Updated modeling of aws-sdk with MaD

2026-04-28 02:05:14 +02:00 · 2025-04-28 12:38:04 +02:00
parent 654177daa7
commit 73309fb9dd
3 changed files with 102 additions and 182 deletions
--- a/javascript/ql/lib/ext/aws-sdk.model.yml
+++ b/javascript/ql/lib/ext/aws-sdk.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+    - ["aws-sdk", "AnyMember.Argument[0].Member[secretAccessKey,accessKeyId]", "credentials-key"]
+    - ["aws-sdk", "AnyMember.Member[secretAccessKey,accessKeyId]", "credentials-key"]
+    - ["aws-sdk", "Member[Credentials].Argument[0,1]", "credentials-key"]
--- a/javascript/ql/lib/semmle/javascript/frameworks/AWS.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/AWS.qll
@@ -5,74 +5,16 @@
 import javascript

 module AWS {
-  /**
-   * Gets the name of a supported AWS service.
-   */
-  private string getAwsServiceName() {
-    result =
-      [
-        "EC2", "Lambda", "ECS", "EKS", "Batch", "ElasticBeanstalk", "Lightsail", "AppRunner", "S3",
-        "EFS", "Glacier", "S3Control", "StorageGateway", "Backup", "DynamoDB", "DynamoDBStreams",
-        "RDS", "Redshift", "ElastiCache", "Neptune", "QLDB", "Athena", "Route53", "CloudFront",
-        "APIGateway", "ApiGatewayV2", "DirectConnect", "GlobalAccelerator", "CloudWatch",
-        "CloudFormation", "CloudTrail", "Config", "Organizations", "ServiceCatalog", "SSM",
-        "ResourceGroups", "IAM", "CognitoIdentity", "CognitoIdentityServiceProvider", "GuardDuty",
-        "Inspector", "KMS", "SecretsManager", "SecurityHub", "STS", "WAF", "WAFRegional",
-        "SageMaker", "Rekognition", "Comprehend", "Textract", "Translate", "Polly",
-        "LexModelBuildingService", "MachineLearning", "Personalize", "EMR", "Kinesis",
-        "KinesisAnalytics", "KinesisVideo", "QuickSight", "DataPipeline", "Glue", "LakeFormation",
-        "SNS", "SQS", "SES", "Pinpoint", "Chime", "Connect", "Amplify", "AppSync", "DeviceFarm",
-        "IoTAnalytics", "IoTEvents", "IoT1ClickDevicesService", "IoTSiteWise", "MediaConvert",
-        "MediaLive", "MediaPackage", "MediaStore", "ElasticTranscoder", "EventBridge", "MQ", "SWF",
-        "StepFunctions"
-      ]
-  }
-
-  /**
-   * Gets a node representing an import of the AWS SDK.
-   */
-  private API::Node getAwsImport() { result = API::moduleImport("aws-sdk") }
-
-  /**
-   * Gets a data flow node representing an instantiation of an AWS service.
-   */
-  private DataFlow::Node getServiceInstantation() {
-    result =
-      getAwsImport().getMember(getAwsServiceName()).getAnInstantiation().getReturn().asSource()
-  }
-
-  /**
-   * Gets a node representing the AWS global config object.
-   */
-  private API::Node getAwsConfig() { result = getAwsImport().getMember("config") }
-
-  /**
-   * Gets a property write to the AWS config object.
-   * This captures assignments to AWS.config properties.
-   */
-  private DataFlow::PropWrite configAssigment() {
-    result = getAwsConfig().asSource().getAPropertyWrite()
-  }
-
-  /**
-   * Gets a data flow node representing an instance of `new AWS.Credentials(accessKeyId, secretAccessKey)`.
-   */
-  private DataFlow::Node getCredentialsCreationNode() {
-    result = getAwsImport().getMember("Credentials").getAnInstantiation().getReturn().asSource()
-  }
-
  /**
   * Holds if the `i`th argument of `invk` is an object hash for `AWS.Config`.
   */
  private predicate takesConfigurationObject(DataFlow::InvokeNode invk, int i) {
-    exists(API::Node mod | mod = getAwsImport() |
+    exists(DataFlow::ModuleImportNode mod | mod.getPath() = "aws-sdk" |
      // `AWS.config.update(nd)`
-      invk = mod.getMember("config").getMember("update").getACall() and
+      invk = mod.getAPropertyRead("config").getAMemberCall("update") and
      i = 0
      or
-      exists(DataFlow::SourceNode cfg |
-        cfg = mod.getMember("Config").getAnInstantiation().getReturn().asSource()
-      |
+      exists(DataFlow::SourceNode cfg | cfg = mod.getAConstructorInvocation("Config") |
        // `new AWS.Config(nd)`
        invk = cfg and
        i = 0
@@ -94,42 +36,11 @@ module AWS {
      exists(string prop, DataFlow::InvokeNode invk, int i |
        takesConfigurationObject(invk, i) and
        this = invk.getOptionArgument(i, prop)
-        or
-        // `new AWS.ServiceName({ accessKeyId: <user>, secretAccessKey: <password> })`
-        invk = getServiceInstantation() and
-        i = 0 and
-        this = invk.getOptionArgument(i, prop)
      |
        prop = "accessKeyId" and kind = "user name"
        or
        prop = "secretAccessKey" and kind = "password"
      )
-      or
-      // `AWS.config.accessKeyId = <user>` or `AWS.config.secretAccessKey = <password>`
-      exists(string prop, DataFlow::PropWrite propWrite |
-        propWrite = configAssigment() and
-        this = propWrite.getRhs() and
-        prop = propWrite.getPropertyName() and
-        (
-          kind = "user name" and
-          prop = "accessKeyId"
-          or
-          kind = "password" and
-          prop = "secretAccessKey"
-        )
-      )
-      or
-      // `new AWS.Credentials({ accessKeyId: <user>, secretAccessKey: <password> })`
-      exists(DataFlow::InvokeNode invk |
-        invk = getCredentialsCreationNode() and
-        (
-          this = invk.getArgument(0) and
-          kind = "user name"
-          or
-          this = invk.getArgument(1) and
-          kind = "password"
-        )
-      )
    }

    override string getCredentialsKind() { result = kind }