Add Flow Labels

2026-04-26 17:25:19 +02:00 · 2023-11-22 19:50:16 +01:00
parent acac534ed0
commit d661f7f482
3 changed files with 89 additions and 36 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsPermissiveConfigurationCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsPermissiveConfigurationCustomizations.qll
@@ -28,9 +28,28 @@ module CorsPermissiveConfiguration {
    RemoteFlowSourceAsSource() { not this instanceof ClientSideRemoteFlowSource }
  }

-  /** An overfly permissive value for `origin` */
-  class BadValues extends Source {
-    BadValues() { this.mayHaveBooleanValue(true) or this.asExpr() instanceof NullLiteral }
+  /** A flow label representing `true` and `null` values. */
+  abstract class TrueAndNull extends DataFlow::FlowLabel {
+    TrueAndNull() { this = "TrueAndNull" }
+  }
+
+  TrueAndNull truenullLabel() { any() }
+
+  /** A flow label representing `*` value. */
+  abstract class Wildcard extends DataFlow::FlowLabel {
+    Wildcard() { this = "Wildcard" }
+  }
+
+  Wildcard wildcardLabel() { any() }
+
+  /** An overly permissive value for `origin` (Apollo) */
+  class TrueNullValue extends Source {
+    TrueNullValue() { this.mayHaveBooleanValue(true) or this.asExpr() instanceof NullLiteral }
+  }
+
+  /** An overly permissive value for `origin` (Express) */
+  class WildcardValue extends Source {
+    WildcardValue() { this.mayHaveStringValue("*") }
  }

  /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsPermissiveConfigurationQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsPermissiveConfigurationQuery.qll
@@ -17,12 +17,30 @@ import CorsPermissiveConfigurationCustomizations::CorsPermissiveConfiguration
 class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "CorsPermissiveConfiguration" }

-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+  override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+    source instanceof TrueNullValue and label = truenullLabel()
+    or
+    source instanceof WildcardValue and label = wildcardLabel()
+    or
+    source instanceof RemoteFlowSource and label = DataFlow::FlowLabel::taint()
+  }

-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+  override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+    sink instanceof CorsApolloServer and label = [DataFlow::FlowLabel::taint(), truenullLabel()]
+    or
+    sink instanceof ExpressCors and label = [DataFlow::FlowLabel::taint(), wildcardLabel()]
+  }

  override predicate isSanitizer(DataFlow::Node node) {
    super.isSanitizer(node) or
    node instanceof Sanitizer
  }
 }
+
+private class WildcardActivated extends DataFlow::FlowLabel, Wildcard {
+  WildcardActivated() { this = this }
+}
+
+private class TrueAndNullActivated extends DataFlow::FlowLabel, TrueAndNull {
+  TrueAndNullActivated() { this = this }
+}
--- a/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.expected
+++ b/javascript/ql/test/experimental/Security/CWE-942/CorsPermissiveConfiguration.expected
@@ -1,34 +1,50 @@
 nodes
-| tst.js:8:9:8:59 | user_origin |
-| tst.js:8:23:8:46 | url.par ... , true) |
-| tst.js:8:23:8:52 | url.par ... ).query |
-| tst.js:8:23:8:59 | url.par ... .origin |
-| tst.js:8:33:8:39 | req.url |
-| tst.js:8:33:8:39 | req.url |
-| tst.js:8:42:8:45 | true |
-| tst.js:8:42:8:45 | true |
-| tst.js:11:25:11:28 | true |
-| tst.js:11:25:11:28 | true |
-| tst.js:11:25:11:28 | true |
-| tst.js:21:25:21:28 | null |
-| tst.js:21:25:21:28 | null |
-| tst.js:21:25:21:28 | null |
-| tst.js:26:25:26:35 | user_origin |
-| tst.js:26:25:26:35 | user_origin |
+| apollo-test.js:8:9:8:59 | user_origin |
+| apollo-test.js:8:23:8:46 | url.par ... , true) |
+| apollo-test.js:8:23:8:52 | url.par ... ).query |
+| apollo-test.js:8:23:8:59 | url.par ... .origin |
+| apollo-test.js:8:33:8:39 | req.url |
+| apollo-test.js:8:33:8:39 | req.url |
+| apollo-test.js:11:25:11:28 | true |
+| apollo-test.js:11:25:11:28 | true |
+| apollo-test.js:11:25:11:28 | true |
+| apollo-test.js:21:25:21:28 | null |
+| apollo-test.js:21:25:21:28 | null |
+| apollo-test.js:21:25:21:28 | null |
+| apollo-test.js:26:25:26:35 | user_origin |
+| apollo-test.js:26:25:26:35 | user_origin |
+| express-test.js:10:9:10:59 | user_origin |
+| express-test.js:10:23:10:46 | url.par ... , true) |
+| express-test.js:10:23:10:52 | url.par ... ).query |
+| express-test.js:10:23:10:59 | url.par ... .origin |
+| express-test.js:10:33:10:39 | req.url |
+| express-test.js:10:33:10:39 | req.url |
+| express-test.js:26:17:26:19 | '*' |
+| express-test.js:26:17:26:19 | '*' |
+| express-test.js:26:17:26:19 | '*' |
+| express-test.js:33:17:33:27 | user_origin |
+| express-test.js:33:17:33:27 | user_origin |
 edges
-| tst.js:8:9:8:59 | user_origin | tst.js:26:25:26:35 | user_origin |
-| tst.js:8:9:8:59 | user_origin | tst.js:26:25:26:35 | user_origin |
-| tst.js:8:23:8:46 | url.par ... , true) | tst.js:8:23:8:52 | url.par ... ).query |
-| tst.js:8:23:8:52 | url.par ... ).query | tst.js:8:23:8:59 | url.par ... .origin |
-| tst.js:8:23:8:59 | url.par ... .origin | tst.js:8:9:8:59 | user_origin |
-| tst.js:8:33:8:39 | req.url | tst.js:8:23:8:46 | url.par ... , true) |
-| tst.js:8:33:8:39 | req.url | tst.js:8:23:8:46 | url.par ... , true) |
-| tst.js:8:42:8:45 | true | tst.js:8:23:8:46 | url.par ... , true) |
-| tst.js:8:42:8:45 | true | tst.js:8:23:8:46 | url.par ... , true) |
-| tst.js:11:25:11:28 | true | tst.js:11:25:11:28 | true |
-| tst.js:21:25:21:28 | null | tst.js:21:25:21:28 | null |
+| apollo-test.js:8:9:8:59 | user_origin | apollo-test.js:26:25:26:35 | user_origin |
+| apollo-test.js:8:9:8:59 | user_origin | apollo-test.js:26:25:26:35 | user_origin |
+| apollo-test.js:8:23:8:46 | url.par ... , true) | apollo-test.js:8:23:8:52 | url.par ... ).query |
+| apollo-test.js:8:23:8:52 | url.par ... ).query | apollo-test.js:8:23:8:59 | url.par ... .origin |
+| apollo-test.js:8:23:8:59 | url.par ... .origin | apollo-test.js:8:9:8:59 | user_origin |
+| apollo-test.js:8:33:8:39 | req.url | apollo-test.js:8:23:8:46 | url.par ... , true) |
+| apollo-test.js:8:33:8:39 | req.url | apollo-test.js:8:23:8:46 | url.par ... , true) |
+| apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true |
+| apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null |
+| express-test.js:10:9:10:59 | user_origin | express-test.js:33:17:33:27 | user_origin |
+| express-test.js:10:9:10:59 | user_origin | express-test.js:33:17:33:27 | user_origin |
+| express-test.js:10:23:10:46 | url.par ... , true) | express-test.js:10:23:10:52 | url.par ... ).query |
+| express-test.js:10:23:10:52 | url.par ... ).query | express-test.js:10:23:10:59 | url.par ... .origin |
+| express-test.js:10:23:10:59 | url.par ... .origin | express-test.js:10:9:10:59 | user_origin |
+| express-test.js:10:33:10:39 | req.url | express-test.js:10:23:10:46 | url.par ... , true) |
+| express-test.js:10:33:10:39 | req.url | express-test.js:10:23:10:46 | url.par ... , true) |
+| express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' |
 #select
-| tst.js:11:25:11:28 | true | tst.js:11:25:11:28 | true | tst.js:11:25:11:28 | true | CORS Origin misconfiguration due to a $@. | tst.js:11:25:11:28 | true | too permissive or user controlled value |
-| tst.js:21:25:21:28 | null | tst.js:21:25:21:28 | null | tst.js:21:25:21:28 | null | CORS Origin misconfiguration due to a $@. | tst.js:21:25:21:28 | null | too permissive or user controlled value |
-| tst.js:26:25:26:35 | user_origin | tst.js:8:33:8:39 | req.url | tst.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | tst.js:8:33:8:39 | req.url | too permissive or user controlled value |
-| tst.js:26:25:26:35 | user_origin | tst.js:8:42:8:45 | true | tst.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | tst.js:8:42:8:45 | true | too permissive or user controlled value |
+| apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | CORS Origin misconfiguration due to a $@. | apollo-test.js:11:25:11:28 | true | too permissive or user controlled value |
+| apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | CORS Origin misconfiguration due to a $@. | apollo-test.js:21:25:21:28 | null | too permissive or user controlled value |
+| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:33:8:39 | req.url | apollo-test.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | apollo-test.js:8:33:8:39 | req.url | too permissive or user controlled value |
+| express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | CORS Origin misconfiguration due to a $@. | express-test.js:26:17:26:19 | '*' | too permissive or user controlled value |
+| express-test.js:33:17:33:27 | user_origin | express-test.js:10:33:10:39 | req.url | express-test.js:33:17:33:27 | user_origin | CORS Origin misconfiguration due to a $@. | express-test.js:10:33:10:39 | req.url | too permissive or user controlled value |