remove FPs in js/build-artifact-leak where the "leaked" properties are constrained to a safe subset

2026-04-30 19:26:02 +02:00 · 2020-11-18 10:35:02 +01:00
parent 06733eadea
commit 64828713d6
2 changed files with 72 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -205,6 +205,7 @@ module CleartextLogging {
    |
      not exists(write.getPropertyName()) and
      not exists(read.getPropertyName()) and
+      not isFilteredPropertyName(read.getPropertyNameExpr().flow().getALocalSource()) and
      src = read.getBase() and
      trg = write.getBase().getALocalSource()
    )
@@ -217,4 +218,24 @@ module CleartextLogging {
      trg.asExpr() = f.getArgumentsVariable().getAnAccess()
    )
  }
+
+  /**
+   * Holds if `name` is filtered by e.g. a regular-expression test or a filter call.
+   */
+  private predicate isFilteredPropertyName(DataFlow::Node name) {
+    exists(DataFlow::MethodCallNode reduceCall |
+      reduceCall.getABoundCallbackParameter(0, 1).flowsTo(name) and
+      reduceCall.getMethodName() = "reduce"
+    |
+      reduceCall.getReceiver+().(DataFlow::MethodCallNode).getMethodName() = "filter"
+    )
+    or
+    exists(StringOps::RegExpTest test |
+      test.getStringOperand().getALocalSource() = name.getALocalSource()
+    )
+    or
+    exists(MembershipCandidate test |
+      test.getAMemberNode().getALocalSource() = name.getALocalSource()
+    )
+  }
 }
--- a/javascript/ql/test/query-tests/Security/CWE-312/build-leaks.js
+++ b/javascript/ql/test/query-tests/Security/CWE-312/build-leaks.js
@@ -40,3 +40,54 @@ var server = https.createServer(function (req, res) {
    let pw = url.parse(req.url, true).query.current_password;
    var plugin = new webpack.DefinePlugin({ "process.env.secret": JSON.stringify(pw) }); // NOT OK
 });
+
+(function () {
+    const REACT_APP = /^REACT_APP_/i;
+
+    function getOnlyReactVariables() {
+        const raw = Object.keys(process.env)
+            .filter(key => REACT_APP.test(key)) // This filters makes it safe.
+            .reduce(
+                (env, key) => {
+                    env[key] = process.env[key];
+                    return env;
+                },
+                {}
+            );
+        return raw;
+    }
+
+    new webpack.DefinePlugin(getOnlyReactVariables()); // OK
+
+    function getOnlyReactVariables2() {
+        const raw = Object.keys(process.env)
+            .reduce(
+                (env, key) => {
+                    if (REACT_APP.test(key)) {
+                        env[key] = process.env[key];
+                    }
+                    return env;
+                },
+                {}
+            );
+        return raw;
+    }
+
+    new webpack.DefinePlugin(getOnlyReactVariables2()); // OK
+
+    function getOnlyReactVariables3() {
+        const raw = Object.keys(process.env)
+            .reduce(
+                (env, key) => {
+                    if (key == ["1", "2", "3"]) {
+                        env[key] = process.env[key];
+                    }
+                    return env;
+                },
+                {}
+            );
+        return raw;
+    }
+
+    new webpack.DefinePlugin(getOnlyReactVariables3()); // OK
+})();