer | semmle.label | buffer |
| bufferRead.js:15:26:15:62 | buffer. ... esRead) | semmle.label | buffer. ... esRead) |
| bufferRead.js:33:21:33:28 | postData | semmle.label | postData |
| readFileSync.js:5:5:5:39 | data | semmle.label | data |
| readFileSync.js:5:12:5:39 | fs.read ... t.txt") | semmle.label | fs.read ... t.txt") |
| readFileSync.js:7:7:7:25 | s | semmle.label | s |
| readFileSync.js:7:11:7:14 | data | semmle.label | data |
| readFileSync.js:7:11:7:25 | data.toString() | semmle.label | data.toString() |
| readFileSync.js:26:18:26:18 | s | semmle.label | s |
| readStreamRead.js:13:13:13:35 | chunk | semmle.label | chunk |
| readStreamRead.js:13:21:13:35 | readable.read() | semmle.label | readable.read() |
| readStreamRead.js:30:19:30:23 | chunk | semmle.label | chunk |
| request.js:6:19:6:26 | jsonData | semmle.label | jsonData |
| request.js:8:11:8:20 | [post update] {jsonData} [jsonData] | semmle.label | [post update] {jsonData} [jsonData] |
| request.js:8:11:8:20 | {jsonData} | semmle.label | {jsonData} |
| request.js:8:12:8:19 | jsonData | semmle.label | jsonData |
| request.js:13:18:13:24 | xmlData | semmle.label | xmlData |
| request.js:16:11:23:3 | [post update] {\\n u ... ody\\n } [body] | semmle.label | [post update] {\\n u ... ody\\n } [body] |
| request.js:16:11:23:3 | {\\n u ... ody\\n } | semmle.label | {\\n u ... ody\\n } |
| request.js:22:11:22:17 | xmlData | semmle.label | xmlData |
| request.js:28:52:28:55 | data | semmle.label | data |
| request.js:35:14:35:17 | data | semmle.label | data |
| request.js:43:51:43:54 | data | semmle.label | data |
| request.js:50:13:50:16 | data | semmle.label | data |
| sentAsHeaders.js:10:79:10:84 | buffer | semmle.label | buffer |
| sentAsHeaders.js:11:13:11:59 | content | semmle.label | content |
| sentAsHeaders.js:11:23:11:28 | buffer | semmle.label | buffer |
| sentAsHeaders.js:11:23:11:59 | buffer. ... esRead) | semmle.label | buffer. ... esRead) |
| sentAsHeaders.js:12:9:12:81 | content | semmle.label | content |
| sentAsHeaders.js:12:19:12:25 | content | semmle.label | content |
| sentAsHeaders.js:12:19:12:74 | content ... =", "") | semmle.label | content ... =", "") |
| sentAsHeaders.js:12:19:12:81 | content ... .trim() | semmle.label | content ... .trim() |
| sentAsHeaders.js:14:20:19:9 | [post update] {\\n ... } [headers, Referer] | semmle.label | [post update] {\\n ... } [headers, Referer] |
| sentAsHeaders.js:14:20:19:9 | {\\n ... } | semmle.label | {\\n ... } |
| sentAsHeaders.js:18:20:18:55 | { Refer ... ntent } [Referer] | semmle.label | { Refer ... ntent } [Referer] |
| sentAsHeaders.js:18:31:18:53 | "http:/ ... content | semmle.label | "http:/ ... content |
| sentAsHeaders.js:18:47:18:53 | content | semmle.label | content |
| sentAsHeaders.js:20:20:25:9 | [post update] {\\n ... } [headers, Referer] | semmle.label | [post update] {\\n ... } [headers, Referer] |
| sentAsHeaders.js:20:20:25:9 | {\\n ... } | semmle.label | {\\n ... } |
| sentAsHeaders.js:24:20:24:55 | { Refer ... ntent } [Referer] | semmle.label | { Refer ... ntent } [Referer] |
| sentAsHeaders.js:24:31:24:53 | "http:/ ... content | semmle.label | "http:/ ... content |
| sentAsHeaders.js:24:47:24:53 | content | semmle.label | content |
subpaths
#select
| FileAccessToHttp.js:5:11:10:1 | {\\n hos ... ent }\\n} | FileAccessToHttp.js:4:15:4:47 | fs.read ... "utf8") | FileAccessToHttp.js:5:11:10:1 | {\\n hos ... ent }\\n} | Outbound network request depends on $@. | FileAccessToHttp.js:4:15:4:47 | fs.read ... "utf8") | file data |
| bufferRead.js:33:21:33:28 | postData | bufferRead.js:12:22:12:43 | new Buf ... s.size) | bufferRead.js:33:21:33:28 | postData | Outbound network request depends on $@. | bufferRead.js:12:22:12:43 | new Buf ... s.size) | file data |
| googlecompiler.js:38:18:38:26 | post_data | googlecompiler.js:44:54:44:57 | data | googlecompiler.js:38:18:38:26 | post_data | Outbound network request depends on $@. | googlecompiler.js:44:54:44:57 | data | file data |
| readFileSync.js:26:18:26:18 | s | readFileSync.js:5:12:5:39 | fs.read ... t.txt") | readFileSync.js:26:18:26:18 | s | Outbound network request depends on $@. | readFileSync.js:5:12:5:39 | fs.read ... t.txt") | file data |
| readStreamRead.js:30:19:30:23 | chunk | readStreamRead.js:13:21:13:35 | readable.read() | readStreamRead.js:30:19:30:23 | chunk | Outbound network request depends on $@. | readStreamRead.js:13:21:13:35 | readable.read() | file data |
| request.js:8:11:8:20 | {jsonData} | request.js:28:52:28:55 | data | request.js:8:11:8:20 | {jsonData} | Outbound network request depends on $@. | request.js:28:52:28:55 | data | file data |