JS: Add environment threat-model source

2026-04-25 08:45:14 +02:00 · 2024-08-19 11:52:00 +02:00
parent f733ac19a9
commit 412e841d69
4 changed files with 53 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
@@ -1244,4 +1244,13 @@ module NodeJSLib {
      result = moduleImport().getAPropertyRead(member)
    }
  }
+
+  /** A read of `process.env`, considered as a threat-model source. */
+  private class ProcessEnvThreatSource extends ThreatModelSource::Range {
+    ProcessEnvThreatSource() { this = NodeJSLib::process().getAPropertyRead("env") }
+
+    override string getThreatModel() { result = "environment" }
+
+    override string getSourceType() { result = "process.env" }
+  }
 }
--- a/javascript/ql/test/library-tests/threat-models/sources/TestSources.expected
+++ b/javascript/ql/test/library-tests/threat-models/sources/TestSources.expected
@@ -0,0 +1,2 @@
+testFailures
+failures
--- a/javascript/ql/test/library-tests/threat-models/sources/TestSources.ql
+++ b/javascript/ql/test/library-tests/threat-models/sources/TestSources.ql
@@ -0,0 +1,38 @@
+import javascript
+import testUtilities.InlineExpectationsTest
+
+class TestSourcesConfiguration extends TaintTracking::Configuration {
+  TestSourcesConfiguration() { this = "TestSources" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof ThreatModelSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(CallExpr call |
+      call.getAnArgument() = sink.asExpr() and
+      call.getCalleeName() = "SINK"
+    )
+  }
+}
+
+private module InlineTestSources implements TestSig {
+  string getARelevantTag() { result in ["hasFlow", "threat-source"] }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(DataFlow::Node sink |
+      any(TestSourcesConfiguration c).hasFlow(_, sink) and
+      value = "" and
+      location = sink.getLocation() and
+      tag = "hasFlow" and
+      element = sink.toString()
+    )
+    or
+    exists(ThreatModelSource source |
+      value = source.getThreatModel() and
+      location = source.getLocation() and
+      tag = "threat-source" and
+      element = source.toString()
+    )
+  }
+}
+
+import MakeTest<InlineTestSources>
--- a/javascript/ql/test/library-tests/threat-models/sources/sources.js
+++ b/javascript/ql/test/library-tests/threat-models/sources/sources.js
@@ -0,0 +1,4 @@
+import 'dummy';
+
+var x = process.env['foo']; // $ threat-source=environment
+SINK(x); // $ hasFlow