add taint-step in js/insecure-randomness for selecting a random element

2026-05-01 03:35:13 +02:00 · 2022-09-08 15:00:00 +02:00
parent 8b8e74cc9a
commit a21a4275f3
3 changed files with 37 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessCustomizations.qll
@@ -104,6 +104,12 @@ module InsecureRandomness {
      pred = mc.getAnArgument() and
      succ = mc
    )
+    or
+    // selecting a random element.
+    exists(DataFlow::PropRead read | read = succ |
+      read.getPropertyNameExpr() = pred.asExpr() and
+      not exists(read.getPropertyName())
+    )
  }

  /**
--- a/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected
@@ -92,6 +92,13 @@ nodes
 | tst.js:121:18:121:30 | Math.random() |
 | tst.js:121:18:121:30 | Math.random() |
 | tst.js:121:18:121:30 | Math.random() |
+| tst.js:136:9:136:67 | password |
+| tst.js:136:9:136:67 | password |
+| tst.js:136:21:136:67 | chars[M ... ength)] |
+| tst.js:136:27:136:66 | Math.fl ... length) |
+| tst.js:136:38:136:50 | Math.random() |
+| tst.js:136:38:136:50 | Math.random() |
+| tst.js:136:38:136:65 | Math.ra ... .length |
 edges
 | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() |
 | tst.js:6:31:6:43 | Math.random() | tst.js:6:20:6:43 | "prefix ... andom() |
@@ -158,6 +165,12 @@ edges
 | tst.js:118:34:118:62 | Math.ra ... 000_000 | tst.js:118:23:118:63 | Math.fl ... 00_000) |
 | tst.js:120:16:120:28 | Math.random() | tst.js:120:16:120:28 | Math.random() |
 | tst.js:121:18:121:30 | Math.random() | tst.js:121:18:121:30 | Math.random() |
+| tst.js:136:21:136:67 | chars[M ... ength)] | tst.js:136:9:136:67 | password |
+| tst.js:136:21:136:67 | chars[M ... ength)] | tst.js:136:9:136:67 | password |
+| tst.js:136:27:136:66 | Math.fl ... length) | tst.js:136:21:136:67 | chars[M ... ength)] |
+| tst.js:136:38:136:50 | Math.random() | tst.js:136:38:136:65 | Math.ra ... .length |
+| tst.js:136:38:136:50 | Math.random() | tst.js:136:38:136:65 | Math.ra ... .length |
+| tst.js:136:38:136:65 | Math.ra ... .length | tst.js:136:27:136:66 | Math.fl ... length) |
 #select
 | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:2:20:2:32 | Math.random() | Math.random() |
 | tst.js:6:20:6:43 | "prefix ... andom() | tst.js:6:31:6:43 | Math.random() | tst.js:6:20:6:43 | "prefix ... andom() | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:6:31:6:43 | Math.random() | Math.random() |
@@ -181,3 +194,4 @@ edges
 | tst.js:118:23:118:63 | Math.fl ... 00_000) | tst.js:118:34:118:46 | Math.random() | tst.js:118:23:118:63 | Math.fl ... 00_000) | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:118:34:118:46 | Math.random() | Math.random() |
 | tst.js:120:16:120:28 | Math.random() | tst.js:120:16:120:28 | Math.random() | tst.js:120:16:120:28 | Math.random() | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:120:16:120:28 | Math.random() | Math.random() |
 | tst.js:121:18:121:30 | Math.random() | tst.js:121:18:121:30 | Math.random() | tst.js:121:18:121:30 | Math.random() | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:121:18:121:30 | Math.random() | Math.random() |
+| tst.js:136:9:136:67 | password | tst.js:136:38:136:50 | Math.random() | tst.js:136:9:136:67 | password | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:136:38:136:50 | Math.random() | Math.random() |
--- a/javascript/ql/test/query-tests/Security/CWE-338/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-338/tst.js
@@ -119,4 +119,21 @@ function uid() {
    var liquid = Math.random(); // OK
    var UUID = Math.random(); // NOT OK
    var MY_UID = Math.random(); // NOK OK
+}
+
+function buildPass(opts, length) {
+    const digits = '0123456789'.split('');
+    const letters = 'abcdefghijklmnopqrstuvwxyz'.split('');
+    const specials = '!@#$%^&*()_+{}|:"<>?[];\',./`~'.split('');
+
+    const chars = [];
+    opts.digits && chars.push(...digits);
+    opts.letters && chars.push(...letters);
+    opts.specials && chars.push(...specials);
+
+    const password = "";
+    for (let i = 0; i < length; i++) {
+        password += chars[Math.floor(Math.random() * chars.length)]; // NOT OK
+    }
+    return password;
 }