JS: Remove Buffer.from as sink for js/resource-exhaustion

2025-12-21 19:26:31 +01:00 · 2022-05-24 14:06:17 +02:00
parent 6781a76b96
commit db4b6d620a
3 changed files with 3 additions and 20 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll
@@ -81,8 +81,6 @@ module ResourceExhaustion {
        exists(string name |
          invk = clazz.getAMemberCall(name) and
          (
            name = "from" and index = 2 // the length argument
            or
            name = ["alloc", "allocUnsafe", "allocUnsafeSlow"] and index = 0 // the buffer size
          )
        )
--- a/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/ResourceExhaustion.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/ResourceExhaustion.expected
@@ -17,12 +17,6 @@ nodes
 | resource-exhaustion.js:6:7:6:21 | n |
 | resource-exhaustion.js:6:11:6:21 | parseInt(s) |
 | resource-exhaustion.js:6:20:6:20 | s |
 | resource-exhaustion.js:11:21:11:21 | s |
 | resource-exhaustion.js:11:21:11:21 | s |
 | resource-exhaustion.js:12:21:12:21 | n |
 | resource-exhaustion.js:12:21:12:21 | n |
 | resource-exhaustion.js:13:21:13:21 | n |
 | resource-exhaustion.js:13:21:13:21 | n |
 | resource-exhaustion.js:14:16:14:16 | n |
 | resource-exhaustion.js:14:16:14:16 | n |
 | resource-exhaustion.js:15:22:15:22 | n |
@@ -71,8 +65,6 @@ edges
 | documentaion-examples/ResourceExhaustion_timeout.js:5:33:5:39 | req.url | documentaion-examples/ResourceExhaustion_timeout.js:5:23:5:46 | url.par ... , true) |
 | documentaion-examples/ResourceExhaustion_timeout.js:5:33:5:39 | req.url | documentaion-examples/ResourceExhaustion_timeout.js:5:23:5:46 | url.par ... , true) |
 | resource-exhaustion.js:5:7:5:42 | s | resource-exhaustion.js:6:20:6:20 | s |
 | resource-exhaustion.js:5:7:5:42 | s | resource-exhaustion.js:11:21:11:21 | s |
 | resource-exhaustion.js:5:7:5:42 | s | resource-exhaustion.js:11:21:11:21 | s |
 | resource-exhaustion.js:5:7:5:42 | s | resource-exhaustion.js:35:12:35:12 | s |
 | resource-exhaustion.js:5:7:5:42 | s | resource-exhaustion.js:35:12:35:12 | s |
 | resource-exhaustion.js:5:7:5:42 | s | resource-exhaustion.js:82:17:82:17 | s |
@@ -84,10 +76,6 @@ edges
 | resource-exhaustion.js:5:11:5:42 | url.par ... query.s | resource-exhaustion.js:5:7:5:42 | s |
 | resource-exhaustion.js:5:21:5:27 | req.url | resource-exhaustion.js:5:11:5:34 | url.par ... , true) |
 | resource-exhaustion.js:5:21:5:27 | req.url | resource-exhaustion.js:5:11:5:34 | url.par ... , true) |
 | resource-exhaustion.js:6:7:6:21 | n | resource-exhaustion.js:12:21:12:21 | n |
 | resource-exhaustion.js:6:7:6:21 | n | resource-exhaustion.js:12:21:12:21 | n |
 | resource-exhaustion.js:6:7:6:21 | n | resource-exhaustion.js:13:21:13:21 | n |
 | resource-exhaustion.js:6:7:6:21 | n | resource-exhaustion.js:13:21:13:21 | n |
 | resource-exhaustion.js:6:7:6:21 | n | resource-exhaustion.js:14:16:14:16 | n |
 | resource-exhaustion.js:6:7:6:21 | n | resource-exhaustion.js:14:16:14:16 | n |
 | resource-exhaustion.js:6:7:6:21 | n | resource-exhaustion.js:15:22:15:22 | n |
@@ -124,9 +112,6 @@ edges
 | resource-exhaustion.js:6:20:6:20 | s | resource-exhaustion.js:6:11:6:21 | parseInt(s) |
 #select
 | documentaion-examples/ResourceExhaustion_timeout.js:7:16:7:20 | delay | documentaion-examples/ResourceExhaustion_timeout.js:5:33:5:39 | req.url | documentaion-examples/ResourceExhaustion_timeout.js:7:16:7:20 | delay | This creates a timer with a user-controlled duration from $@. | documentaion-examples/ResourceExhaustion_timeout.js:5:33:5:39 | req.url | here |
 | resource-exhaustion.js:11:21:11:21 | s | resource-exhaustion.js:5:21:5:27 | req.url | resource-exhaustion.js:11:21:11:21 | s | This creates a buffer with a user-controlled size from $@. | resource-exhaustion.js:5:21:5:27 | req.url | here |
 | resource-exhaustion.js:12:21:12:21 | n | resource-exhaustion.js:5:21:5:27 | req.url | resource-exhaustion.js:12:21:12:21 | n | This creates a buffer with a user-controlled size from $@. | resource-exhaustion.js:5:21:5:27 | req.url | here |
 | resource-exhaustion.js:13:21:13:21 | n | resource-exhaustion.js:5:21:5:27 | req.url | resource-exhaustion.js:13:21:13:21 | n | This creates a buffer with a user-controlled size from $@. | resource-exhaustion.js:5:21:5:27 | req.url | here |
 | resource-exhaustion.js:14:16:14:16 | n | resource-exhaustion.js:5:21:5:27 | req.url | resource-exhaustion.js:14:16:14:16 | n | This creates a buffer with a user-controlled size from $@. | resource-exhaustion.js:5:21:5:27 | req.url | here |
 | resource-exhaustion.js:15:22:15:22 | n | resource-exhaustion.js:5:21:5:27 | req.url | resource-exhaustion.js:15:22:15:22 | n | This creates a buffer with a user-controlled size from $@. | resource-exhaustion.js:5:21:5:27 | req.url | here |
 | resource-exhaustion.js:16:26:16:26 | n | resource-exhaustion.js:5:21:5:27 | req.url | resource-exhaustion.js:16:26:16:26 | n | This creates a buffer with a user-controlled size from $@. | resource-exhaustion.js:5:21:5:27 | req.url | here |
--- a/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/resource-exhaustion.js
+++ b/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/resource-exhaustion.js
@@ -8,9 +8,9 @@ var server = http.createServer(function(req, res) {
  Buffer.from(s); // OK
  Buffer.from(n); // OK
  Buffer.from(x, n); // OK
-  Buffer.from(x, y, s); // NOT OK
+  Buffer.from(x, y, s); // OK - does not allocate memory
-  Buffer.from(x, y, n); // NOT OK
+  Buffer.from(x, y, n); // OK - does not allocate memory
-  Buffer.from(x, y, n); // NOT OK
+  Buffer.from(x, y, n); // OK - does not allocate memory
  Buffer.alloc(n); // NOT OK
  Buffer.allocUnsafe(n); // NOT OK
  Buffer.allocUnsafeSlow(n); // NOT OK