some changes based on review. And change to only flag unknown reads of process.env

This commit is contained in:
Erik Krogh Kristensen
2019-11-04 18:31:51 +01:00
parent 68c30aaef3
commit 850278c62f
4 changed files with 13 additions and 12 deletions


@@ -660,11 +660,11 @@ module TaintTracking {
}
/**
* A taint step through the NodeJS function `util.inspect(..)`.
* A taint step through the Node.JS function `util.inspect(..)`.
*/
class UtilInspectTaintStep extends AdditionalTaintStep, DataFlow::InvokeNode {
UtilInspectTaintStep() {
this = DataFlow::moduleImport("util").getAMethodCall("inspect")
this = DataFlow::moduleImport("util").getAMemberCall("inspect")
}
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {


@@ -35,9 +35,11 @@ module CleartextLogging {
override predicate isSanitizer(DataFlow::Node node) { node instanceof Barrier }
override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel lbl) {
// Property reads do not propagate taint.
// Only unknown property reads on `process.env` propagate taint.
not lbl instanceof ProcessEnvLabel and
succ.(DataFlow::PropRead).getBase() = pred
or
exists(succ.(DataFlow::PropRead).getPropertyName())
}
override predicate isAdditionalFlowStep(
@@ -56,13 +58,11 @@ module CleartextLogging {
)
or
// Taint through the arguments object.
exists(DataFlow::CallNode call, Function f, VarAccess var |
exists(DataFlow::CallNode call, Function f |
src = call.getAnArgument() and
f = call.getACallee() and
not call.isImprecise() and
var.getName() = "arguments" and
var.getContainer() = f and
trg.asExpr() = var
trg.asExpr() = f.getArgumentsVariable().getAnAccess()
)
}
}
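Review bot: The new second disjunct `exists(succ.(DataFlow::PropRead).getPropertyName())` in `isSanitizerEdge` leaves `pred` and `lbl` unconstrained, so it declares a sanitizer edge from every node `pred` into any property read with a statically known name, not only from the read's own base — broader than the old `getBase() = pred` condition and than the comment's "only unknown property reads on `process.env`". If this library version routes any other flow edge into a `PropRead` node (for instance a property that was stored and then read back), that edge is now blocked for every label as well; I cannot confirm from this hunk whether such edges exist, so this is worth checking against the flow-step definitions. Binding `pred` once and factoring the label condition keeps the stated intent and still gives the `process.env.PATH` / `process.env["foo" + "bar"]` split the commit is after: `succ.(DataFlow::PropRead).getBase() = pred and` followed by `(not lbl instanceof ProcessEnvLabel or exists(succ.(DataFlow::PropRead).getPropertyName()))`. The comment could then read `// Property reads do not propagate taint, except reads of a statically unknown property of \`process.env\`.` so the `lbl` role is explicit.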


@@ -114,8 +114,8 @@ nodes
| passwords.js:152:33:152:43 | process.env |
| passwords.js:154:21:154:28 | procdesc |
| passwords.js:156:17:156:27 | process.env |
| passwords.js:157:17:157:27 | process.env |
| passwords.js:157:17:157:32 | process.env.PATH |
| passwords.js:158:17:158:27 | process.env |
| passwords.js:158:17:158:42 | process ... "bar"] |
| passwords_in_browser1.js:2:13:2:20 | password |
| passwords_in_browser1.js:2:13:2:20 | password |
| passwords_in_browser1.js:2:13:2:20 | password |
@@ -235,7 +235,7 @@ edges
| passwords.js:152:20:152:63 | Util.in ... /g, '') | passwords.js:152:9:152:63 | procdesc |
| passwords.js:152:33:152:43 | process.env | passwords.js:152:20:152:44 | Util.in ... ss.env) |
| passwords.js:154:21:154:28 | procdesc | passwords.js:142:26:142:34 | arguments |
| passwords.js:157:17:157:27 | process.env | passwords.js:157:17:157:32 | process.env.PATH |
| passwords.js:158:17:158:27 | process.env | passwords.js:158:17:158:42 | process ... "bar"] |
| passwords_in_server_5.js:4:7:4:24 | req.query.password | passwords_in_server_5.js:7:12:7:12 | x |
| passwords_in_server_5.js:7:12:7:12 | x | passwords_in_server_5.js:8:17:8:17 | x |
| passwords_in_server_5.js:7:12:7:12 | x | passwords_in_server_5.js:8:17:8:17 | x |
@@ -270,7 +270,7 @@ edges
| passwords.js:142:26:142:34 | arguments | passwords.js:150:21:150:31 | process.env | passwords.js:142:26:142:34 | arguments | Sensitive data returned by $@ is logged here. | passwords.js:150:21:150:31 | process.env | process environment |
| passwords.js:142:26:142:34 | arguments | passwords.js:152:33:152:43 | process.env | passwords.js:142:26:142:34 | arguments | Sensitive data returned by $@ is logged here. | passwords.js:152:33:152:43 | process.env | process environment |
| passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env | Sensitive data returned by $@ is logged here. | passwords.js:156:17:156:27 | process.env | process environment |
| passwords.js:157:17:157:32 | process.env.PATH | passwords.js:157:17:157:27 | process.env | passwords.js:157:17:157:32 | process.env.PATH | Sensitive data returned by $@ is logged here. | passwords.js:157:17:157:27 | process.env | process environment |
| passwords.js:158:17:158:42 | process ... "bar"] | passwords.js:158:17:158:27 | process.env | passwords.js:158:17:158:42 | process ... "bar"] | Sensitive data returned by $@ is logged here. | passwords.js:158:17:158:27 | process.env | process environment |
| passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_1.js:6:13:6:20 | password | an access to password |
| passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_2.js:3:13:3:20 | password | an access to password |
| passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_3.js:2:13:2:20 | password | an access to password |


@@ -154,5 +154,6 @@ var Util = require('util');
indirectLogCall(procdesc); // NOT OK
console.log(process.env); // NOT OK
console.log(process.env.PATH); // NOT OK.
console.log(process.env.PATH); // OK.
console.log(process.env["foo" + "bar"]); // NOT OK.
});
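Review bot: The new cases pin only a dotted read (`process.env.PATH`, now OK) and a constant-concatenation index (`process.env["foo" + "bar"]`, NOT OK); the shape that motivates the "unknown read" rule in practice — an index whose key is a runtime variable — is not exercised, so the expected output does not record how the query treats it. A line such as `var key = process.argv[2]; console.log(process.env[key]); // NOT OK - key is not known statically` would cover that. It would also be useful to add a named read whose name alone suggests a secret, e.g. `console.log(process.env.DB_PASSWORD); // ?`, with the comment fixed to whatever the query reports, because after this change such reads presumably only get flagged through the name-based sensitive-data heuristics rather than the `process.env` label — worth confirming rather than assuming. The callback these lines sit in starts outside the hunk.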