Merge pull request #10378 from erik-krogh/aliasFlow

JS: expand localFieldStep to use access-paths, and build access-paths in more cases
2026-05-02 12:15:17 +02:00 · 2022-11-08 14:26:12 +01:00
parent 552c5249ac fc38bf0429
commit e01cbb2ffa
7 changed files with 297 additions and 3 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected
@@ -170,6 +170,10 @@ nodes
 | lib/lib.js:277:23:277:26 | opts |
 | lib/lib.js:277:23:277:30 | opts.bla |
 | lib/lib.js:277:23:277:30 | opts.bla |
+| lib/lib.js:279:19:279:22 | opts |
+| lib/lib.js:279:19:279:26 | opts.bla |
+| lib/lib.js:281:23:281:35 | this.opts.bla |
+| lib/lib.js:281:23:281:35 | this.opts.bla |
 | lib/lib.js:307:39:307:42 | name |
 | lib/lib.js:307:39:307:42 | name |
 | lib/lib.js:308:23:308:26 | name |
@@ -504,8 +508,13 @@ edges
 | lib/lib.js:268:22:268:24 | obj | lib/lib.js:268:22:268:32 | obj.version |
 | lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:26 | opts |
 | lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:26 | opts |
+| lib/lib.js:276:8:276:11 | opts | lib/lib.js:279:19:279:22 | opts |
+| lib/lib.js:276:8:276:11 | opts | lib/lib.js:279:19:279:22 | opts |
 | lib/lib.js:277:23:277:26 | opts | lib/lib.js:277:23:277:30 | opts.bla |
 | lib/lib.js:277:23:277:26 | opts | lib/lib.js:277:23:277:30 | opts.bla |
+| lib/lib.js:279:19:279:22 | opts | lib/lib.js:279:19:279:26 | opts.bla |
+| lib/lib.js:279:19:279:26 | opts.bla | lib/lib.js:281:23:281:35 | this.opts.bla |
+| lib/lib.js:279:19:279:26 | opts.bla | lib/lib.js:281:23:281:35 | this.opts.bla |
 | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
 | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
 | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name |
@@ -714,6 +723,7 @@ edges
 | lib/lib.js:261:11:261:33 | "rm -rf ...  + name | lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:257:35:257:38 | name | library input | lib/lib.js:261:3:261:34 | cp.exec ... + name) | shell command |
 | lib/lib.js:268:10:268:32 | "rm -rf ... version | lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:32 | obj.version | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:267:46:267:48 | obj | library input | lib/lib.js:268:2:268:33 | cp.exec ... ersion) | shell command |
 | lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:30 | opts.bla | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:276:8:276:11 | opts | library input | lib/lib.js:277:3:277:31 | cp.exec ... ts.bla) | shell command |
+| lib/lib.js:281:11:281:35 | "rm -rf ... pts.bla | lib/lib.js:276:8:276:11 | opts | lib/lib.js:281:23:281:35 | this.opts.bla | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:276:8:276:11 | opts | library input | lib/lib.js:281:3:281:36 | cp.exec ... ts.bla) | shell command |
 | lib/lib.js:308:11:308:26 | "rm -rf " + name | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:307:39:307:42 | name | library input | lib/lib.js:308:3:308:27 | cp.exec ... + name) | shell command |
 | lib/lib.js:315:10:315:25 | "rm -rf " + name | lib/lib.js:314:40:314:43 | name | lib/lib.js:315:22:315:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:314:40:314:43 | name | library input | lib/lib.js:315:2:315:26 | cp.exec ... + name) | shell command |
 | lib/lib.js:320:11:320:26 | "rm -rf " + name | lib/lib.js:314:40:314:43 | name | lib/lib.js:320:23:320:26 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:314:40:314:43 | name | library input | lib/lib.js:320:3:320:27 | cp.exec ... + name) | shell command |
--- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js
@@ -278,7 +278,7 @@ module.exports.Foo = class Foo {
 		this.opts = {};
 		this.opts.bla = opts.bla

-		cp.exec("rm -rf " + this.opts.bla); // NOT OK - but FN [INCONSISTENCY]
+		cp.exec("rm -rf " + this.opts.bla); // NOT OK
 	}
 }

--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/UnsafeCodeConstruction.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/UnsafeCodeConstruction.expected
@@ -15,6 +15,41 @@ nodes
 | lib/index.js:19:26:19:29 | data |
 | lib/index.js:22:7:22:10 | data |
 | lib/index.js:22:7:22:10 | data |
+| lib/index.js:41:32:41:35 | opts |
+| lib/index.js:41:32:41:35 | opts |
+| lib/index.js:42:3:42:19 | opts |
+| lib/index.js:42:10:42:13 | opts |
+| lib/index.js:42:10:42:19 | opts \|\| {} |
+| lib/index.js:44:21:44:24 | opts |
+| lib/index.js:44:21:44:32 | opts.varName |
+| lib/index.js:51:21:51:32 | opts.varName |
+| lib/index.js:51:21:51:32 | opts.varName |
+| lib/index.js:51:21:51:32 | opts.varName |
+| lib/index.js:86:15:86:19 | taint |
+| lib/index.js:86:15:86:19 | taint |
+| lib/index.js:87:18:87:22 | taint |
+| lib/index.js:89:36:89:40 | taint |
+| lib/index.js:93:32:93:36 | taint |
+| lib/index.js:98:30:98:34 | taint |
+| lib/index.js:103:21:103:47 | this.op ... dOption |
+| lib/index.js:103:21:103:47 | this.op ... dOption |
+| lib/index.js:104:21:104:47 | this.op ... dOption |
+| lib/index.js:104:21:104:47 | this.op ... dOption |
+| lib/index.js:105:21:105:47 | this.op ... dOption |
+| lib/index.js:105:21:105:47 | this.op ... dOption |
+| lib/index.js:106:21:106:30 | this.taint |
+| lib/index.js:106:21:106:30 | this.taint |
+| lib/index.js:112:17:112:21 | taint |
+| lib/index.js:112:17:112:21 | taint |
+| lib/index.js:113:20:113:24 | taint |
+| lib/index.js:121:34:121:38 | taint |
+| lib/index.js:129:32:129:36 | taint |
+| lib/index.js:136:23:136:49 | this.op ... dOption |
+| lib/index.js:136:23:136:49 | this.op ... dOption |
+| lib/index.js:137:23:137:49 | this.op ... dOption |
+| lib/index.js:137:23:137:49 | this.op ... dOption |
+| lib/index.js:138:23:138:32 | this.taint |
+| lib/index.js:138:23:138:32 | this.taint |
 edges
 | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
 | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
@@ -32,8 +67,53 @@ edges
 | lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data |
 | lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data |
 | lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data |
+| lib/index.js:41:32:41:35 | opts | lib/index.js:42:10:42:13 | opts |
+| lib/index.js:41:32:41:35 | opts | lib/index.js:42:10:42:13 | opts |
+| lib/index.js:42:3:42:19 | opts | lib/index.js:44:21:44:24 | opts |
+| lib/index.js:42:10:42:13 | opts | lib/index.js:42:10:42:19 | opts \|\| {} |
+| lib/index.js:42:10:42:19 | opts \|\| {} | lib/index.js:42:3:42:19 | opts |
+| lib/index.js:44:21:44:24 | opts | lib/index.js:44:21:44:32 | opts.varName |
+| lib/index.js:44:21:44:32 | opts.varName | lib/index.js:51:21:51:32 | opts.varName |
+| lib/index.js:44:21:44:32 | opts.varName | lib/index.js:51:21:51:32 | opts.varName |
+| lib/index.js:44:21:44:32 | opts.varName | lib/index.js:51:21:51:32 | opts.varName |
+| lib/index.js:86:15:86:19 | taint | lib/index.js:87:18:87:22 | taint |
+| lib/index.js:86:15:86:19 | taint | lib/index.js:87:18:87:22 | taint |
+| lib/index.js:86:15:86:19 | taint | lib/index.js:89:36:89:40 | taint |
+| lib/index.js:86:15:86:19 | taint | lib/index.js:89:36:89:40 | taint |
+| lib/index.js:86:15:86:19 | taint | lib/index.js:93:32:93:36 | taint |
+| lib/index.js:86:15:86:19 | taint | lib/index.js:93:32:93:36 | taint |
+| lib/index.js:86:15:86:19 | taint | lib/index.js:98:30:98:34 | taint |
+| lib/index.js:86:15:86:19 | taint | lib/index.js:98:30:98:34 | taint |
+| lib/index.js:87:18:87:22 | taint | lib/index.js:106:21:106:30 | this.taint |
+| lib/index.js:87:18:87:22 | taint | lib/index.js:106:21:106:30 | this.taint |
+| lib/index.js:89:36:89:40 | taint | lib/index.js:103:21:103:47 | this.op ... dOption |
+| lib/index.js:89:36:89:40 | taint | lib/index.js:103:21:103:47 | this.op ... dOption |
+| lib/index.js:93:32:93:36 | taint | lib/index.js:104:21:104:47 | this.op ... dOption |
+| lib/index.js:93:32:93:36 | taint | lib/index.js:104:21:104:47 | this.op ... dOption |
+| lib/index.js:98:30:98:34 | taint | lib/index.js:105:21:105:47 | this.op ... dOption |
+| lib/index.js:98:30:98:34 | taint | lib/index.js:105:21:105:47 | this.op ... dOption |
+| lib/index.js:112:17:112:21 | taint | lib/index.js:113:20:113:24 | taint |
+| lib/index.js:112:17:112:21 | taint | lib/index.js:113:20:113:24 | taint |
+| lib/index.js:112:17:112:21 | taint | lib/index.js:121:34:121:38 | taint |
+| lib/index.js:112:17:112:21 | taint | lib/index.js:121:34:121:38 | taint |
+| lib/index.js:112:17:112:21 | taint | lib/index.js:129:32:129:36 | taint |
+| lib/index.js:112:17:112:21 | taint | lib/index.js:129:32:129:36 | taint |
+| lib/index.js:113:20:113:24 | taint | lib/index.js:138:23:138:32 | this.taint |
+| lib/index.js:113:20:113:24 | taint | lib/index.js:138:23:138:32 | this.taint |
+| lib/index.js:121:34:121:38 | taint | lib/index.js:136:23:136:49 | this.op ... dOption |
+| lib/index.js:121:34:121:38 | taint | lib/index.js:136:23:136:49 | this.op ... dOption |
+| lib/index.js:129:32:129:36 | taint | lib/index.js:137:23:137:49 | this.op ... dOption |
+| lib/index.js:129:32:129:36 | taint | lib/index.js:137:23:137:49 | this.op ... dOption |
 #select
 | lib/index.js:2:21:2:24 | data | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data | This string concatenation which depends on $@ is later $@. | lib/index.js:1:35:1:38 | data | library input | lib/index.js:2:15:2:30 | "(" + data + ")" | interpreted as code |
 | lib/index.js:6:26:6:29 | name | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name | This string concatenation which depends on $@ is later $@. | lib/index.js:5:35:5:38 | name | library input | lib/index.js:6:17:6:29 | "obj." + name | interpreted as code |
 | lib/index.js:14:21:14:24 | data | lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data | This string concatenation which depends on $@ is later $@. | lib/index.js:13:38:13:41 | data | library input | lib/index.js:14:15:14:30 | "(" + data + ")" | interpreted as code |
 | lib/index.js:22:7:22:10 | data | lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data | This string concatenation which depends on $@ is later $@. | lib/index.js:19:26:19:29 | data | library input | lib/index.js:25:24:25:26 | str | interpreted as code |
+| lib/index.js:51:21:51:32 | opts.varName | lib/index.js:41:32:41:35 | opts | lib/index.js:51:21:51:32 | opts.varName | This string concatenation which depends on $@ is later $@. | lib/index.js:41:32:41:35 | opts | library input | lib/index.js:51:10:51:52 | "  var  ... ing();" | interpreted as code |
+| lib/index.js:103:21:103:47 | this.op ... dOption | lib/index.js:86:15:86:19 | taint | lib/index.js:103:21:103:47 | this.op ... dOption | This string concatenation which depends on $@ is later $@. | lib/index.js:86:15:86:19 | taint | library input | lib/index.js:103:10:103:67 | "  var  ... ing();" | interpreted as code |
+| lib/index.js:104:21:104:47 | this.op ... dOption | lib/index.js:86:15:86:19 | taint | lib/index.js:104:21:104:47 | this.op ... dOption | This string concatenation which depends on $@ is later $@. | lib/index.js:86:15:86:19 | taint | library input | lib/index.js:104:10:104:67 | "  var  ... ing();" | interpreted as code |
+| lib/index.js:105:21:105:47 | this.op ... dOption | lib/index.js:86:15:86:19 | taint | lib/index.js:105:21:105:47 | this.op ... dOption | This string concatenation which depends on $@ is later $@. | lib/index.js:86:15:86:19 | taint | library input | lib/index.js:105:10:105:67 | "  var  ... ing();" | interpreted as code |
+| lib/index.js:106:21:106:30 | this.taint | lib/index.js:86:15:86:19 | taint | lib/index.js:106:21:106:30 | this.taint | This string concatenation which depends on $@ is later $@. | lib/index.js:86:15:86:19 | taint | library input | lib/index.js:106:10:106:50 | "  var  ... ing();" | interpreted as code |
+| lib/index.js:136:23:136:49 | this.op ... dOption | lib/index.js:112:17:112:21 | taint | lib/index.js:136:23:136:49 | this.op ... dOption | This string concatenation which depends on $@ is later $@. | lib/index.js:112:17:112:21 | taint | library input | lib/index.js:136:12:136:69 | "  var  ... ing();" | interpreted as code |
+| lib/index.js:137:23:137:49 | this.op ... dOption | lib/index.js:112:17:112:21 | taint | lib/index.js:137:23:137:49 | this.op ... dOption | This string concatenation which depends on $@ is later $@. | lib/index.js:112:17:112:21 | taint | library input | lib/index.js:137:12:137:69 | "  var  ... ing();" | interpreted as code |
+| lib/index.js:138:23:138:32 | this.taint | lib/index.js:112:17:112:21 | taint | lib/index.js:138:23:138:32 | this.taint | This string concatenation which depends on $@ is later $@. | lib/index.js:112:17:112:21 | taint | library input | lib/index.js:138:12:138:52 | "  var  ... ing();" | interpreted as code |
--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js
@@ -33,3 +33,109 @@ export function greySink(data) {
        }
    });
 }
+
+function codeIsAlive() {
+  new Template().compile();
+}
+
+export function Template(text, opts) {
+  opts = opts || {};
+  var options = {};
+  options.varName = opts.varName;
+  this.opts = options;
+}
+
+Template.prototype = {
+  compile: function () {
+    var opts = this.opts;
+    eval("  var " + opts.varName + " = something();"); // NOT OK
+  },
+  // The below are justs tests that ensure the global-access-path computations terminate.
+  pathsTerminate1: function (node, prev) {
+    node.tree = {
+      ancestor: node,
+      number: rand ? prev.tree.number + 1 : 0,
+    };
+  },
+  pathsTerminate2: function (A) {
+    try {
+      var B = A.p1;
+      var C = B.p2;
+      C.p5 = C;
+    } catch (ex) {}
+  },
+  pathsTerminate3: function (A) {
+    var x = foo();
+    while (Math.random()) {
+      x.r = x;
+    }
+  },
+  pathsTerminate4: function () {
+    var dest = foo();
+    var range = foo();
+    while (Math.random() < 0.5) {
+      range.tabstop = dest;
+      if (Math.random() < 0.5) {
+        dest.firstNonLinked = range;
+      }
+    }
+  },
+};
+
+export class AccessPathClass {
+  constructor(taint) {
+    this.taint = taint;
+
+    var options1 = {taintedOption: taint};
+    this.options1 = options1;
+
+    var options2;
+    options2 = {taintedOption: taint};
+    this.options2 = options2;
+
+    var options3;
+    options3 = {};
+    options3.taintedOption = taint;
+    this.options3 = options3;
+  }
+
+  doesTaint() {
+    eval("  var " + this.options1.taintedOption + " = something();"); // NOT OK
+    eval("  var " + this.options2.taintedOption + " = something();"); // NOT OK
+    eval("  var " + this.options3.taintedOption + " = something();"); // NOT OK
+    eval("  var " + this.taint + " = something();"); // NOT OK
+  }
+}
+
+
+export class AccessPathClassBB {
+    constructor(taint) {
+      this.taint = taint;
+  
+      var options1 = {taintedOption: taint};
+      if (Math.random() < 0.5) { console.log("foo"); }
+      this.options1 = options1;
+  
+      var options2;
+      if (Math.random() < 0.5) { console.log("foo"); }
+      options2 = {taintedOption: taint};
+      if (Math.random() < 0.5) { console.log("foo"); }
+      this.options2 = options2;
+  
+      var options3;
+      if (Math.random() < 0.5) { console.log("foo"); }
+      options3 = {};
+      if (Math.random() < 0.5) { console.log("foo"); }
+      options3.taintedOption = taint;
+      if (Math.random() < 0.5) { console.log("foo"); }
+      this.options3 = options3;
+    }
+  
+    doesTaint() {
+      eval("  var " + this.options1.taintedOption + " = something();"); // NOT OK
+      eval("  var " + this.options2.taintedOption + " = something();"); // NOT OK
+      eval("  var " + this.options3.taintedOption + " = something();"); // NOT OK
+      eval("  var " + this.taint + " = something();"); // NOT OK
+    }
+  }
+  
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected
@@ -248,7 +248,9 @@ edges
 | lib.js:55:15:55:21 | path[0] | lib.js:55:11:55:22 | obj[path[0]] |
 | lib.js:59:18:59:18 | s | lib.js:61:17:61:17 | s |
 | lib.js:59:18:59:18 | s | lib.js:61:17:61:17 | s |
+| lib.js:61:17:61:17 | s | lib.js:68:11:68:26 | path |
 | lib.js:61:17:61:17 | s | lib.js:68:18:68:26 | this.path |
+| lib.js:61:17:61:17 | s | lib.js:70:17:70:20 | path |
 | lib.js:68:11:68:26 | path | lib.js:70:17:70:20 | path |
 | lib.js:68:18:68:26 | this.path | lib.js:68:11:68:26 | path |
 | lib.js:70:17:70:20 | path | lib.js:70:17:70:23 | path[0] |