Merge branch 'main' into js-threat-models

2026-04-26 17:25:19 +02:00 · 2024-11-01 10:48:32 +01:00
parent dc8e645594 03ffaac87a
commit c0ad9ba529
660 changed files with 80032 additions and 72643 deletions
--- a/javascript/extractor/src/com/semmle/js/extractor/HTMLExtractor.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/HTMLExtractor.java
@@ -184,8 +184,9 @@ public class HTMLExtractor implements IExtractor {
  private static final Pattern ANGULAR_FOR_LOOP_DECL =
      Pattern.compile("^ *let +(\\w+) +of(?: +|(?!\\w))(.*)");

+  /** Attribute names that look valid in HTML or in one of the template languages we support, like Vue and Angular. */
  private static final Pattern VALID_ATTRIBUTE_NAME =
-      Pattern.compile("\\*?\\[?\\(?[\\w:_\\-]+\\]?\\)?");
+      Pattern.compile("[*:@]?\\[?\\(?[\\w:_\\-.]+\\]?\\)?");

  /** List of HTML attributes whose value is interpreted as JavaScript. */
  private static final Pattern JS_ATTRIBUTE =
--- a/javascript/extractor/src/com/semmle/js/extractor/Main.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/Main.java
@@ -41,7 +41,7 @@ public class Main {
   * A version identifier that should be updated every time the extractor changes in such a way that
   * it may produce different tuples for the same file under the same {@link ExtractorConfig}.
   */
-  public static final String EXTRACTOR_VERSION = "2024-04-17";
+  public static final String EXTRACTOR_VERSION = "2024-10-29";

  public static final Pattern NEWLINE = Pattern.compile("\n");

--- a/javascript/ql/test/library-tests/frameworks/Vue/special-syntax.vue
+++ b/javascript/ql/test/library-tests/frameworks/Vue/special-syntax.vue
@@ -0,0 +1,5 @@
+<template>
+  <Blah :colonProp="x" @atProp="x" />
+  <Blah :colonField.field="x" />
+</template>
+<script></script>
--- a/javascript/ql/test/library-tests/frameworks/Vue/tests.expected
+++ b/javascript/ql/test/library-tests/frameworks/Vue/tests.expected
@@ -76,6 +76,7 @@ component
 | single-file-component-3.vue:0:0:0:0 | single-file-component-3.vue |
 | single-file-component-4.vue:0:0:0:0 | single-file-component-4.vue |
 | single-file-component-5.vue:0:0:0:0 | single-file-component-5.vue |
+| special-syntax.vue:0:0:0:0 | special-syntax.vue |
 | tst.js:3:1:10:2 | new Vue ... 2\\n\\t}\\n}) |
 | tst.js:12:1:16:2 | new Vue ... \\t}),\\n}) |
 | tst.js:18:1:27:2 | Vue.com ... }\\n\\t}\\n}) |
@@ -126,6 +127,10 @@ templateElement
 | single-file-component-5.vue:2:5:18:9 | <p>...</> |
 | single-file-component-5.vue:4:1:16:9 | <script>...</> |
 | single-file-component-5.vue:17:1:18:8 | <style>...</> |
+| special-syntax.vue:1:1:4:11 | <template>...</> |
+| special-syntax.vue:2:3:2:37 | <blah>...</> |
+| special-syntax.vue:3:3:3:32 | <blah>...</> |
+| special-syntax.vue:5:1:5:17 | <script>...</> |
 xssSink
 | compont-with-route.vue:2:8:2:21 | v-html=dataA |
 | single-component-file-1.vue:2:8:2:21 | v-html=dataA |
@@ -161,3 +166,15 @@ remoteFlowSource
 | router.js:30:5:30:14 | from.query |
 | router.js:34:5:34:12 | to.query |
 | router.js:35:5:35:14 | from.query |
+parseErrors
+attribute
+| compont-with-route.vue:2:8:2:21 | v-html=dataA | v-html |
+| single-component-file-1.vue:2:8:2:21 | v-html=dataA | v-html |
+| single-file-component-2.vue:2:8:2:21 | v-html=dataA | v-html |
+| single-file-component-3.vue:2:8:2:21 | v-html=dataA | v-html |
+| single-file-component-3.vue:4:9:4:49 | src=./single-file-component-3-script.js | src |
+| single-file-component-4.vue:2:8:2:21 | v-html=dataA | v-html |
+| single-file-component-5.vue:2:8:2:21 | v-html=dataA | v-html |
+| special-syntax.vue:2:9:2:22 | :colonProp=x | :colonProp |
+| special-syntax.vue:2:24:2:34 | @atProp=x | @atProp |
+| special-syntax.vue:3:9:3:29 | :colonField.field=x | :colonField.field |
--- a/javascript/ql/test/library-tests/frameworks/Vue/tests.ql
+++ b/javascript/ql/test/library-tests/frameworks/Vue/tests.ql
@@ -20,3 +20,7 @@ query predicate templateElement(Vue::Template::Element template) { any() }
 query predicate xssSink(DomBasedXss::Sink s) { any() }

 query RemoteFlowSource remoteFlowSource() { any() }
+
+query predicate parseErrors(JSParseError err) { exists(err) }
+
+query predicate attribute(HTML::Attribute attrib, string name) { attrib.getName() = name }
--- a/javascript/ql/test/query-tests/Security/CWE-611/Xxe.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-611/Xxe.qlref
@@ -1 +1,2 @@
-Security/CWE-611/Xxe.ql
+query: Security/CWE-611/Xxe.ql
+postprocess: testUtilities/InlineExpectationsTestQuery.ql
--- a/javascript/ql/test/query-tests/Security/CWE-611/domparser.js
+++ b/javascript/ql/test/query-tests/Security/CWE-611/domparser.js
@@ -1,5 +1,5 @@
 function test() {
-  var src = document.location.search;
+  var src = document.location.search; // $ Source=search

  if (window.DOMParser) {
    // OK: DOMParser only expands internal general entities
@@ -8,10 +8,10 @@ function test() {
    var parser;
    try {
      // NOT OK: XMLDOM expands external entities by default
-      (new ActiveXObject("Microsoft.XMLDOM")).loadXML(src);
+      (new ActiveXObject("Microsoft.XMLDOM")).loadXML(src); // $ Alert=search
    } catch (e) {
      // NOT OK: MSXML expands external entities by default
-      (new ActiveXObject("Msxml2.DOMDocument")).loadXML(src);
+      (new ActiveXObject("Msxml2.DOMDocument")).loadXML(src); // $ Alert=search
    }
  }
 }
--- a/javascript/ql/test/query-tests/Security/CWE-611/libxml.noent.js
+++ b/javascript/ql/test/query-tests/Security/CWE-611/libxml.noent.js
@@ -1,20 +1,20 @@
 const express = require('express');
 const libxmljs = require('libxmljs');

-express().get('/some/path', function(req) {
+express().get('/some/path', function (req) {
  // NOT OK: unguarded entity expansion
-  libxmljs.parseXml(req.param("some-xml"), { noent: true });
+  libxmljs.parseXml(req.param("some-xml"), { noent: true }); // $ Alert
 });

-express().post('/some/path', function(req, res) {
+express().post('/some/path', function (req, res) {
  // NOT OK: unguarded entity expansion
-  libxmljs.parseXml(req.param("some-xml"), { noent: true });
+  libxmljs.parseXml(req.param("some-xml"), { noent: true }); // $ Alert

  // NOT OK: unguarded entity expansion
-  libxmljs.parseXmlString(req.param("some-xml"), {noent:true})
+  libxmljs.parseXmlString(req.param("some-xml"), { noent: true }) // $ Alert
  // NOT OK: unguarded entity expansion
-  libxmljs.parseXmlString(req.files.products.data.toString('utf8'), {noent:true})
-  
+  libxmljs.parseXmlString(req.files.products.data.toString('utf8'), { noent: true })// $ Source=files $ Alert=files
+
  // OK - no entity expansion
-  libxmljs.parseXmlString(req.files.products.data.toString('utf8'), {noent:false})
+  libxmljs.parseXmlString(req.files.products.data.toString('utf8'), { noent: false })
 });
--- a/javascript/ql/test/query-tests/Security/CWE-611/libxml.sax.js
+++ b/javascript/ql/test/query-tests/Security/CWE-611/libxml.sax.js
@@ -1,7 +1,7 @@
 const express = require('express');
 const libxmljs = require('libxmljs');

-express().get('/some/path', function(req) {
+express().get('/some/path', function (req) {
  const parser = new libxmljs.SaxParser();
-  parser.parseString(req.param("some-xml")); // NOT OK: the SAX parser expands external entities by default
+  parser.parseString(req.param("some-xml")); // $ Alert: the SAX parser expands external entities by default
 });
--- a/javascript/ql/test/query-tests/Security/CWE-611/libxml.saxpush.js
+++ b/javascript/ql/test/query-tests/Security/CWE-611/libxml.saxpush.js
@@ -1,7 +1,7 @@
 const express = require('express');
 const libxmljs = require('libxmljs');

-express().get('/some/path', function(req) {
+express().get('/some/path', function (req) {
  const parser = new libxmljs.SaxPushParser();
-  parser.push(req.param("some-xml"));  // NOT OK: the SAX parser expands external entities by default
+  parser.push(req.param("some-xml")); // $ Alert: the SAX parser expands external entities by default
 });
--- a/javascript/ql/test/testUtilities/InlineExpectationsTestQuery.ql
+++ b/javascript/ql/test/testUtilities/InlineExpectationsTestQuery.ql
@@ -0,0 +1,21 @@
+/**
+ * @kind test-postprocess
+ */
+
+private import javascript
+private import codeql.util.test.InlineExpectationsTest as T
+private import internal.InlineExpectationsTestImpl
+import T::TestPostProcessing
+import T::TestPostProcessing::Make<Impl, Input>
+
+private module Input implements T::TestPostProcessing::InputSig<Impl> {
+  string getRelativeUrl(Location location) {
+    exists(File f, int startline, int startcolumn, int endline, int endcolumn |
+      location.hasLocationInfo(_, startline, startcolumn, endline, endcolumn) and
+      f = location.getFile()
+    |
+      result =
+        f.getRelativePath() + ":" + startline + ":" + startcolumn + ":" + endline + ":" + endcolumn
+    )
+  }
+}
--- a/javascript/resources/tools/autobuild.cmd
+++ b/javascript/resources/tools/autobuild.cmd
@@ -6,7 +6,7 @@ set jvm_args=-Xss16m
 rem If CODEQL_RAM is set, use half for Java and half for TS.
 if NOT [%CODEQL_RAM%] == [] (
    set /a "half_ram=CODEQL_RAM/2"
-    set LGTM_TYPESCRIPT_RAM=%half_ram%
+    set LGTM_TYPESCRIPT_RAM=!half_ram!
    set jvm_args=!jvm_args! -Xmx!half_ram!m
 )