JS: add query js/memory-exhaustion

2026-04-30 19:26:02 +02:00 · 2020-06-12 10:52:20 +02:00
parent 6d6f29eb85
commit 7b97fd07a8
5 changed files with 535 additions and 0 deletions
--- a/javascript/ql/src/Security/CWE-770/MemoryExhaustion.qhelp
+++ b/javascript/ql/src/Security/CWE-770/MemoryExhaustion.qhelp
@@ -0,0 +1,22 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+	<overview>
+
+	</overview>
+
+	<recommendation>
+
+	</recommendation>
+
+	<example>
+
+	</example>
+
+	<references>
+
+	</references>
+
+</qhelp>
--- a/javascript/ql/src/Security/CWE-770/MemoryExhaustion.ql
+++ b/javascript/ql/src/Security/CWE-770/MemoryExhaustion.ql
@@ -0,0 +1,237 @@
+/**
+ * @name Memory exhaustion
+ * @description Allocating objects with user-controlled sizes
+ *              can cause memory exhaustion.
+ * @kind path-problem
+ * @problem.severity warning
+ * @id js/memory-exhaustion
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-770
+ */
+
+import javascript
+import DataFlow::PathGraph
+private import semmle.javascript.dataflow.InferredTypes
+import semmle.javascript.security.dataflow.LoopBoundInjectionCustomizations
+
+/**
+ * A data flow source for memory exhaustion vulnerabilities.
+ */
+abstract class Source extends DataFlow::Node {
+  /** Gets a flow label denoting the type of value for which this is a source. */
+  DataFlow::FlowLabel getAFlowLabel() { result.isTaint() }
+}
+
+/**
+ * A data flow sink for memory exhaustion vulnerabilities.
+ */
+abstract class Sink extends DataFlow::Node {
+  /** Gets a flow label denoting the type of value for which this is a sink. */
+  DataFlow::FlowLabel getAFlowLabel() { result instanceof Label::Number }
+}
+
+/**
+ * A data flow sanitizer for memory exhaustion vulnerabilities.
+ */
+abstract class Sanitizer extends DataFlow::Node { }
+
+/**
+ * Provides data flow labels for memory exhaustion vulnerabilities.
+ */
+module Label {
+  /**
+   * A number data flow label.
+   */
+  class Number extends DataFlow::FlowLabel {
+    Number() { this = "number" }
+  }
+}
+
+/**
+ * A data flow configuration for memory exhaustion vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "MemoryExhaustion" }
+
+  override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+    source.(Source).getAFlowLabel() = label
+  }
+
+  override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+    sink.(Sink).getAFlowLabel() = label
+  }
+
+  override predicate isAdditionalFlowStep(
+    DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel,
+    DataFlow::FlowLabel dstlabel
+  ) {
+    exists(Expr dstExpr, Expr srcExpr | dstExpr = dst.asExpr() and srcExpr = src.asExpr() |
+      // reuse taint steps
+      super.isAdditionalFlowStep(src, dst) and
+      (
+        srclabel = dstlabel and
+        not dstExpr instanceof AddExpr and
+        not dst.(DataFlow::MethodCallNode).calls(src, "toString")
+        or
+        dstlabel.isTaint() and
+        dst.(DataFlow::MethodCallNode).calls(src, "toString")
+        or
+        // this conversion step is probably covered below
+        dstlabel instanceof Label::Number and dst.(AnalyzedNode).getTheType() = TTNumber()
+      )
+      or
+      //
+      // steps that introduce or preserve a number
+      dstlabel instanceof Label::Number and
+      (
+        dst.(DataFlow::PropRead).accesses(src, ["length", "size"])
+        or
+        dstExpr.(BinaryExpr).getAnOperand() = srcExpr and
+        not dstExpr instanceof AddExpr
+        or
+        dstExpr.(PlusExpr).getOperand() = srcExpr
+        or
+        exists(DataFlow::CallNode c |
+          c = dst and
+          src = c.getAnArgument()
+        |
+          c = DataFlow::globalVarRef("Math").getAPropertyRead().getACall() or
+          c = DataFlow::globalVarRef(["Number", "parseInt", "parseFloat"]).getACall()
+        )
+      )
+      or
+      // optimistic propagation through plus if either operand is a number
+      exists(Expr operand | dstExpr.(AddExpr).hasOperands(operand, srcExpr) |
+        operand.analyze().getTheType() = TTNumber()
+        or
+        operand.flow().getALocalSource().(DataFlow::PropRead).getPropertyName() = "length"
+        or
+        srclabel instanceof Label::Number and
+        // unless the result provably is a string
+        not operand.analyze().getTheType() = TTString()
+      )
+    )
+  }
+
+  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+    guard instanceof LoopBoundInjection::LengthCheckSanitizerGuard or
+    guard instanceof UpperBoundsCheckSanitizerGuard or
+    guard instanceof TypeTestGuard
+  }
+}
+
+/**
+ * A sanitizer that blocks taint flow if the size of a number is limited.
+ */
+class UpperBoundsCheckSanitizerGuard extends TaintTracking::LabeledSanitizerGuardNode,
+  DataFlow::ValueNode {
+  override RelationalComparison astNode;
+
+  override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+    label instanceof Label::Number and
+    (
+      true = outcome and
+      e = astNode.getLesserOperand()
+      or
+      false = outcome and
+      e = astNode.getGreaterOperand()
+    )
+  }
+}
+
+/**
+ * A test of form `typeof x === "something"`, preventing `x` from being a number in some cases.
+ */
+private class TypeTestGuard extends TaintTracking::LabeledSanitizerGuardNode, DataFlow::ValueNode {
+  override EqualityTest astNode;
+  TypeofExpr typeof;
+  boolean polarity;
+
+  TypeTestGuard() {
+    astNode.getAnOperand() = typeof and
+    (
+      // typeof x === "number" sanitizes `x` when it evaluates to false
+      astNode.getAnOperand().getStringValue() = "number" and
+      polarity = astNode.getPolarity().booleanNot()
+      or
+      // typeof x === "string" sanitizes `x` when it evaluates to true
+      astNode.getAnOperand().getStringValue() != "number" and
+      polarity = astNode.getPolarity()
+    )
+  }
+
+  override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+    polarity = outcome and
+    e = typeof.getOperand() and
+    label instanceof Label::Number
+  }
+}
+
+/** A source of remote user input, considered as a data flow source for memory exhaustion vulnerabilities. */
+class RemoteFlowSourceAsSource extends Source {
+  RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+}
+
+/**
+ * A node that determines the size of a buffer, considered as a data flow sink for memory exhaustion vulnerabilities.
+ */
+class BufferSizeSink extends Sink {
+  BufferSizeSink() {
+    exists(DataFlow::SourceNode clazz, DataFlow::InvokeNode invk, int index |
+      clazz = DataFlow::globalVarRef("Buffer") and this = invk.getArgument(index)
+    |
+      exists(string name |
+        invk = clazz.getAMemberCall(name) and
+        (
+          name = "from" and index = 2
+          or
+          name = ["alloc", "allocUnsafe", "allocUnsafeSlow"] and index = 0
+        )
+      )
+      or
+      invk = clazz.getAnInvocation() and
+      invk.getNumArgument() = 1 and
+      index = 0
+      or
+      invk.getNumArgument() = 3 and index = 2
+    )
+    or
+    this = DataFlow::globalVarRef("SlowBuffer").getAnInstantiation().getArgument(0)
+  }
+}
+
+/**
+ * A node that determines the size of an array, considered as a data flow sink for memory exhaustion vulnerabilities.
+ */
+class DenseArraySizeSink extends Sink {
+  DenseArraySizeSink() {
+    // Arrays are sparse by default, so we must also look at how the array is used
+    exists(DataFlow::ArrayConstructorInvokeNode instance |
+      this = instance.getArgument(0) and
+      instance.getNumArgument() = 1
+    |
+      exists(instance.getAMethodCall(["map", "fill", "join", "toString"])) or
+      instance.flowsToExpr(any(AddExpr p).getAnOperand())
+    )
+  }
+}
+
+/**
+ * A node that determines the repetitions of a string, considered as a data flow sink for memory exhaustion vulnerabilities.
+ */
+class StringRepetitionSink extends Sink {
+  StringRepetitionSink() {
+    exists(DataFlow::MethodCallNode repeat |
+      repeat.getMethodName() = "repeat" and
+      this = repeat.getArgument(0)
+    )
+  }
+
+  override DataFlow::FlowLabel getAFlowLabel() { any() }
+}
+
+from Configuration dataflow, DataFlow::PathNode source, DataFlow::PathNode sink
+where dataflow.hasFlowPath(source, sink)
+select sink, source, sink, "This allocates an object with a user-controlled size from $@.", source,
+  "here"
--- a/javascript/ql/test/query-tests/Security/CWE-770/MemoryExhaustion.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-770/MemoryExhaustion.expected
@@ -0,0 +1,193 @@
+nodes
+| memory-exhaustion.js:6:7:6:42 | s |
+| memory-exhaustion.js:6:11:6:34 | url.par ... , true) |
+| memory-exhaustion.js:6:11:6:40 | url.par ... ).query |
+| memory-exhaustion.js:6:11:6:42 | url.par ... query.s |
+| memory-exhaustion.js:6:21:6:27 | req.url |
+| memory-exhaustion.js:6:21:6:27 | req.url |
+| memory-exhaustion.js:7:7:7:21 | n |
+| memory-exhaustion.js:7:11:7:21 | parseInt(s) |
+| memory-exhaustion.js:7:20:7:20 | s |
+| memory-exhaustion.js:13:21:13:21 | n |
+| memory-exhaustion.js:13:21:13:21 | n |
+| memory-exhaustion.js:14:21:14:21 | n |
+| memory-exhaustion.js:14:21:14:21 | n |
+| memory-exhaustion.js:15:16:15:16 | n |
+| memory-exhaustion.js:15:16:15:16 | n |
+| memory-exhaustion.js:16:22:16:22 | n |
+| memory-exhaustion.js:16:22:16:22 | n |
+| memory-exhaustion.js:17:26:17:26 | n |
+| memory-exhaustion.js:17:26:17:26 | n |
+| memory-exhaustion.js:19:14:19:14 | n |
+| memory-exhaustion.js:19:14:19:14 | n |
+| memory-exhaustion.js:21:20:21:20 | n |
+| memory-exhaustion.js:21:20:21:20 | n |
+| memory-exhaustion.js:23:18:23:18 | n |
+| memory-exhaustion.js:23:18:23:18 | n |
+| memory-exhaustion.js:28:9:28:9 | n |
+| memory-exhaustion.js:28:9:28:9 | n |
+| memory-exhaustion.js:29:13:29:13 | n |
+| memory-exhaustion.js:29:13:29:13 | n |
+| memory-exhaustion.js:30:9:30:9 | n |
+| memory-exhaustion.js:30:9:30:9 | n |
+| memory-exhaustion.js:31:9:31:9 | n |
+| memory-exhaustion.js:31:9:31:9 | n |
+| memory-exhaustion.js:32:9:32:9 | n |
+| memory-exhaustion.js:32:9:32:9 | n |
+| memory-exhaustion.js:33:9:33:9 | n |
+| memory-exhaustion.js:33:9:33:9 | n |
+| memory-exhaustion.js:35:12:35:12 | n |
+| memory-exhaustion.js:35:12:35:12 | n |
+| memory-exhaustion.js:36:12:36:12 | s |
+| memory-exhaustion.js:36:12:36:12 | s |
+| memory-exhaustion.js:38:14:38:14 | n |
+| memory-exhaustion.js:38:14:38:18 | n * x |
+| memory-exhaustion.js:38:14:38:18 | n * x |
+| memory-exhaustion.js:39:14:39:14 | n |
+| memory-exhaustion.js:39:14:39:18 | n + n |
+| memory-exhaustion.js:39:14:39:18 | n + n |
+| memory-exhaustion.js:39:18:39:18 | n |
+| memory-exhaustion.js:40:14:40:14 | n |
+| memory-exhaustion.js:40:14:40:18 | n + x |
+| memory-exhaustion.js:40:14:40:18 | n + x |
+| memory-exhaustion.js:41:14:41:14 | n |
+| memory-exhaustion.js:41:14:41:18 | n + s |
+| memory-exhaustion.js:41:14:41:18 | n + s |
+| memory-exhaustion.js:42:14:42:14 | s |
+| memory-exhaustion.js:42:14:42:18 | s + 2 |
+| memory-exhaustion.js:42:14:42:18 | s + 2 |
+| memory-exhaustion.js:46:14:46:25 | Math.ceil(s) |
+| memory-exhaustion.js:46:14:46:25 | Math.ceil(s) |
+| memory-exhaustion.js:46:24:46:24 | s |
+| memory-exhaustion.js:47:14:47:22 | Number(s) |
+| memory-exhaustion.js:47:14:47:22 | Number(s) |
+| memory-exhaustion.js:47:21:47:21 | s |
+| memory-exhaustion.js:50:14:50:14 | s |
+| memory-exhaustion.js:50:14:50:25 | s + x.length |
+| memory-exhaustion.js:50:14:50:25 | s + x.length |
+| memory-exhaustion.js:51:14:51:14 | s |
+| memory-exhaustion.js:51:14:51:21 | s.length |
+| memory-exhaustion.js:51:14:51:21 | s.length |
+| memory-exhaustion.js:56:16:56:16 | n |
+| memory-exhaustion.js:56:16:56:16 | n |
+| memory-exhaustion.js:59:7:59:20 | ns |
+| memory-exhaustion.js:59:12:59:20 | x ? n : s |
+| memory-exhaustion.js:59:16:59:16 | n |
+| memory-exhaustion.js:60:14:60:15 | ns |
+| memory-exhaustion.js:60:14:60:15 | ns |
+| memory-exhaustion.js:67:16:67:16 | n |
+| memory-exhaustion.js:67:16:67:16 | n |
+| memory-exhaustion.js:71:16:71:16 | n |
+| memory-exhaustion.js:71:16:71:16 | n |
+edges
+| memory-exhaustion.js:6:7:6:42 | s | memory-exhaustion.js:7:20:7:20 | s |
+| memory-exhaustion.js:6:7:6:42 | s | memory-exhaustion.js:36:12:36:12 | s |
+| memory-exhaustion.js:6:7:6:42 | s | memory-exhaustion.js:36:12:36:12 | s |
+| memory-exhaustion.js:6:7:6:42 | s | memory-exhaustion.js:42:14:42:14 | s |
+| memory-exhaustion.js:6:7:6:42 | s | memory-exhaustion.js:46:24:46:24 | s |
+| memory-exhaustion.js:6:7:6:42 | s | memory-exhaustion.js:47:21:47:21 | s |
+| memory-exhaustion.js:6:7:6:42 | s | memory-exhaustion.js:50:14:50:14 | s |
+| memory-exhaustion.js:6:7:6:42 | s | memory-exhaustion.js:51:14:51:14 | s |
+| memory-exhaustion.js:6:11:6:34 | url.par ... , true) | memory-exhaustion.js:6:11:6:40 | url.par ... ).query |
+| memory-exhaustion.js:6:11:6:40 | url.par ... ).query | memory-exhaustion.js:6:11:6:42 | url.par ... query.s |
+| memory-exhaustion.js:6:11:6:42 | url.par ... query.s | memory-exhaustion.js:6:7:6:42 | s |
+| memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:6:11:6:34 | url.par ... , true) |
+| memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:6:11:6:34 | url.par ... , true) |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:13:21:13:21 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:13:21:13:21 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:14:21:14:21 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:14:21:14:21 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:15:16:15:16 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:15:16:15:16 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:16:22:16:22 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:16:22:16:22 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:17:26:17:26 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:17:26:17:26 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:19:14:19:14 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:19:14:19:14 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:21:20:21:20 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:21:20:21:20 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:23:18:23:18 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:23:18:23:18 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:28:9:28:9 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:28:9:28:9 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:29:13:29:13 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:29:13:29:13 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:30:9:30:9 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:30:9:30:9 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:31:9:31:9 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:31:9:31:9 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:32:9:32:9 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:32:9:32:9 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:33:9:33:9 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:33:9:33:9 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:35:12:35:12 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:35:12:35:12 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:38:14:38:14 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:39:14:39:14 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:39:18:39:18 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:40:14:40:14 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:41:14:41:14 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:56:16:56:16 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:56:16:56:16 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:59:16:59:16 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:67:16:67:16 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:67:16:67:16 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:71:16:71:16 | n |
+| memory-exhaustion.js:7:7:7:21 | n | memory-exhaustion.js:71:16:71:16 | n |
+| memory-exhaustion.js:7:11:7:21 | parseInt(s) | memory-exhaustion.js:7:7:7:21 | n |
+| memory-exhaustion.js:7:20:7:20 | s | memory-exhaustion.js:7:11:7:21 | parseInt(s) |
+| memory-exhaustion.js:38:14:38:14 | n | memory-exhaustion.js:38:14:38:18 | n * x |
+| memory-exhaustion.js:38:14:38:14 | n | memory-exhaustion.js:38:14:38:18 | n * x |
+| memory-exhaustion.js:39:14:39:14 | n | memory-exhaustion.js:39:14:39:18 | n + n |
+| memory-exhaustion.js:39:14:39:14 | n | memory-exhaustion.js:39:14:39:18 | n + n |
+| memory-exhaustion.js:39:18:39:18 | n | memory-exhaustion.js:39:14:39:18 | n + n |
+| memory-exhaustion.js:39:18:39:18 | n | memory-exhaustion.js:39:14:39:18 | n + n |
+| memory-exhaustion.js:40:14:40:14 | n | memory-exhaustion.js:40:14:40:18 | n + x |
+| memory-exhaustion.js:40:14:40:14 | n | memory-exhaustion.js:40:14:40:18 | n + x |
+| memory-exhaustion.js:41:14:41:14 | n | memory-exhaustion.js:41:14:41:18 | n + s |
+| memory-exhaustion.js:41:14:41:14 | n | memory-exhaustion.js:41:14:41:18 | n + s |
+| memory-exhaustion.js:42:14:42:14 | s | memory-exhaustion.js:42:14:42:18 | s + 2 |
+| memory-exhaustion.js:42:14:42:14 | s | memory-exhaustion.js:42:14:42:18 | s + 2 |
+| memory-exhaustion.js:46:24:46:24 | s | memory-exhaustion.js:46:14:46:25 | Math.ceil(s) |
+| memory-exhaustion.js:46:24:46:24 | s | memory-exhaustion.js:46:14:46:25 | Math.ceil(s) |
+| memory-exhaustion.js:47:21:47:21 | s | memory-exhaustion.js:47:14:47:22 | Number(s) |
+| memory-exhaustion.js:47:21:47:21 | s | memory-exhaustion.js:47:14:47:22 | Number(s) |
+| memory-exhaustion.js:50:14:50:14 | s | memory-exhaustion.js:50:14:50:25 | s + x.length |
+| memory-exhaustion.js:50:14:50:14 | s | memory-exhaustion.js:50:14:50:25 | s + x.length |
+| memory-exhaustion.js:51:14:51:14 | s | memory-exhaustion.js:51:14:51:21 | s.length |
+| memory-exhaustion.js:51:14:51:14 | s | memory-exhaustion.js:51:14:51:21 | s.length |
+| memory-exhaustion.js:59:7:59:20 | ns | memory-exhaustion.js:60:14:60:15 | ns |
+| memory-exhaustion.js:59:7:59:20 | ns | memory-exhaustion.js:60:14:60:15 | ns |
+| memory-exhaustion.js:59:12:59:20 | x ? n : s | memory-exhaustion.js:59:7:59:20 | ns |
+| memory-exhaustion.js:59:16:59:16 | n | memory-exhaustion.js:59:12:59:20 | x ? n : s |
+#select
+| memory-exhaustion.js:13:21:13:21 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:13:21:13:21 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:14:21:14:21 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:14:21:14:21 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:15:16:15:16 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:15:16:15:16 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:16:22:16:22 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:16:22:16:22 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:17:26:17:26 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:17:26:17:26 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:19:14:19:14 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:19:14:19:14 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:21:20:21:20 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:21:20:21:20 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:23:18:23:18 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:23:18:23:18 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:28:9:28:9 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:28:9:28:9 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:29:13:29:13 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:29:13:29:13 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:30:9:30:9 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:30:9:30:9 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:31:9:31:9 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:31:9:31:9 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:32:9:32:9 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:32:9:32:9 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:33:9:33:9 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:33:9:33:9 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:35:12:35:12 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:35:12:35:12 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:36:12:36:12 | s | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:36:12:36:12 | s | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:38:14:38:18 | n * x | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:38:14:38:18 | n * x | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:39:14:39:18 | n + n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:39:14:39:18 | n + n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:40:14:40:18 | n + x | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:40:14:40:18 | n + x | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:41:14:41:18 | n + s | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:41:14:41:18 | n + s | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:42:14:42:18 | s + 2 | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:42:14:42:18 | s + 2 | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:46:14:46:25 | Math.ceil(s) | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:46:14:46:25 | Math.ceil(s) | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:47:14:47:22 | Number(s) | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:47:14:47:22 | Number(s) | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:50:14:50:25 | s + x.length | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:50:14:50:25 | s + x.length | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:51:14:51:21 | s.length | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:51:14:51:21 | s.length | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:56:16:56:16 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:56:16:56:16 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:60:14:60:15 | ns | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:60:14:60:15 | ns | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:67:16:67:16 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:67:16:67:16 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
+| memory-exhaustion.js:71:16:71:16 | n | memory-exhaustion.js:6:21:6:27 | req.url | memory-exhaustion.js:71:16:71:16 | n | This allocates an object with a user-controlled size from $@. | memory-exhaustion.js:6:21:6:27 | req.url | here |
--- a/javascript/ql/test/query-tests/Security/CWE-770/MemoryExhaustion.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-770/MemoryExhaustion.qlref
@@ -0,0 +1 @@
+Security/CWE-770/MemoryExhaustion.ql
--- a/javascript/ql/test/query-tests/Security/CWE-770/memory-exhaustion.js
+++ b/javascript/ql/test/query-tests/Security/CWE-770/memory-exhaustion.js
@@ -0,0 +1,82 @@
+var http = require("http"),
+  url = require("url"),
+  fs = require("fs");
+
+var server = http.createServer(function(req, res) {
+  let s = url.parse(req.url, true).query.s;
+  let n = parseInt(s);
+
+  Buffer.from(s); // OK
+  Buffer.from(n); // OK
+  Buffer.from(x, n); // OK
+  Buffer.from(x, y, s); // NOT OK
+  Buffer.from(x, y, n); // NOT OK
+  Buffer.from(x, y, n); // NOT OK
+  Buffer.alloc(n); // NOT OK
+  Buffer.allocUnsafe(n); // NOT OK
+  Buffer.allocUnsafeSlow(n); // NOT OK
+
+  new Buffer(n); // NOT OK
+  new Buffer(x, n); // OK
+  new Buffer(x, y, n); // NOT OK
+
+  new SlowBuffer(n); // NOT OK
+
+  Array(n); // OK
+  new Array(n); // OK
+
+  Array(n).map(); // NOT OK
+  new Array(n).map(); // NOT OK
+  Array(n).fill(); // NOT OK
+  Array(n).join(); // NOT OK
+  Array(n).toString(); // NOT OK
+  Array(n) + x; // NOT OK
+
+  x.repeat(n); // NOT OK
+  x.repeat(s); // NOT OK
+
+  new Buffer(n * x); // NOT OK
+  new Buffer(n + n); // NOT OK
+  new Buffer(n + x); // NOT OK (maybe)
+  new Buffer(n + s); // OK [INCONSISTENCY]: this is  a string if `s` is a string
+  new Buffer(s + 2); // OK [INCONSISTENCY]: this is  a string if `s` is a string
+  new Buffer(s + s); // OK
+  new Buffer(n + "X"); // OK
+
+  new Buffer(Math.ceil(s)); // NOT OK
+  new Buffer(Number(s)); // NOT OK
+  new Buffer(new Number(s)); // OK
+
+  new Buffer(s + x.length); // OK [INCONSISTENCY]: this is a string if `s` is a string
+  new Buffer(s.length); // NOT OK
+
+  if (n < 100) {
+    new Buffer(n); // OK
+  } else {
+    new Buffer(n); // NOT OK
+  }
+
+  let ns = x ? n : s;
+  new Buffer(ns); // NOT OK
+
+  new Buffer(n.toString()); // OK
+
+  if (typeof n === "string") {
+    new Buffer(n); // OK
+  } else {
+    new Buffer(n); // NOT OK
+  }
+
+  if (typeof n === "number") {
+    new Buffer(n); // NOT OK
+  } else {
+    new Buffer(n); // OK
+  }
+
+  if (typeof s === "number") {
+    new Buffer(s); // NOT OK [INCONSISTENCY]
+  } else {
+    new Buffer(s); // OK
+  }
+
+});