remove property reads on process.env as a taint step, and add a barrier for masking replace calls
@@ -34,20 +34,10 @@ module CleartextLogging {
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof Barrier }
|
||||
|
||||
override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel lbl) {
|
||||
// Only unknown property reads on sensitive objects propagate taint.
|
||||
(not lbl instanceof PartiallySensitiveMap or exists(succ.(DataFlow::PropRead).getPropertyName())) and
|
||||
override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
succ.(DataFlow::PropRead).getBase() = pred
|
||||
}
|
||||
|
||||
override predicate isAdditionalFlowStep(
|
||||
DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
|
||||
) {
|
||||
trg.(DataFlow::PropRead).getBase() = src and
|
||||
inlbl instanceof PartiallySensitiveMap and
|
||||
outlbl.isData()
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
|
||||
// A taint propagating data flow edge through objects: a tainted write taints the entire object.
|
||||
exists(DataFlow::PropWrite write |
|
||||
|
||||
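Review bot: The two-argument `isSanitizerEdge` (which appears to be the new side in this rendering) makes every property read a barrier, including reads whose property name is computed at run time, and the comment that explained the old label-based rule is gone without a replacement. This is what flips `console.log(process.env["foo" + "bar"])` to `// OK.` in the passwords.js hunk, although a computed key can select a secret-bearing variable just as easily as `PATH`, so the change trades false negatives for fewer false positives. If that trade is intended, state it above the predicate, e.g. `// A property read on a sensitive object is assumed to yield non-sensitive data, even when the property name is computed.`; otherwise keep reads without a known `getPropertyName()` as taint-propagating.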
@@ -32,6 +32,22 @@ module CleartextLogging {
|
||||
* A barrier for clear-text logging of sensitive information.
|
||||
*/
|
||||
abstract class Barrier extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* A call to `.replace()` that seems to mask
|
||||
*/
|
||||
class MaskingReplacer extends Barrier, DataFlow::MethodCallNode {
|
||||
MaskingReplacer() {
|
||||
this.getCalleeName() = "replace" and
|
||||
exists(RegExpLiteral reg|
|
||||
reg = this.getArgument(0).getALocalSource().asExpr() and
|
||||
reg.getFlags().regexpMatch("(?i).*g.*") and
|
||||
reg.getRoot().getRawValue().regexpMatch(".*\\..*")
|
||||
)
|
||||
and
|
||||
this.getArgument(1).asExpr() instanceof StringLiteral
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* An argument to a logging mechanism.
|
||||
|
||||
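Review bot: `MaskingReplacer` accepts any global regex whose raw text contains a `.` anywhere, plus any string literal as the replacement, so a call like `s.replace(/\./g, '')` that only strips literal dots would count as a barrier and suppress a real clear-text logging alert. Matching on the parsed regex term instead of the raw text narrows this, e.g. `reg.getRoot().getAChild*() instanceof RegExpDot` in place of the `getRawValue().regexpMatch(".*\\..*")` line (assuming the library's `RegExpDot` term class is in scope here). The doc comment also stops mid-sentence and should say what is masked, e.g. `* A call to .replace() that seems to mask sensitive information, such as s.replace(/./g, "*").` A test case with a non-masking replace that must still be reported would pin the intended boundary.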
@@ -105,27 +105,16 @@ nodes
|
||||
| passwords.js:137:17:137:24 | config.y |
|
||||
| passwords.js:137:17:137:24 | config.y |
|
||||
| passwords.js:142:26:142:34 | arguments |
|
||||
<<<<<<< HEAD
|
||||
| passwords.js:147:12:147:19 | password |
|
||||
| passwords.js:149:21:149:28 | config.x |
|
||||
| passwords.js:150:21:150:31 | process.env |
|
||||
=======
|
||||
| passwords.js:142:26:142:34 | arguments |
|
||||
| passwords.js:147:12:147:19 | password |
|
||||
| passwords.js:147:12:147:19 | password |
|
||||
| passwords.js:149:21:149:28 | config.x |
|
||||
| passwords.js:150:21:150:31 | process.env |
|
||||
| passwords.js:150:21:150:31 | process.env |
|
||||
>>>>>>> remove type cast, and fix expected test results
|
||||
| passwords.js:152:9:152:63 | procdesc |
|
||||
| passwords.js:152:20:152:44 | Util.in ... ss.env) |
|
||||
| passwords.js:152:20:152:63 | Util.in ... /g, '') |
|
||||
| passwords.js:152:33:152:43 | process.env |
|
||||
<<<<<<< HEAD
|
||||
| passwords.js:154:21:154:28 | procdesc |
|
||||
| passwords.js:156:17:156:27 | process.env |
|
||||
| passwords.js:158:17:158:27 | process.env |
|
||||
=======
|
||||
| passwords.js:152:33:152:43 | process.env |
|
||||
| passwords.js:154:21:154:28 | procdesc |
|
||||
| passwords.js:156:17:156:27 | process.env |
|
||||
@@ -134,7 +123,6 @@ nodes
|
||||
| passwords.js:158:17:158:27 | process.env |
|
||||
| passwords.js:158:17:158:27 | process.env |
|
||||
| passwords.js:158:17:158:42 | process ... "bar"] |
|
||||
>>>>>>> remove type cast, and fix expected test results
|
||||
| passwords.js:158:17:158:42 | process ... "bar"] |
|
||||
| passwords_in_browser1.js:2:13:2:20 | password |
|
||||
| passwords_in_browser1.js:2:13:2:20 | password |
|
||||
@@ -272,10 +260,6 @@ edges
|
||||
| passwords.js:154:21:154:28 | procdesc | passwords.js:142:26:142:34 | arguments |
|
||||
| passwords.js:154:21:154:28 | procdesc | passwords.js:142:26:142:34 | arguments |
|
||||
| passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env |
|
||||
| passwords.js:158:17:158:27 | process.env | passwords.js:158:17:158:42 | process ... "bar"] |
|
||||
| passwords.js:158:17:158:27 | process.env | passwords.js:158:17:158:42 | process ... "bar"] |
|
||||
| passwords.js:158:17:158:27 | process.env | passwords.js:158:17:158:42 | process ... "bar"] |
|
||||
| passwords.js:158:17:158:27 | process.env | passwords.js:158:17:158:42 | process ... "bar"] |
|
||||
| passwords_in_browser1.js:2:13:2:20 | password | passwords_in_browser1.js:2:13:2:20 | password |
|
||||
| passwords_in_browser2.js:2:13:2:20 | password | passwords_in_browser2.js:2:13:2:20 | password |
|
||||
| passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password |
|
||||
@@ -317,7 +301,6 @@ edges
|
||||
| passwords.js:142:26:142:34 | arguments | passwords.js:150:21:150:31 | process.env | passwords.js:142:26:142:34 | arguments | Sensitive data returned by $@ is logged here. | passwords.js:150:21:150:31 | process.env | process environment |
|
||||
| passwords.js:142:26:142:34 | arguments | passwords.js:152:33:152:43 | process.env | passwords.js:142:26:142:34 | arguments | Sensitive data returned by $@ is logged here. | passwords.js:152:33:152:43 | process.env | process environment |
|
||||
| passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env | Sensitive data returned by $@ is logged here. | passwords.js:156:17:156:27 | process.env | process environment |
|
||||
| passwords.js:158:17:158:42 | process ... "bar"] | passwords.js:158:17:158:27 | process.env | passwords.js:158:17:158:42 | process ... "bar"] | Sensitive data returned by $@ is logged here. | passwords.js:158:17:158:27 | process.env | process environment |
|
||||
| passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_1.js:6:13:6:20 | password | an access to password |
|
||||
| passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_2.js:3:13:3:20 | password | an access to password |
|
||||
| passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_3.js:2:13:2:20 | password | an access to password |
|
||||
|
||||
@@ -155,5 +155,5 @@ var Util = require('util');
|
||||
|
||||
console.log(process.env); // NOT OK
|
||||
console.log(process.env.PATH); // OK.
|
||||
console.log(process.env["foo" + "bar"]); // NOT OK.
|
||||
console.log(process.env["foo" + "bar"]); // OK.
|
||||
});
|
||||