Merge branch 'main' into noBin

javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql

@@ -43,6 +43,10 @@ where
     or
     // target is a HTTP URL to a domain on any TLD
     target.regexpMatch("(?i)https?://([a-z0-9-]+\\.)+([a-z]+)(:[0-9]+)?/?")
+    or
+    // target is a HTTP URL to a domain on any TLD with path elements, and the check is an includes check
+    check instanceof StringOps::Includes and
+    target.regexpMatch("(?i)https?://([a-z0-9-]+\\.)+([a-z]+)(:[0-9]+)?/[a-z0-9/_-]+")
   ) and
   (
     if check instanceof StringOps::StartsWith

javascript/ql/src/semmle/javascript/NodeJS.qll

@@ -221,7 +221,7 @@ class Require extends CallExpr, Import {
    *
    * <ul>
    * <li> the file `c/p`;
-   * <li> the file `c/p.{tsx,ts,jsx,es6,es,mjs}`;
+   * <li> the file `c/p.{tsx,ts,jsx,es6,es,mjs,cjs}`;
    * <li> the file `c/p.js`;
    * <li> the file `c/p.json`;
    * <li> the file `c/p.node`;
@@ -230,12 +230,12 @@ class Require extends CallExpr, Import {
    *      <li> if `c/p/package.json` exists and specifies a `main` module `m`:
    *        <ul>
    *        <li> the file `c/p/m`;
-   *        <li> the file `c/p/m.{tsx,ts,jsx,es6,es,mjs}`;
+   *        <li> the file `c/p/m.{tsx,ts,jsx,es6,es,mjs,cjs}`;
    *        <li> the file `c/p/m.js`;
    *        <li> the file `c/p/m.json`;
    *        <li> the file `c/p/m.node`;
    *        </ul>
-   *      <li> the file `c/p/index.{tsx,ts,jsx,es6,es,mjs}`;
+   *      <li> the file `c/p/index.{tsx,ts,jsx,es6,es,mjs,cjs}`;
    *      <li> the file `c/p/index.js`;
    *      <li> the file `c/p/index.json`;
    *      <li> the file `c/p/index.node`.

javascript/ql/src/semmle/javascript/NodeModuleResolutionImpl.qll

@@ -26,11 +26,13 @@ int getFileExtensionPriority(string ext) {
   or
   ext = "mjs" and result = 5
   or
-  ext = "js" and result = 6
+  ext = "cjs" and result = 6
   or
-  ext = "json" and result = 7
+  ext = "js" and result = 7
   or
-  ext = "node" and result = 8
+  ext = "json" and result = 8
+  or
+  ext = "node" and result = 9
 }
 
 int prioritiesPerCandidate() { result = 3 * (numberOfExtensions() + 1) }

javascript/ql/test/library-tests/CallGraphs/FullTest/non-strict.js

@@ -0,0 +1,8 @@
+(function () {
+  if (true) {
+    function foo() {
+      return 3;
+    }
+  }
+  return foo(); // this resolves to `foo` above, because we have function-scope in non-strict mode.
+})();

javascript/ql/test/library-tests/CallGraphs/FullTest/strict.js

@@ -0,0 +1,10 @@
+(function () {
+  if (true) {
+    function foo() {
+      return 3;
+    }
+  }
+  return foo(); // `foo` is not defined, because we are in strict-mode.
+})();
+
+export default 3; // strict-mode implied because ES2015 module.

javascript/ql/test/library-tests/CallGraphs/FullTest/strict2.js

@@ -0,0 +1,12 @@
+"use strict";
+(function () {
+  "use strict";
+  if (true) {
+    function foo() {
+      return 3;
+    }
+  }
+  return foo(); // `foo` is not defined, because we are in strict-mode.
+})();
+
+export default 3; // strict-mode implied because ES2015 module.

javascript/ql/test/library-tests/CallGraphs/FullTest/tests.expected

@@ -90,6 +90,11 @@ test_getAFunctionValue
 | m.js:3:1:3:16 | module.exports.f | m.js:1:13:1:25 | function() {} |
 | n.js:2:1:2:3 | m.f | m.js:1:13:1:25 | function() {} |
 | n.js:5:1:5:4 | m2.f | m2.js:2:6:2:18 | function() {} |
+| non-strict.js:1:1:8:2 | (functi ... ode.\\n}) | non-strict.js:1:2:8:1 | functio ... mode.\\n} |
+| non-strict.js:1:2:8:1 | functio ... mode.\\n} | non-strict.js:1:2:8:1 | functio ... mode.\\n} |
+| non-strict.js:3:5:5:5 | functio ... ;\\n    } | non-strict.js:3:5:5:5 | functio ... ;\\n    } |
+| non-strict.js:3:14:3:16 | foo | non-strict.js:3:5:5:5 | functio ... ;\\n    } |
+| non-strict.js:7:10:7:12 | foo | non-strict.js:3:5:5:5 | functio ... ;\\n    } |
 | protoclass.js:3:1:5:1 | functio ... it();\\n} | protoclass.js:3:1:5:1 | functio ... it();\\n} |
 | protoclass.js:3:10:3:10 | F | protoclass.js:3:1:5:1 | functio ... it();\\n} |
 | protoclass.js:4:3:4:11 | this.init | protoclass.js:7:20:11:1 | functio ...  m();\\n} |
@@ -110,6 +115,12 @@ test_getAFunctionValue
 | reflection.js:7:1:7:3 | add | reflection.js:1:1:3:1 | functio ...  x+y;\\n} |
 | reflection.js:8:1:8:3 | add | reflection.js:1:1:3:1 | functio ...  x+y;\\n} |
 | reflection.js:8:1:8:9 | add.apply | reflection.js:5:15:5:39 | functio ... n 56; } |
+| strict2.js:2:1:10:2 | (functi ... ode.\\n}) | strict2.js:2:2:10:1 | functio ... mode.\\n} |
+| strict2.js:2:2:10:1 | functio ... mode.\\n} | strict2.js:2:2:10:1 | functio ... mode.\\n} |
+| strict2.js:5:5:7:5 | functio ... ;\\n    } | strict2.js:5:5:7:5 | functio ... ;\\n    } |
+| strict.js:1:1:8:2 | (functi ... ode.\\n}) | strict.js:1:2:8:1 | functio ... mode.\\n} |
+| strict.js:1:2:8:1 | functio ... mode.\\n} | strict.js:1:2:8:1 | functio ... mode.\\n} |
+| strict.js:3:5:5:5 | functio ... ;\\n    } | strict.js:3:5:5:5 | functio ... ;\\n    } |
 | tst3.js:1:1:1:22 | functio ... fn() {} | tst3.js:1:1:1:22 | functio ... fn() {} |
 | tst3.js:2:1:2:23 | functio ... n2() {} | tst3.js:2:1:2:23 | functio ... n2() {} |
 | tst.js:1:1:1:15 | function f() {} | tst.js:1:1:1:15 | function f() {} |
@@ -225,6 +236,8 @@ test_getNumArgument
 | n.js:2:1:2:5 | m.f() | 0 |
 | n.js:4:10:4:24 | require('./m2') | 1 |
 | n.js:5:1:5:6 | m2.f() | 0 |
+| non-strict.js:1:1:8:4 | (functi ... e.\\n})() | 0 |
+| non-strict.js:7:10:7:14 | foo() | 0 |
 | protoclass.js:4:3:4:13 | this.init() | 0 |
 | protoclass.js:8:3:8:15 | this.method() | 0 |
 | protoclass.js:9:11:9:32 | this.me ... d(this) | 1 |
@@ -233,6 +246,10 @@ test_getNumArgument
 | reflection.js:7:1:7:22 | add.cal ... 23, 19) | 3 |
 | reflection.js:7:1:7:22 | reflective call | 2 |
 | reflection.js:8:1:8:25 | add.app ... 3, 19]) | 2 |
+| strict2.js:2:1:10:4 | (functi ... e.\\n})() | 0 |
+| strict2.js:9:10:9:14 | foo() | 0 |
+| strict.js:1:1:8:4 | (functi ... e.\\n})() | 0 |
+| strict.js:7:10:7:14 | foo() | 0 |
 | tst.js:6:1:6:3 | f() | 0 |
 | tst.js:7:1:7:3 | g() | 0 |
 | tst.js:8:1:8:3 | h() | 0 |
@@ -321,6 +338,8 @@ test_getCalleeNode
 | n.js:2:1:2:5 | m.f() | n.js:2:1:2:3 | m.f |
 | n.js:4:10:4:24 | require('./m2') | n.js:4:10:4:16 | require |
 | n.js:5:1:5:6 | m2.f() | n.js:5:1:5:4 | m2.f |
+| non-strict.js:1:1:8:4 | (functi ... e.\\n})() | non-strict.js:1:1:8:2 | (functi ... ode.\\n}) |
+| non-strict.js:7:10:7:14 | foo() | non-strict.js:7:10:7:12 | foo |
 | protoclass.js:4:3:4:13 | this.init() | protoclass.js:4:3:4:11 | this.init |
 | protoclass.js:8:3:8:15 | this.method() | protoclass.js:8:3:8:13 | this.method |
 | protoclass.js:9:11:9:32 | this.me ... d(this) | protoclass.js:9:11:9:26 | this.method.bind |
@@ -330,6 +349,10 @@ test_getCalleeNode
 | reflection.js:7:1:7:22 | reflective call | reflection.js:7:1:7:3 | add |
 | reflection.js:8:1:8:25 | add.app ... 3, 19]) | reflection.js:8:1:8:9 | add.apply |
 | reflection.js:8:1:8:25 | reflective call | reflection.js:8:1:8:3 | add |
+| strict2.js:2:1:10:4 | (functi ... e.\\n})() | strict2.js:2:1:10:2 | (functi ... ode.\\n}) |
+| strict2.js:9:10:9:14 | foo() | strict2.js:9:10:9:12 | foo |
+| strict.js:1:1:8:4 | (functi ... e.\\n})() | strict.js:1:1:8:2 | (functi ... ode.\\n}) |
+| strict.js:7:10:7:14 | foo() | strict.js:7:10:7:12 | foo |
 | tst.js:6:1:6:3 | f() | tst.js:6:1:6:1 | f |
 | tst.js:7:1:7:3 | g() | tst.js:7:1:7:1 | g |
 | tst.js:8:1:8:3 | h() | tst.js:8:1:8:1 | h |
@@ -408,11 +431,15 @@ test_getACallee
 | m.js:3:1:3:18 | module.exports.f() | m.js:1:13:1:25 | function() {} |
 | n.js:2:1:2:5 | m.f() | m.js:1:13:1:25 | function() {} |
 | n.js:5:1:5:6 | m2.f() | m2.js:2:6:2:18 | function() {} |
+| non-strict.js:1:1:8:4 | (functi ... e.\\n})() | non-strict.js:1:2:8:1 | functio ... mode.\\n} |
+| non-strict.js:7:10:7:14 | foo() | non-strict.js:3:5:5:5 | functio ... ;\\n    } |
 | protoclass.js:4:3:4:13 | this.init() | protoclass.js:7:20:11:1 | functio ...  m();\\n} |
 | protoclass.js:8:3:8:15 | this.method() | protoclass.js:13:22:13:34 | function() {} |
 | reflection.js:7:1:7:22 | reflective call | reflection.js:1:1:3:1 | functio ...  x+y;\\n} |
 | reflection.js:8:1:8:25 | add.app ... 3, 19]) | reflection.js:5:15:5:39 | functio ... n 56; } |
 | reflection.js:8:1:8:25 | reflective call | reflection.js:1:1:3:1 | functio ...  x+y;\\n} |
+| strict2.js:2:1:10:4 | (functi ... e.\\n})() | strict2.js:2:2:10:1 | functio ... mode.\\n} |
+| strict.js:1:1:8:4 | (functi ... e.\\n})() | strict.js:1:2:8:1 | functio ... mode.\\n} |
 | tst.js:6:1:6:3 | f() | tst.js:1:1:1:15 | function f() {} |
 | tst.js:7:1:7:3 | g() | tst.js:2:9:2:21 | function() {} |
 | tst.js:8:1:8:3 | h() | tst.js:3:5:3:17 | function() {} |
@@ -463,6 +490,7 @@ test_getCalleeName
 | n.js:2:1:2:5 | m.f() | f |
 | n.js:4:10:4:24 | require('./m2') | require |
 | n.js:5:1:5:6 | m2.f() | f |
+| non-strict.js:7:10:7:14 | foo() | foo |
 | protoclass.js:4:3:4:13 | this.init() | init |
 | protoclass.js:8:3:8:15 | this.method() | method |
 | protoclass.js:9:11:9:32 | this.me ... d(this) | bind |
@@ -470,6 +498,8 @@ test_getCalleeName
 | reflection.js:4:5:4:12 | sneaky() | sneaky |
 | reflection.js:7:1:7:22 | add.cal ... 23, 19) | call |
 | reflection.js:8:1:8:25 | add.app ... 3, 19]) | apply |
+| strict2.js:9:10:9:14 | foo() | foo |
+| strict.js:7:10:7:14 | foo() | foo |
 | tst.js:6:1:6:3 | f() | f |
 | tst.js:7:1:7:3 | g() | g |
 | tst.js:8:1:8:3 | h() | h |

javascript/ql/test/library-tests/ModuleTypes/commonjs.cjs

@@ -0,0 +1,3 @@
+var fs = require("fs");
+console.log("I'm a .cjs file!");
+console.log(fs);

javascript/ql/test/library-tests/ModuleTypes/import.js

@@ -0,0 +1,5 @@
+import * as fs from "fs";
+
+export default function (x) {
+    return fs.readFileSync(x);
+};

javascript/ql/test/library-tests/ModuleTypes/mjs.mjs

@@ -0,0 +1 @@
+console.log("I'm a .mjs file!");

javascript/ql/test/library-tests/ModuleTypes/require.js

@@ -0,0 +1,7 @@
+var fs = require("fs");
+
+module.exports = {
+    foo: function (x) {
+        return fs.readFileSync(x);
+    }
+}

javascript/ql/test/library-tests/ModuleTypes/script.js

@@ -0,0 +1 @@
+console.log("I'm a plain script!");

javascript/ql/test/library-tests/ModuleTypes/tests.expected

@@ -0,0 +1,5 @@
+| commonjs.cjs:1:1:3:16 | <toplevel> | node |
+| import.js:1:1:5:2 | <toplevel> | es2015 |
+| mjs.mjs:1:1:1:32 | <toplevel> | es2015 |
+| require.js:1:1:7:1 | <toplevel> | node |
+| script.js:1:1:1:35 | <toplevel> | non-module |

javascript/ql/test/library-tests/ModuleTypes/tests.ql

@@ -0,0 +1,18 @@
+import javascript
+
+query string getModuleType(TopLevel top) {
+  not top.isExterns() and
+  (
+    not top instanceof Module and
+    result = "non-module"
+    or
+    top instanceof NodeModule and
+    result = "node"
+    or
+    top instanceof ES2015Module and
+    result = "es2015"
+    or
+    top instanceof AmdModule and
+    result = "amd"
+  )
+}

javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSubstringSanitization.expected

@@ -20,3 +20,6 @@
 | tst-IncompleteUrlSubstringSanitization.js:63:4:63:33 | x.index ...  !== -1 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:63:14:63:25 | "secure.com" | secure.com |
 | tst-IncompleteUrlSubstringSanitization.js:64:3:64:26 | x.inclu ... e.com") | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:64:14:64:25 | "secure.com" | secure.com |
 | tst-IncompleteUrlSubstringSanitization.js:66:6:66:29 | x.inclu ... e.com") | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:66:17:66:28 | "secure.com" | secure.com |
+| tst-IncompleteUrlSubstringSanitization.js:73:5:73:48 | x.index ... ") >= 0 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:73:15:73:42 | "https: ... oo/bar" | https://secure.com/foo/bar |
+| tst-IncompleteUrlSubstringSanitization.js:74:5:74:40 | x.index ... ") >= 0 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:74:15:74:34 | "https://secure.com" | https://secure.com |
+| tst-IncompleteUrlSubstringSanitization.js:75:5:75:52 | x.index ... ") >= 0 | '$@' can be anywhere in the URL, and arbitrary hosts may come before or after it. | tst-IncompleteUrlSubstringSanitization.js:75:15:75:46 | "https: ... ar-baz" | https://secure.com/foo/bar-baz |

javascript/ql/test/query-tests/Security/CWE-020/tst-IncompleteUrlSubstringSanitization.js

@@ -67,5 +67,10 @@
 
 	} else {
 		doSomeThingWithTrustedURL(x);
-	}
+    }
+    
+    x.startsWith("https://secure.com/foo/bar"); // OK - a forward slash after the domain makes prefix checks safe.
+    x.indexOf("https://secure.com/foo/bar") >= 0 // NOT OK - the url can be anywhere in the string.
+    x.indexOf("https://secure.com") >= 0 // NOT OK
+    x.indexOf("https://secure.com/foo/bar-baz") >= 0 // NOT OK - the url can be anywhere in the string.
 });