Merge branch 'main' into henrymercer/rc-3.15-mergeback

2026-04-26 17:25:19 +02:00 · 2024-08-29 19:48:01 +01:00
parent d5bccd5373 72e2910d17
commit 3490067316
927 changed files with 15314 additions and 11766 deletions
--- a/javascript/ql/integration-tests/all-platforms/no-types/qlpack.yml
+++ b/javascript/ql/integration-tests/all-platforms/no-types/qlpack.yml
@@ -1,3 +0,0 @@
-dependencies:
-  codeql/javascript-all: '*'
-warnOnImplicitThis: true
--- a/javascript/ql/integration-tests/all-platforms/diagnostics/internal-error/diagnostics.expected
+++ b/javascript/ql/integration-tests/all-platforms/diagnostics/internal-error/diagnostics.expected
--- a/javascript/ql/integration-tests/all-platforms/diagnostics/internal-error/src/my_failure.ts
+++ b/javascript/ql/integration-tests/all-platforms/diagnostics/internal-error/src/my_failure.ts
--- a/javascript/ql/integration-tests/all-platforms/diagnostics/internal-error/test.py
+++ b/javascript/ql/integration-tests/all-platforms/diagnostics/internal-error/test.py
--- a/javascript/ql/integration-tests/all-platforms/diagnostics/internal-error/tsconfig.json
+++ b/javascript/ql/integration-tests/all-platforms/diagnostics/internal-error/tsconfig.json
--- a/javascript/ql/integration-tests/all-platforms/diagnostics/syntax-error/bad.js
+++ b/javascript/ql/integration-tests/all-platforms/diagnostics/syntax-error/bad.js
--- a/javascript/ql/integration-tests/all-platforms/diagnostics/syntax-error/diagnostics.expected
+++ b/javascript/ql/integration-tests/all-platforms/diagnostics/syntax-error/diagnostics.expected
--- a/javascript/ql/integration-tests/all-platforms/diagnostics/syntax-error/test.py
+++ b/javascript/ql/integration-tests/all-platforms/diagnostics/syntax-error/test.py
--- a/javascript/ql/integration-tests/all-platforms/no-types/foo.ts
+++ b/javascript/ql/integration-tests/all-platforms/no-types/foo.ts
--- a/javascript/ql/integration-tests/all-platforms/no-types/javascript.expected
+++ b/javascript/ql/integration-tests/all-platforms/no-types/javascript.expected
--- a/javascript/ql/integration-tests/all-platforms/no-types/javascript.ql
+++ b/javascript/ql/integration-tests/all-platforms/no-types/javascript.ql
--- a/javascript/ql/integration-tests/all-platforms/no-types/test.py
+++ b/javascript/ql/integration-tests/all-platforms/no-types/test.py
--- a/javascript/ql/integration-tests/all-platforms/no-types/tsconfig.json
+++ b/javascript/ql/integration-tests/all-platforms/no-types/tsconfig.json
--- a/javascript/ql/lib/semmle/javascript/NodeJS.qll
+++ b/javascript/ql/lib/semmle/javascript/NodeJS.qll
@@ -295,6 +295,15 @@ private predicate isRequire(DataFlow::Node nd) {
    isCreateRequire(call.getCallee().flow()) and
    nd = call.flow()
  )
+  or
+  // `$.require('underscore');`.
+  // NPM as supported in [XSJS files](https://www.npmjs.com/package/@sap/async-xsjs#npm-packages-support).
+  exists(MethodCallExpr require |
+    nd.getFile().getExtension() = ["xsjs", "xsjslib"] and
+    require.getCalleeName() = "require" and
+    require.getReceiver().(GlobalVarAccess).getName() = "$" and
+    nd = require.getCallee().flow()
+  )
 }

 /**
--- a/javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.Required.Setting.model.yml
+++ b/javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.Required.Setting.model.yml
@@ -1,6 +1,6 @@
 extensions:
  - addsTo:
-      pack: codeql/javascript-queries
+      pack: codeql/javascript-all
      extensible: requiredHelmetSecuritySetting
    data:
      - ["frameguard"]
--- a/javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.qll
@@ -0,0 +1,41 @@
+/**
+ * Provides classes for working with Helmet
+ */
+
+private import javascript
+
+/**
+ * A write to a property of a route handler from the "helmet" module.
+ */
+class HelmetProperty extends DataFlow::Node instanceof DataFlow::PropWrite {
+  ExpressLibraries::HelmetRouteHandler helmet;
+
+  HelmetProperty() {
+    this = helmet.(DataFlow::CallNode).getAnArgument().getALocalSource().getAPropertyWrite()
+  }
+
+  /**
+   * Gets the route handler associated to this property.
+   */
+  ExpressLibraries::HelmetRouteHandler getHelmet() { result = helmet }
+
+  /**
+   * Gets the boolean value of this property, if it may evaluate to a `Boolean`.
+   */
+  predicate isFalse() { DataFlow::PropWrite.super.getRhs().mayHaveBooleanValue(false) }
+
+  /**
+   * Gets the name of the `HelmetProperty`.
+   */
+  string getName() { result = DataFlow::PropWrite.super.getPropertyName() }
+
+  /**
+   * read from data extensions to allow enforcing custom settings
+   */
+  predicate isImportantSecuritySetting() { requiredHelmetSecuritySetting(this.getName()) }
+}
+
+/**
+ * defaults are located in `javascript/ql/lib/semmle/frameworks/helmet/Helmet.Required.Setting.model.yml`
+ */
+extensible predicate requiredHelmetSecuritySetting(string name);
--- a/javascript/ql/src/Security/CWE-693/CUSTOMIZING.md
+++ b/javascript/ql/src/Security/CWE-693/CUSTOMIZING.md
@@ -24,7 +24,7 @@ A suitable [model pack](https://docs.github.com/en/code-security/codeql-cli/usin
 name: my-org/javascript-helmet-insecure-config-model-pack
 version: 1.0.0
 extensionTargets:
-  codeql/java-all: '*'
+  codeql/javascript-all: '*'
 dataExtensions:
  - models/**/*.yml
 ```
--- a/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
+++ b/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
@@ -12,30 +12,8 @@
 */

 import javascript
-import DataFlow
 import semmle.javascript.frameworks.ExpressModules
-
-class HelmetProperty extends DataFlow::Node instanceof DataFlow::PropWrite {
-  ExpressLibraries::HelmetRouteHandler helmet;
-
-  HelmetProperty() {
-    this = helmet.(DataFlow::CallNode).getAnArgument().getALocalSource().getAPropertyWrite()
-  }
-
-  ExpressLibraries::HelmetRouteHandler getHelmet() { result = helmet }
-
-  predicate isFalse() { DataFlow::PropWrite.super.getRhs().mayHaveBooleanValue(false) }
-
-  string getName() { result = DataFlow::PropWrite.super.getPropertyName() }
-
-  predicate isImportantSecuritySetting() {
-    // read from data extensions to allow enforcing custom settings
-    // defaults are located in javascript/ql/lib/semmle/frameworks/helmet/Helmet.Required.Setting.model.yml
-    requiredHelmetSecuritySetting(this.getName())
-  }
-}
-
-extensible predicate requiredHelmetSecuritySetting(string name);
+import semmle.javascript.frameworks.helmet.Helmet

 from HelmetProperty helmetProperty, ExpressLibraries::HelmetRouteHandler helmet
 where
--- a/javascript/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.expected
@@ -9,3 +9,4 @@
 | tst.js:35:13:35:43 | crypto. ... an(512) | Creation of an asymmetric key uses 512 bits, which is below 2048 and considered breakable. |
 | tst.js:39:13:39:33 | new Nod ... : 512}) | Creation of an asymmetric RSA key uses 512 bits, which is below 2048 and considered breakable. |
 | tst.js:43:1:43:31 | key.gen ...  65537) | Creation of an asymmetric RSA key uses 512 bits, which is below 2048 and considered breakable. |
+| tst.xsjs:3:14:3:71 | crypto. ... 1024 }) | Creation of an asymmetric RSA key uses 1024 bits, which is below 2048 and considered breakable. |
--- a/javascript/ql/test/query-tests/Security/CWE-326/tst.xsjs
+++ b/javascript/ql/test/query-tests/Security/CWE-326/tst.xsjs
@@ -0,0 +1,5 @@
+const crypto = $.require("crypto");
+
+const bad1 = crypto.generateKeyPairSync("rsa", { modulusLength: 1024 }); // NOT OK
+
+const good1 = crypto.generateKeyPairSync("rsa", { modulusLength: 4096 }); // OK