hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 01:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Port experimental EnvValueAndKeyInjection to ConfigSig

Browse Source
This commit is contained in:
Asger F
2024-11-28 11:23:03 +01:00
parent 8887ca1722
commit 4f839070a0
2 changed files with 40 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
View File

@@ -11,20 +11,17 @@
*/
import javascript
import DataFlow::PathGraph
/** A taint tracking configuration for unsafe environment injection. */
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "envInjection" }
module EnvValueAndKeyInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
sink = keyOfEnv() or
sink = valueOfEnv()
}
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(DataFlow::InvokeNode ikn |
ikn = DataFlow::globalVarRef("Object").getAMemberInvocation("keys")
|
@@ -38,6 +35,8 @@ class Configuration extends TaintTracking::Configuration {
}
}
module EnvValueAndKeyInjectionFlow = TaintTracking::Global<EnvValueAndKeyInjectionConfig>;
DataFlow::Node keyOfEnv() {
result =
NodeJSLib::process().getAPropertyRead("env").getAPropertyWrite().getPropertyNameExpr().flow()
@@ -56,13 +55,15 @@ private predicate readToProcessEnv(DataFlow::Node envKey, DataFlow::Node envValu
)
}
import EnvValueAndKeyInjectionFlow::PathGraph
from
Configuration cfgForValue, Configuration cfgForKey, DataFlow::PathNode source,
DataFlow::PathNode envKey, DataFlow::PathNode envValue
EnvValueAndKeyInjectionFlow::PathNode source, EnvValueAndKeyInjectionFlow::PathNode envKey,
EnvValueAndKeyInjectionFlow::PathNode envValue
where
cfgForValue.hasFlowPath(source, envKey) and
EnvValueAndKeyInjectionFlow::flowPath(source, envKey) and
envKey.getNode() = keyOfEnv() and
cfgForKey.hasFlowPath(source, envValue) and
EnvValueAndKeyInjectionFlow::flowPath(source, envValue) and
envValue.getNode() = valueOfEnv() and
readToProcessEnv(envKey.getNode(), envValue.getNode())
select envKey.getNode(), source, envKey, "arbitrary environment variable assignment from this $@.",

79
javascript/ql/test/experimental/Security/CWE-099/EnvValueAndKeyInjection/EnvValueAndKeyInjection.expected
View File

@@ -1,55 +1,32 @@
nodes
| test.js:5:9:5:28 | { EnvValue, EnvKey } |
| test.js:5:9:5:39 | EnvKey |
| test.js:5:9:5:39 | EnvValue |
| test.js:5:11:5:18 | EnvValue |
| test.js:5:21:5:26 | EnvKey |
| test.js:5:32:5:39 | req.body |
| test.js:5:32:5:39 | req.body |
| test.js:6:15:6:20 | EnvKey |
| test.js:6:15:6:20 | EnvKey |
| test.js:6:25:6:32 | EnvValue |
| test.js:6:25:6:32 | EnvValue |
| test.js:7:15:7:20 | EnvKey |
| test.js:7:15:7:20 | EnvKey |
| test.js:7:25:7:32 | EnvValue |
| test.js:7:25:7:32 | EnvValue |
| test.js:13:9:13:28 | { EnvValue, EnvKey } |
| test.js:13:9:13:39 | EnvKey |
| test.js:13:9:13:39 | EnvValue |
| test.js:13:11:13:18 | EnvValue |
| test.js:13:21:13:26 | EnvKey |
| test.js:13:32:13:39 | req.body |
| test.js:13:32:13:39 | req.body |
| test.js:15:15:15:20 | EnvKey |
| test.js:15:15:15:20 | EnvKey |
| test.js:16:26:16:33 | EnvValue |
| test.js:16:26:16:33 | EnvValue |
edges
| test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:11:5:18 | EnvValue |
| test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:21:5:26 | EnvKey |
| test.js:5:9:5:39 | EnvKey | test.js:6:15:6:20 | EnvKey |
| test.js:5:9:5:39 | EnvKey | test.js:6:15:6:20 | EnvKey |
| test.js:5:9:5:39 | EnvKey | test.js:7:15:7:20 | EnvKey |
| test.js:5:9:5:39 | EnvKey | test.js:7:15:7:20 | EnvKey |
| test.js:5:9:5:39 | EnvValue | test.js:6:25:6:32 | EnvValue |
| test.js:5:9:5:39 | EnvValue | test.js:6:25:6:32 | EnvValue |
| test.js:5:9:5:39 | EnvValue | test.js:7:25:7:32 | EnvValue |
| test.js:5:9:5:39 | EnvValue | test.js:7:25:7:32 | EnvValue |
| test.js:5:11:5:18 | EnvValue | test.js:5:9:5:39 | EnvValue |
| test.js:5:21:5:26 | EnvKey | test.js:5:9:5:39 | EnvKey |
| test.js:5:32:5:39 | req.body | test.js:5:9:5:28 | { EnvValue, EnvKey } |
| test.js:5:32:5:39 | req.body | test.js:5:9:5:28 | { EnvValue, EnvKey } |
| test.js:13:9:13:28 | { EnvValue, EnvKey } | test.js:13:11:13:18 | EnvValue |
| test.js:13:9:13:28 | { EnvValue, EnvKey } | test.js:13:21:13:26 | EnvKey |
| test.js:13:9:13:39 | EnvKey | test.js:15:15:15:20 | EnvKey |
| test.js:13:9:13:39 | EnvKey | test.js:15:15:15:20 | EnvKey |
| test.js:13:9:13:39 | EnvValue | test.js:16:26:16:33 | EnvValue |
| test.js:13:9:13:39 | EnvValue | test.js:16:26:16:33 | EnvValue |
| test.js:13:11:13:18 | EnvValue | test.js:13:9:13:39 | EnvValue |
| test.js:13:21:13:26 | EnvKey | test.js:13:9:13:39 | EnvKey |
| test.js:13:32:13:39 | req.body | test.js:13:9:13:28 | { EnvValue, EnvKey } |
| test.js:13:32:13:39 | req.body | test.js:13:9:13:28 | { EnvValue, EnvKey } |
| test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:9:5:39 | EnvKey | provenance | |
| test.js:5:9:5:28 | { EnvValue, EnvKey } | test.js:5:9:5:39 | EnvValue | provenance | |
| test.js:5:9:5:39 | EnvKey | test.js:6:15:6:20 | EnvKey | provenance | |
| test.js:5:9:5:39 | EnvKey | test.js:7:15:7:20 | EnvKey | provenance | |
| test.js:5:9:5:39 | EnvValue | test.js:6:25:6:32 | EnvValue | provenance | |
| test.js:5:9:5:39 | EnvValue | test.js:7:25:7:32 | EnvValue | provenance | |
| test.js:5:32:5:39 | req.body | test.js:5:9:5:28 | { EnvValue, EnvKey } | provenance | |
| test.js:13:9:13:28 | { EnvValue, EnvKey } | test.js:13:9:13:39 | EnvKey | provenance | |
| test.js:13:9:13:28 | { EnvValue, EnvKey } | test.js:13:9:13:39 | EnvValue | provenance | |
| test.js:13:9:13:39 | EnvKey | test.js:15:15:15:20 | EnvKey | provenance | |
| test.js:13:9:13:39 | EnvValue | test.js:16:26:16:33 | EnvValue | provenance | |
| test.js:13:32:13:39 | req.body | test.js:13:9:13:28 | { EnvValue, EnvKey } | provenance | |
nodes
| test.js:5:9:5:28 | { EnvValue, EnvKey } | semmle.label | { EnvValue, EnvKey } |
| test.js:5:9:5:39 | EnvKey | semmle.label | EnvKey |
| test.js:5:9:5:39 | EnvValue | semmle.label | EnvValue |
| test.js:5:32:5:39 | req.body | semmle.label | req.body |
| test.js:6:15:6:20 | EnvKey | semmle.label | EnvKey |
| test.js:6:25:6:32 | EnvValue | semmle.label | EnvValue |
| test.js:7:15:7:20 | EnvKey | semmle.label | EnvKey |
| test.js:7:25:7:32 | EnvValue | semmle.label | EnvValue |
| test.js:13:9:13:28 | { EnvValue, EnvKey } | semmle.label | { EnvValue, EnvKey } |
| test.js:13:9:13:39 | EnvKey | semmle.label | EnvKey |
| test.js:13:9:13:39 | EnvValue | semmle.label | EnvValue |
| test.js:13:32:13:39 | req.body | semmle.label | req.body |
| test.js:15:15:15:20 | EnvKey | semmle.label | EnvKey |
| test.js:16:26:16:33 | EnvValue | semmle.label | EnvValue |
subpaths
#select
| test.js:6:15:6:20 | EnvKey | test.js:5:32:5:39 | req.body | test.js:6:15:6:20 | EnvKey | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source |
| test.js:7:15:7:20 | EnvKey | test.js:5:32:5:39 | req.body | test.js:7:15:7:20 | EnvKey | arbitrary environment variable assignment from this $@. | test.js:5:32:5:39 | req.body | user controllable source |