improve detection of duplicate results with js/code-injection

javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql

@@ -11,7 +11,7 @@
  *       external/cwe/cwe-116
  */
 
-// TODO: Proper customizations module, Source class Sink class etc.
+// TODO: Proper customizations module, Source class Sink class etc. and qldoc.
 import javascript
 import DataFlow::PathGraph
 private import semmle.javascript.heuristics.HeuristicSinks
@@ -33,7 +33,7 @@ class Configuration extends TaintTracking::Configuration {
   }
 }
 
-private DataFlow::Node source() {
+private DataFlow::CallNode source() {
   result instanceof HtmlSanitizerCall
   or
   result = DataFlow::globalVarRef("JSON").getAMemberCall("stringify")
@@ -42,8 +42,7 @@ private DataFlow::Node source() {
 private StringOps::ConcatenationLeaf sink() {
   exists(StringOps::ConcatenationRoot root, int i |
     root.getOperand(i) = result and
-    not exists(result.getStringValue()) and
-    not root = endsInCodeInjectionSink()
+    not exists(result.getStringValue())
   |
     exists(StringOps::ConcatenationLeaf functionLeaf |
       functionLeaf = root.getOperand(any(int j | j < i))
@@ -56,19 +55,39 @@ private StringOps::ConcatenationLeaf sink() {
   )
 }
 
+DataFlow::SourceNode remoteFlow(DataFlow::TypeTracker t) {
+  t.start() and
+  result instanceof RemoteFlowSource
+  or
+  exists(DataFlow::TypeTracker t2 | result = remoteFlow(t2).track(t2, t))
+}
+
+DataFlow::SourceNode remoteFlow() { result = remoteFlow(DataFlow::TypeTracker::end()) }
+
 private DataFlow::Node endsInCodeInjectionSink(DataFlow::TypeBackTracker t) {
   t.start() and
-  (result instanceof CodeInjection::Sink or result instanceof HeuristicCodeInjectionSink) and
-  not result instanceof StringOps::ConcatenationRoot // the heuristic CodeInjection sink looks for string-concats, we are not interrested in those here.
+  (
+    result instanceof CodeInjection::Sink
+    or
+    result instanceof HeuristicCodeInjectionSink and
+    not result instanceof StringOps::ConcatenationRoot // the heuristic CodeInjection sink looks for string-concats, we are not interrested in those here.
+  )
   or
   exists(DataFlow::TypeBackTracker t2 | t = t2.smallstep(result, endsInCodeInjectionSink(t2)))
 }
 
-private DataFlow::Node endsInCodeInjectionSink() {
-  result = endsInCodeInjectionSink(DataFlow::TypeBackTracker::end())
+DataFlow::Node endsInCodeInjectionSink() {
+  result = endsInCodeInjectionSink(DataFlow::TypeBackTracker::end()) and
+  result.getFile().getBaseName() = "bad-code-sanitization.js" // TODO: TMp
 }
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+where
+  cfg.hasFlowPath(source, sink) and
+  // Basic detection of duplicate results with `js/code-injection`.
+  not (
+    sink.getNode().(StringOps::ConcatenationLeaf).getRoot() = endsInCodeInjectionSink() and
+    remoteFlow().flowsTo(source.getNode().(DataFlow::InvokeNode).getAnArgument())
+  )
 select sink.getNode(), source, sink, "$@ flows to here and is used to construct code.",
   source.getNode(), "Improperly sanitized value"

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/ImproperCodeSanitization.expected

@@ -16,12 +16,21 @@ nodes
 | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
 | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
 | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
+| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
+| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
+| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
 | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
 | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
 | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
 | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
 | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
 | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
+| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
+| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
+| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
+| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
+| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
+| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
 edges
 | bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` | bad-code-sanitization.js:7:31:7:43 | safeProp(key) |
 | bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` | bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` |
@@ -35,11 +44,16 @@ edges
 | bad-code-sanitization.js:8:27:8:36 | statements | bad-code-sanitization.js:8:27:8:46 | statements.join(';') |
 | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) |
 | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
+| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
 | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
 | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
+| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
+| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
 #select
 | bad-code-sanitization.js:8:27:8:46 | statements.join(';') | bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:8:27:8:46 | statements.join(';') | $@ flows to here and is used to construct code. | bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | Improperly sanitized value |
 | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | Improperly sanitized value |
 | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | Improperly sanitized value |
+| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | Improperly sanitized value |
 | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | Improperly sanitized value |
 | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | Improperly sanitized value |
+| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | Improperly sanitized value |

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/bad-code-sanitization.js

@@ -28,7 +28,7 @@ function test4(input) {
 }
 
 function test4(input) {
-    var foo = `(function(){${JSON.stringify(input)}))` // OK - for this query - we can type-track to a code-injection sink.
+    var foo = `(function(){${JSON.stringify(input)}))` // NOT OK - we can type-track to a code-injection sink, the source is not remote flow.
     setTimeout(foo);
 }
 
@@ -42,4 +42,14 @@ function test6(input) {
 
 function test7(input) {
     return `() => {${JSON.stringify(input)}` // NOT OK
-}
+}
+
+var express = require('express');
+
+var app = express();
+
+app.get('/some/path', function(req, res) {
+  var foo = `(function(){${JSON.stringify(req.param("wobble"))}))` // NOT - the source is remote-flow, but we know of no sink.
+
+  setTimeout(`(function(){${JSON.stringify(req.param("wobble"))}))`); // OK - the source is remote-flow, and the sink is code-injection.
+});