Merge branch main into rc/3.6

2026-04-30 03:05:15 +02:00 · 2022-06-21 11:15:25 +01:00
parent d7d409f125 091299668a
commit ad02b85efa
1296 changed files with 64800 additions and 9671 deletions
--- a/javascript/ql/src/Declarations/UnusedProperty.ql
+++ b/javascript/ql/src/Declarations/UnusedProperty.ql
@@ -27,6 +27,8 @@ predicate hasUnknownPropertyRead(LocalObject obj) {
  or
  exists(obj.getAPropertyRead("hasOwnProperty"))
  or
+  obj.flowsTo(DataFlow::globalVarRef("Object").getAMemberCall("hasOwn").getArgument(0))
+  or
  exists(obj.getAPropertyRead("propertyIsEnumerable"))
 }

--- a/javascript/ql/src/Performance/PolynomialReDoS.qhelp
+++ b/javascript/ql/src/Performance/PolynomialReDoS.qhelp
@@ -71,7 +71,7 @@
 		</p>

 		<sample language="javascript">
-			^0\.\d+E?\d+$ // BAD
+			/^0\.\d+E?\d+$/.test(str) // BAD
 		</sample>

 		<p>
--- a/javascript/ql/src/Security/CWE-020/MissingOriginCheck.ql
+++ b/javascript/ql/src/Security/CWE-020/MissingOriginCheck.ql
@@ -9,6 +9,7 @@
 * @tags correctness
 *       security
 *       external/cwe/cwe-020
+ *       external/cwe/cwe-940
 */

 import javascript
--- a/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
+++ b/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
@@ -45,7 +45,7 @@ where
    or
    // the same thing, but with API-nodes if they happen to be available
    exists(API::Node tlsInvk | tlsInvk.getAnInvocation() = tlsInvocation() |
-      disable.getRhs() = tlsInvk.getAParameter().getMember("rejectUnauthorized").getARhs()
+      disable.getRhs() = tlsInvk.getAParameter().getMember("rejectUnauthorized").asSink()
    )
  ) and
  disable.getRhs().(AnalyzedNode).getTheBooleanValue() = false
--- a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
+++ b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
@@ -143,7 +143,7 @@ API::CallNode passportAuthenticateCall() {
 */
 API::CallNode nonSessionBasedAuthMiddleware() {
  result = passportAuthenticateCall() and
-  result.getParameter(1).getMember("session").getARhs().mayHaveBooleanValue(false)
+  result.getParameter(1).getMember("session").asSink().mayHaveBooleanValue(false)
 }

 /**
--- a/javascript/ql/src/Security/CWE-598/SensitiveGetQuery.ql
+++ b/javascript/ql/src/Security/CWE-598/SensitiveGetQuery.ql
@@ -14,12 +14,12 @@
 import javascript

 from
-  Express::RouteSetup setup, Express::RouteHandler handler, Express::RequestInputAccess input,
+  Routing::RouteSetup setup, Routing::RouteHandler handler, HTTP::RequestInputAccess input,
  SensitiveExpr sensitive
 where
-  setup.getRequestMethod() = "GET" and
-  handler = setup.getARouteHandler() and
-  input.getRouteHandler() = handler and
+  setup.getOwnHttpMethod() = "GET" and
+  setup.getAChild+() = handler and
+  input.getRouteHandler() = handler.getFunction() and
  input.getKind() = "parameter" and
  input.(DataFlow::SourceNode).flowsToExpr(sensitive) and
  not sensitive.getClassification() = SensitiveDataClassification::id()
--- a/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
+++ b/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
@@ -339,19 +339,16 @@ class AllowListEqualityGuard extends DataFlow::LabeledBarrierGuardNode, ValueNod
 * but the destination object generally doesn't. It is therefore only a sanitizer when
 * used on the destination object.
 */
-class HasOwnPropertyGuard extends DataFlow::BarrierGuardNode, CallNode {
+class HasOwnPropertyGuard extends DataFlow::BarrierGuardNode instanceof HasOwnPropertyCall {
  HasOwnPropertyGuard() {
-    // Make sure we handle reflective calls since libraries love to do that.
-    getCalleeNode().getALocalSource().(DataFlow::PropRead).getPropertyName() = "hasOwnProperty" and
-    exists(getReceiver()) and
    // Try to avoid `src.hasOwnProperty` by requiring that the receiver
    // does not locally have its properties enumerated. Typically there is no
    // reason to enumerate the properties of the destination object.
-    not arePropertiesEnumerated(getReceiver().getALocalSource())
+    not arePropertiesEnumerated(super.getObject().getALocalSource())
  }

  override predicate blocks(boolean outcome, Expr e) {
-    e = getArgument(0).asExpr() and outcome = true
+    e = super.getProperty().asExpr() and outcome = true
  }
 }

--- a/javascript/ql/src/change-notes/2022-05-24-resource-exhaustion-no-buffer.from.md
+++ b/javascript/ql/src/change-notes/2022-05-24-resource-exhaustion-no-buffer.from.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* The `js/resource-exhaustion` query no longer treats the 3-argument version of `Buffer.from` as a sink,
+  since it does not allocate a new buffer.
--- a/javascript/ql/src/meta/ApiGraphs/ApiGraphRhsNodes.ql
+++ b/javascript/ql/src/meta/ApiGraphs/ApiGraphRhsNodes.ql
@@ -12,4 +12,4 @@
 import javascript
 import meta.MetaMetrics

-select projectRoot(), count(any(API::Node nd).getARhs())
+select projectRoot(), count(any(API::Node nd).asSink())
--- a/javascript/ql/src/meta/ApiGraphs/ApiGraphUseNodes.ql
+++ b/javascript/ql/src/meta/ApiGraphs/ApiGraphUseNodes.ql
@@ -11,4 +11,4 @@
 import javascript
 import meta.MetaMetrics

-select projectRoot(), count(any(API::Node nd).getAUse())
+select projectRoot(), count(any(API::Node nd).getAValueReachableFromSource())
--- a/javascript/ql/src/meta/alerts/LibraryInputs.ql
+++ b/javascript/ql/src/meta/alerts/LibraryInputs.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Library inputs
+ * @description An input coming from the client of a library
+ * @kind problem
+ * @problem.severity recommendation
+ * @id js/meta/alerts/library-inputs
+ * @tags meta
+ * @precision very-low
+ */
+
+import javascript
+import semmle.javascript.PackageExports
+
+select getALibraryInputParameter(), "Library input"
--- a/javascript/ql/src/meta/analysis-quality/UnmodelledSteps.ql
+++ b/javascript/ql/src/meta/analysis-quality/UnmodelledSteps.ql
@@ -0,0 +1,42 @@
+/**
+ * @name Unmodeled step
+ * @description A potential step from an argument to a return that has no data/taint step.
+ * @kind metric
+ * @metricType project
+ * @metricAggregate sum
+ * @tags meta
+ * @id js/meta/unmodeled-step
+ */
+
+import javascript
+import meta.MetaMetrics
+private import Expressions.ExprHasNoEffect
+import meta.internal.TaintMetrics
+
+predicate unmodeled(API::Node callee, API::CallNode call, DataFlow::Node pred, DataFlow::Node succ) {
+  callee.getACall() = call and
+  pred = call.getAnArgument() and
+  succ = call and
+  not inVoidContext(succ.asExpr()) and // void calls are irrelevant
+  not call.getAnArgument() = relevantTaintSink() and // calls with sinks are considered modeled
+  // we assume taint to the return value means the call is modeled
+  not (
+    TaintTracking::sharedTaintStep(_, succ)
+    or
+    DataFlow::SharedFlowStep::step(_, succ)
+    or
+    DataFlow::SharedFlowStep::step(_, succ, _, _)
+    or
+    DataFlow::SharedFlowStep::loadStep(_, succ, _)
+    or
+    DataFlow::SharedFlowStep::storeStep(_, succ, _)
+    or
+    DataFlow::SharedFlowStep::loadStoreStep(_, succ, _, _)
+    or
+    DataFlow::SharedFlowStep::loadStoreStep(_, succ, _)
+  ) and
+  not pred.getFile() instanceof IgnoredFile and
+  not succ.getFile() instanceof IgnoredFile
+}
+
+select projectRoot(), count(DataFlow::Node pred, DataFlow::Node succ | unmodeled(_, _, pred, succ))