Merge branch 'main' into js/shared-dataflow

javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.inc.qhelp

@@ -0,0 +1,48 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Directly evaluating user input (for example, an HTTP request parameter) as code without properly
+sanitizing the input first allows an attacker arbitrary code execution. This can occur when user
+input is treated as JavaScript, or passed to a framework which interprets it as an expression to be
+evaluated. Examples include AngularJS expressions or JQuery selectors.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Avoid including user input in any expression which may be dynamically evaluated. If user input must
+be included, use context-specific escaping before
+including it. It is important that the correct escaping is used for the type of evaluation that will
+occur.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows part of the page URL being evaluated as JavaScript code on the server. This allows an
+attacker to provide JavaScript within the URL and send it to server. client side attacks need victim users interaction 
+like clicking on a attacker provided URL.
+</p>
+
+<sample src="examples/CodeInjection.js" />
+
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Code_Injection">Code Injection</a>.
+</li>
+<li>
+Wikipedia: <a href="https://en.wikipedia.org/wiki/Code_injection">Code Injection</a>.
+</li>
+<li>
+PortSwigger Research Blog:
+<a href="https://portswigger.net/research/server-side-template-injection">Server-Side Template Injection</a>.
+</li>
+</references>
+</qhelp>

javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.qhelp

@@ -0,0 +1,6 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+<include src="CodeInjection.inc.qhelp" />
+</qhelp>

javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.ql

@@ -0,0 +1,89 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user arbitrary
+ *              code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.3
+ * @precision high
+ * @id js/code-injection-dynamic-import
+ * @tags security
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import javascript
+import DataFlow
+import DataFlow::PathGraph
+
+abstract class Sanitizer extends DataFlow::Node { }
+
+/** A non-first leaf in a string-concatenation. Seen as a sanitizer for dynamic import code injection. */
+class NonFirstStringConcatLeaf extends Sanitizer {
+  NonFirstStringConcatLeaf() {
+    exists(StringOps::ConcatenationRoot root |
+      this = root.getALeaf() and
+      not this = root.getFirstLeaf()
+    )
+    or
+    exists(DataFlow::CallNode join |
+      join = DataFlow::moduleMember("path", "join").getACall() and
+      this = join.getArgument([1 .. join.getNumArgument() - 1])
+    )
+  }
+}
+
+/**
+ * The dynamic import expression input can be a `data:` URL which loads any module from that data
+ */
+class DynamicImport extends DataFlow::ExprNode {
+  DynamicImport() { this = any(DynamicImportExpr e).getSource().flow() }
+}
+
+/**
+ * The dynamic import expression input can be a `data:` URL which loads any module from that data
+ */
+class WorkerThreads extends DataFlow::Node {
+  WorkerThreads() {
+    this = API::moduleImport("node:worker_threads").getMember("Worker").getParameter(0).asSink()
+  }
+}
+
+class UrlConstructorLabel extends FlowLabel {
+  UrlConstructorLabel() { this = "UrlConstructorLabel" }
+}
+
+/**
+ * A taint-tracking configuration for reasoning about code injection vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "CodeInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof DynamicImport }
+
+  override predicate isSink(DataFlow::Node sink, FlowLabel label) {
+    sink instanceof WorkerThreads and label instanceof UrlConstructorLabel
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+
+  override predicate isAdditionalFlowStep(
+    DataFlow::Node pred, DataFlow::Node succ, FlowLabel predlbl, FlowLabel succlbl
+  ) {
+    exists(DataFlow::NewNode newUrl | succ = newUrl |
+      newUrl = DataFlow::globalVarRef("URL").getAnInstantiation() and
+      pred = newUrl.getArgument(0)
+    ) and
+    predlbl instanceof StandardFlowLabel and
+    succlbl instanceof UrlConstructorLabel
+  }
+}
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This command line depends on a $@.", source.getNode(),
+  "user-provided value"

javascript/ql/src/experimental/Security/CWE-094-dataURL/examples/CodeInjection.js

@@ -0,0 +1,14 @@
+const { Worker } = require('node:worker_threads');
+var app = require('express')();
+
+app.post('/path', async function (req, res) {
+    const payload = req.query.queryParameter // like:  payload = 'data:text/javascript,console.log("hello!");//'
+    const payloadURL = new URL(payload)
+    new Worker(payloadURL);
+});
+
+app.post('/path2', async function (req, res) {
+    const payload = req.query.queryParameter // like:  payload = 'data:text/javascript,console.log("hello!");//'
+    await import(payload)
+});
+

javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.qhelp

@@ -0,0 +1,36 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+	<overview>
+
+		<p>
+			Controlling the value of arbitrary environment variables from user-controllable data is not safe.
+		</p>
+
+	</overview>
+
+	<recommendation>
+
+		<p>
+			Restrict this operation only to privileged users or only for some not important environment variables.
+		</p>
+
+	</recommendation>
+
+	<example>
+
+		<p>
+			The following example allows unauthorized users to assign a value to any environment variable.
+		</p>
+
+		<sample src="examples/Bad_Value_And_Key_Assignment.js" />
+
+	</example>
+
+	<references>
+		<li> <a href="https://huntr.com/bounties/00ec6847-125b-43e9-9658-d3cace1751d6/">Admin account TakeOver in mintplex-labs/anything-llm</a></li>
+	</references>
+
+</qhelp>

javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql

@@ -0,0 +1,69 @@
+/**
+ * @name User controlled arbitrary environment variable injection
+ * @description creating arbitrary environment variables from user controlled data is not secure
+ * @kind path-problem
+ * @id js/env-key-and-value-injection
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision medium
+ * @tags security
+ *       external/cwe/cwe-089
+ */
+
+import javascript
+import DataFlow::PathGraph
+
+/** A taint tracking configuration for unsafe environment injection. */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "envInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = keyOfEnv() or
+    sink = valueOfEnv()
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::InvokeNode ikn |
+      ikn = DataFlow::globalVarRef("Object").getAMemberInvocation("keys")
+    |
+      pred = ikn.getArgument(0) and
+      (
+        succ = ikn.getAChainedMethodCall(["filter", "map"]) or
+        succ = ikn or
+        succ = ikn.getAChainedMethodCall("forEach").getABoundCallbackParameter(0, 0)
+      )
+    )
+  }
+}
+
+DataFlow::Node keyOfEnv() {
+  result =
+    NodeJSLib::process().getAPropertyRead("env").getAPropertyWrite().getPropertyNameExpr().flow()
+}
+
+DataFlow::Node valueOfEnv() {
+  result = API::moduleImport("process").getMember("env").getAMember().asSink()
+}
+
+private predicate readToProcessEnv(DataFlow::Node envKey, DataFlow::Node envValue) {
+  exists(DataFlow::PropWrite env |
+    env = NodeJSLib::process().getAPropertyRead("env").getAPropertyWrite()
+  |
+    envKey = env.getPropertyNameExpr().flow() and
+    envValue = env.getRhs()
+  )
+}
+
+from
+  Configuration cfgForValue, Configuration cfgForKey, DataFlow::PathNode source,
+  DataFlow::PathNode envKey, DataFlow::PathNode envValue
+where
+  cfgForValue.hasFlowPath(source, envKey) and
+  envKey.getNode() = keyOfEnv() and
+  cfgForKey.hasFlowPath(source, envValue) and
+  envValue.getNode() = valueOfEnv() and
+  readToProcessEnv(envKey.getNode(), envValue.getNode())
+select envKey.getNode(), source, envKey, "arbitrary environment variable assignment from this $@.",
+  source.getNode(), "user controllable source"

javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.qhelp

@@ -0,0 +1,36 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+	<overview>
+
+		<p>
+			Assigning Value to environment variables from user-controllable data is not safe.
+		</p>
+
+	</overview>
+
+	<recommendation>
+
+		<p>
+			Restrict this operation only to privileged users or only for some not important environment variables.
+		</p>
+
+	</recommendation>
+
+	<example>
+
+		<p>
+			The following example allows unauthorized users to assign a value to a critical environment variable.
+		</p>
+
+		<sample src="examples/Bad_Value_Assignment.js" />
+
+	</example>
+
+	<references>
+		<li><a href="https://huntr.com/bounties/00ec6847-125b-43e9-9658-d3cace1751d6/">Admin account TakeOver in mintplex-labs/anything-llm</a></li>
+	</references>
+
+</qhelp>

javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.ql

@@ -0,0 +1,30 @@
+/**
+ * @name User controlled environment variable value injection
+ * @description assigning important environment variables from user controlled data is not secure
+ * @kind path-problem
+ * @id js/env-value-injection
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision medium
+ * @tags security
+ *       external/cwe/cwe-089
+ */
+
+import javascript
+import DataFlow::PathGraph
+
+/** A taint tracking configuration for unsafe environment injection. */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "envInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = API::moduleImport("process").getMember("env").getAMember().asSink()
+  }
+}
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "this environment variable assignment is $@.",
+  source.getNode(), "user controllable"

javascript/ql/src/experimental/Security/CWE-099/examples/Bad_Value_And_Key_Assignment.js

@@ -0,0 +1,8 @@
+const http = require('node:http');
+
+http.createServer((req, res) => {
+  const { EnvValue, EnvKey } = req.body;
+  process.env[EnvKey] = EnvValue; // NOT OK
+
+  res.end('env has been injected!');
+});

javascript/ql/src/experimental/Security/CWE-099/examples/Bad_Value_Assignment.js

@@ -0,0 +1,8 @@
+const http = require('node:http');
+
+http.createServer((req, res) => {
+  const { EnvValue } = req.body;
+  process.env["A_Critical_Env"] = EnvValue; // NOT OK
+
+  res.end('env has been injected!');
+});

javascript/ql/src/experimental/Security/CWE-347/Examples/Bad.js

@@ -0,0 +1,39 @@
+const express = require('express')
+const app = express()
+const jwtJsonwebtoken = require('jsonwebtoken');
+const jwt_decode = require('jwt-decode');
+const jwt_simple = require('jwt-simple');
+const jose = require('jose')
+const port = 3000
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+app.get('/jose', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // BAD: no signature verification
+    jose.decodeJwt(UserToken)
+})
+
+app.get('/jwtDecode', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // BAD: no signature verification
+    jwt_decode(UserToken)
+})
+
+app.get('/jwtSimple', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // jwt.decode(token, key, noVerify, algorithm)
+    // BAD: no signature verification
+    jwt_simple.decode(UserToken, getSecret(), true);
+})
+
+app.get('/jwtJsonwebtoken', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // BAD: no signature verification
+    jwtJsonwebtoken.decode(UserToken)
+})
+
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+})

javascript/ql/src/experimental/Security/CWE-347/Examples/Good.js

@@ -0,0 +1,56 @@
+const express = require('express')
+const app = express()
+const jwtJsonwebtoken = require('jsonwebtoken');
+const jwt_decode = require('jwt-decode');
+const jwt_simple = require('jwt-simple');
+const jose = require('jose')
+const port = 3000
+
+function getSecret() {
+    return "A Safe generated random key"
+}
+
+app.get('/jose1', async (req, res) => {
+    const UserToken = req.headers.authorization;
+    // GOOD: with signature verification
+    await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret()))
+})
+
+app.get('/jose2', async (req, res) => {
+    const UserToken = req.headers.authorization;
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jose.decodeJwt(UserToken)
+    await jose.jwtVerify(UserToken, new TextEncoder().encode(getSecret()))
+})
+
+app.get('/jwtSimple1', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwt_simple.decode(UserToken, getSecret(), false);
+    jwt_simple.decode(UserToken, getSecret());
+})
+
+app.get('/jwtSimple2', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // GOOD: with signature verification
+    jwt_simple.decode(UserToken, getSecret(), true);
+    jwt_simple.decode(UserToken, getSecret());
+})
+
+app.get('/jwtJsonwebtoken1', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // GOOD: with signature verification
+    jwtJsonwebtoken.verify(UserToken, getSecret())
+})
+
+app.get('/jwtJsonwebtoken2', (req, res) => {
+    const UserToken = req.headers.authorization;
+    // GOOD: first without signature verification then with signature verification for same UserToken
+    jwtJsonwebtoken.decode(UserToken)
+    jwtJsonwebtoken.verify(UserToken, getSecret())
+})
+
+
+app.listen(port, () => {
+    console.log(`Example app listening on port ${port}`)
+})

javascript/ql/src/experimental/Security/CWE-347/JWT.qll

@@ -0,0 +1,54 @@
+import javascript
+
+DataFlow::Node unverifiedDecode() {
+  result = API::moduleImport("jsonwebtoken").getMember("decode").getParameter(0).asSink()
+  or
+  exists(API::Node verify | verify = API::moduleImport("jsonwebtoken").getMember("verify") |
+    verify
+        .getParameter(2)
+        .getMember("algorithms")
+        .getUnknownMember()
+        .asSink()
+        .mayHaveStringValue("none") and
+    result = verify.getParameter(0).asSink()
+  )
+  or
+  // jwt-simple
+  exists(API::Node n | n = API::moduleImport("jwt-simple").getMember("decode") |
+    n.getParameter(2).asSink().asExpr() = any(BoolLiteral b | b.getBoolValue() = true) and
+    result = n.getParameter(0).asSink()
+  )
+  or
+  // jwt-decode
+  result = API::moduleImport("jwt-decode").getParameter(0).asSink()
+  or
+  //jose
+  result = API::moduleImport("jose").getMember("decodeJwt").getParameter(0).asSink()
+}
+
+DataFlow::Node verifiedDecode() {
+  exists(API::Node verify | verify = API::moduleImport("jsonwebtoken").getMember("verify") |
+    (
+      not verify
+          .getParameter(2)
+          .getMember("algorithms")
+          .getUnknownMember()
+          .asSink()
+          .mayHaveStringValue("none") or
+      not exists(verify.getParameter(2).getMember("algorithms"))
+    ) and
+    result = verify.getParameter(0).asSink()
+  )
+  or
+  // jwt-simple
+  exists(API::Node n | n = API::moduleImport("jwt-simple").getMember("decode") |
+    (
+      n.getParameter(2).asSink().asExpr() = any(BoolLiteral b | b.getBoolValue() = false) or
+      not exists(n.getParameter(2))
+    ) and
+    result = n.getParameter(0).asSink()
+    or
+    //jose
+    result = API::moduleImport("jose").getMember("jwtVerify").getParameter(0).asSink()
+  )
+}

javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.qhelp

@@ -0,0 +1,37 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+     <overview>
+          <p>
+               A JSON Web Token (JWT) is used for authenticating and managing users in an application.
+          </p>
+          <p>
+               Only Decoding JWTs without checking if they have a valid signature or not can lead to security vulnerabilities.
+          </p>
+
+     </overview>
+     <recommendation>
+
+          <p>
+               Don't use methods that only decode JWT, Instead use methods that verify the signature of JWT.
+          </p>
+
+     </recommendation>
+     <example>
+
+          <p>
+               In the following code, you can see the proper usage of the most popular JWT libraries.
+          </p>
+          <sample src="Examples/Good.js" />
+
+          <p>
+               In the following code, you can see the improper usage of the most popular JWT libraries.
+          </p>
+          <sample src="Examples/Bad.js" />
+     </example>
+     <references>
+          <li>
+               <a href="https://www.ghostccamm.com/blog/multi_strapi_vulns/#cve-2023-22893-authentication-bypass-for-aws-cognito-login-provider-in-strapi-versions-456">JWT claim has not been verified</a>
+          </li>
+     </references>
+
+</qhelp>

javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql

@@ -0,0 +1,40 @@
+/**
+ * @name JWT missing secret or public key verification
+ * @description The application does not verify the JWT payload with a cryptographic secret or public key.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.0
+ * @precision high
+ * @id js/decode-jwt-without-verification
+ * @tags security
+ *       external/cwe/cwe-347
+ */
+
+import javascript
+import DataFlow::PathGraph
+import JWT
+
+class ConfigurationUnverifiedDecode extends TaintTracking::Configuration {
+  ConfigurationUnverifiedDecode() { this = "jsonwebtoken without any signature verification" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }
+}
+
+class ConfigurationVerifiedDecode extends TaintTracking::Configuration {
+  ConfigurationVerifiedDecode() { this = "jsonwebtoken with signature verification" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
+}
+
+from ConfigurationUnverifiedDecode cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where
+  cfg.hasFlowPath(source, sink) and
+  not exists(ConfigurationVerifiedDecode cfg2 |
+    cfg2.hasFlowPath(any(DataFlow::PathNode p | p.getNode() = source.getNode()), _)
+  )
+select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
+  "without signature verification"

javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql

@@ -0,0 +1,55 @@
+/**
+ * @name JWT missing secret or public key verification
+ * @description The application does not verify the JWT payload with a cryptographic secret or public key.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.0
+ * @precision high
+ * @id js/decode-jwt-without-verification-local-source
+ * @tags security
+ *       external/cwe/cwe-347
+ */
+
+import javascript
+import DataFlow::PathGraph
+import JWT
+
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "jsonwebtoken without any signature verification" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source = [unverifiedDecode(), verifiedDecode()].getALocalSource()
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = unverifiedDecode()
+    or
+    sink = verifiedDecode()
+  }
+}
+
+/** Holds if `source` flows to the first parameter of jsonwebtoken.verify */
+predicate isSafe(Configuration cfg, DataFlow::Node source) {
+  exists(DataFlow::Node sink |
+    cfg.hasFlow(source, sink) and
+    sink = verifiedDecode()
+  )
+}
+
+/**
+ * Holds if:
+ * - `source` does not flow to the first parameter of `jsonwebtoken.verify`, and
+ * - `source` flows to the first parameter of `jsonwebtoken.decode`
+ */
+predicate isVulnerable(Configuration cfg, DataFlow::Node source, DataFlow::Node sink) {
+  not isSafe(cfg, source) and // i.e., source does not flow to a verify call
+  cfg.hasFlow(source, sink) and // but it does flow to something else
+  sink = unverifiedDecode() // and that something else is a call to decode.
+}
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where
+  cfg.hasFlowPath(source, sink) and
+  isVulnerable(cfg, source.getNode(), sink.getNode())
+select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
+  "without signature verification"

javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.qhelp

@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Extracting Compressed files with any compression algorithm like gzip can cause to denial of service attacks.</p>
+<p>Attackers can compress a huge file which created by repeated similiar byte and convert it to a small compressed file.</p>
+
+</overview>
+<recommendation>
+
+<p>When you want to decompress a user-provided compressed file you must be careful about the decompression ratio or read these files within a loop byte by byte to be able to manage the decompressed size in each cycle of the loop.</p>
+
+</recommendation>
+<example>
+
+<p>
+JsZip: check uncompressedSize Object Field before extraction.
+</p>
+<sample src="jszip_good.js"/>
+
+<p>
+nodejs Zlib: use <a href="https://nodejs.org/dist/latest-v18.x/docs/api/zlib.html#class-options">maxOutputLength option</a> which it'll limit the buffer read size
+</p>
+<sample src="zlib_good.js" />
+
+<p>
+node-tar: use <a href="https://github.com/isaacs/node-tar/blob/8c5af15e43a769fd24aa7f1c84d93e54824d19d2/lib/list.js#L90">maxReadSize option</a> which it'll limit the buffer read size
+</p>
+<sample src="node-tar_good.js" />
+
+</example>
+<references>
+
+<li>
+<a href="https://github.com/advisories/GHSA-8225-6cvr-8pqp">CVE-2017-16129</a>
+</li>
+<li>
+<a href="https://www.bamsoftware.com/hacks/zipbomb/">A great research to gain more impact by this kind of attacks</a>
+</li>
+
+</references>
+</qhelp>

javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.ql

@@ -0,0 +1,35 @@
+/**
+ * @name User-controlled file decompression
+ * @description User-controlled data that flows into decompression library APIs without checking the compression rate is dangerous
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.8
+ * @precision high
+ * @id js/user-controlled-data-decompression
+ * @tags security
+ *       experimental
+ *       external/cwe/cwe-522
+ */
+
+import javascript
+import DataFlow::PathGraph
+import DecompressionBombs
+
+class BombConfiguration extends TaintTracking::Configuration {
+  BombConfiguration() { this = "DecompressionBombs" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof DecompressionBomb::Sink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DecompressionBomb::AdditionalTaintStep addstep |
+      addstep.isAdditionalTaintStep(pred, succ)
+    )
+  }
+}
+
+from BombConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This Decompression depends on a $@.", source.getNode(),
+  "potentially untrusted source"

javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/DecompressionBombs.qll

@@ -0,0 +1,432 @@
+import javascript
+import experimental.semmle.javascript.FormParsers
+import experimental.semmle.javascript.ReadableStream
+import DataFlow::PathGraph
+
+module DecompressionBomb {
+  /**
+   * The Sinks of uncontrolled data decompression
+   */
+  class Sink extends DataFlow::Node {
+    Sink() { this = any(Range r).sink() }
+  }
+
+  /**
+   * The additional taint steps that need for creating taint tracking or dataflow.
+   */
+  abstract class AdditionalTaintStep extends string {
+    AdditionalTaintStep() { this = "AdditionalTaintStep" }
+
+    /**
+     * Holds if there is a additional taint step between pred and succ.
+     */
+    abstract predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ);
+  }
+
+  /**
+   * A abstract class responsible for extending new decompression sinks
+   */
+  abstract class Range extends API::Node {
+    /**
+     * Gets the sink of responsible for decompression node
+     *
+     * it can be a path, stream of compressed data,
+     * or a call to function that use pipe
+     */
+    abstract DataFlow::Node sink();
+  }
+}
+
+/**
+ * Provides additional taint steps for Readable Stream object
+ */
+module ReadableStream {
+  class ReadableStreamAdditionalTaintStep extends DecompressionBomb::AdditionalTaintStep {
+    ReadableStreamAdditionalTaintStep() { this = "AdditionalTaintStep" }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+      (
+        readablePipeAdditionalTaintStep(pred, succ)
+        or
+        streamPipelineAdditionalTaintStep(pred, succ)
+        or
+        promisesFileHandlePipeAdditionalTaintStep(pred, succ)
+      )
+    }
+  }
+}
+
+/**
+ * Provides additional taint steps for File system access functions
+ */
+module FileSystemAccessAdditionalTaintStep {
+  class ReadableStreamAdditionalTaintStep extends DecompressionBomb::AdditionalTaintStep {
+    ReadableStreamAdditionalTaintStep() { this = "AdditionalTaintStep" }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+      // additional taint step for fs.readFile(pred)
+      // It can be global additional step too
+      exists(DataFlow::CallNode n | n = DataFlow::moduleMember("fs", "readFile").getACall() |
+        pred = n.getArgument(0) and succ = n.getABoundCallbackParameter(1, 1)
+      )
+      or
+      exists(FileSystemReadAccess cn |
+        pred = cn.getAPathArgument() and
+        succ = cn.getADataNode()
+      )
+    }
+  }
+}
+
+/**
+ * Provides Models for [jszip](https://www.npmjs.com/package/jszip) package
+ */
+module JsZip {
+  /**
+   * The decompression bomb sinks
+   */
+  class DecompressionBomb extends DecompressionBomb::Range {
+    DecompressionBomb() { this = API::moduleImport("jszip").getMember("loadAsync") }
+
+    override DataFlow::Node sink() {
+      result = this.getParameter(0).asSink() and not this.sanitizer(this)
+    }
+
+    /**
+     * Gets a jszip `loadAsync` instance
+     * and Holds if member of name `uncompressedSize` exists
+     */
+    predicate sanitizer(API::Node loadAsync) {
+      exists(loadAsync.getASuccessor*().getMember("_data").getMember("uncompressedSize"))
+    }
+  }
+}
+
+/**
+ * Provides Models for [node-tar](https://www.npmjs.com/package/tar) package
+ */
+module NodeTar {
+  /**
+   * The decompression bomb sinks
+   */
+  class DecompressionBomb extends DecompressionBomb::Range {
+    DecompressionBomb() { this = API::moduleImport("tar").getMember(["x", "extract"]) }
+
+    override DataFlow::Node sink() {
+      (
+        // piping tar.x()
+        result = this.getACall()
+        or
+        // tar.x({file: filename})
+        result = this.getParameter(0).getMember("file").asSink()
+      ) and
+      // and there shouldn't be a  "maxReadSize: ANum" option
+      not this.sanitizer(this.getParameter(0))
+    }
+
+    /**
+     * Gets a options parameter that belong to a `tar` instance
+     * and Holds if "maxReadSize: ANumber" option exists
+     */
+    predicate sanitizer(API::Node tarExtract) { exists(tarExtract.getMember("maxReadSize")) }
+  }
+
+  /**
+   * The decompression Additional Taint Steps
+   */
+  class DecompressionAdditionalSteps extends DecompressionBomb::AdditionalTaintStep {
+    DecompressionAdditionalSteps() { this = "AdditionalTaintStep" }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(API::Node n | n = API::moduleImport("tar") |
+        pred = n.asSource() and
+        (
+          succ = n.getMember("x").getACall() or
+          succ = n.getMember("x").getACall().getArgument(0)
+        )
+      )
+    }
+  }
+}
+
+/**
+ * Provides Models for `node:zlib` package
+ */
+module Zlib {
+  /**
+   * The decompression sinks of `node:zlib`
+   */
+  class DecompressionBomb extends DecompressionBomb::Range {
+    boolean isSynk;
+
+    DecompressionBomb() {
+      this =
+        API::moduleImport("zlib")
+            .getMember([
+                "gunzip", "gunzipSync", "unzip", "unzipSync", "brotliDecompress",
+                "brotliDecompressSync", "inflateSync", "inflateRawSync", "inflate", "inflateRaw"
+              ]) and
+      isSynk = true
+      or
+      this =
+        API::moduleImport("zlib")
+            .getMember([
+                "createGunzip", "createBrotliDecompress", "createUnzip", "createInflate",
+                "createInflateRaw"
+              ]) and
+      isSynk = false
+    }
+
+    override DataFlow::Node sink() {
+      result = this.getACall() and
+      not this.sanitizer(this.getParameter(0)) and
+      isSynk = false
+      or
+      result = this.getACall().getArgument(0) and
+      not this.sanitizer(this.getParameter(1)) and
+      isSynk = true
+    }
+
+    /**
+     * Gets a options parameter that belong to a zlib instance
+     * and Holds if "maxOutputLength: ANumber" option exists
+     */
+    predicate sanitizer(API::Node zlib) { exists(zlib.getMember("maxOutputLength")) }
+  }
+}
+
+/**
+ * Provides Models for [pako](https://www.npmjs.com/package/pako) package
+ */
+module Pako {
+  /**
+   * The decompression bomb sinks
+   */
+  class DecompressionBomb extends DecompressionBomb::Range {
+    DecompressionBomb() {
+      this = API::moduleImport("pako").getMember(["inflate", "inflateRaw", "ungzip"])
+    }
+
+    override DataFlow::Node sink() { result = this.getParameter(0).asSink() }
+  }
+
+  /**
+   * The decompression Additional Taint Steps
+   */
+  class DecompressionAdditionalSteps extends DecompressionBomb::AdditionalTaintStep {
+    DecompressionAdditionalSteps() { this = "AdditionalTaintStep" }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+      // succ = new Uint8Array(pred)
+      exists(DataFlow::Node n, NewExpr ne | ne = n.asExpr() |
+        pred.asExpr() = ne.getArgument(0) and
+        succ.asExpr() = ne and
+        ne.getCalleeName() = "Uint8Array"
+      )
+    }
+  }
+}
+
+/**
+ * Provides Models for [adm-zip](https://www.npmjs.com/package/adm-zip) package
+ */
+module AdmZip {
+  /**
+   * The decompression bomb sinks
+   */
+  class DecompressionBomb extends DecompressionBomb::Range {
+    DecompressionBomb() { this = API::moduleImport("adm-zip").getInstance() }
+
+    override DataFlow::Node sink() {
+      result =
+        this.getMember(["extractAllTo", "extractEntryTo", "readAsText"]).getReturn().asSource()
+      or
+      result = this.getASuccessor*().getMember("getData").getReturn().asSource()
+    }
+  }
+
+  /**
+   * The decompression Additional Taint Steps
+   */
+  class DecompressionAdditionalSteps extends DecompressionBomb::AdditionalTaintStep {
+    DecompressionAdditionalSteps() { this = "AdditionalTaintStep" }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(API::Node n | n = API::moduleImport("adm-zip") |
+        pred = n.getParameter(0).asSink() and
+        (
+          succ =
+            n.getInstance()
+                .getMember(["extractAllTo", "extractEntryTo", "readAsText"])
+                .getReturn()
+                .asSource()
+          or
+          succ =
+            n.getInstance()
+                .getMember("getEntries")
+                .getASuccessor*()
+                .getMember("getData")
+                .getReturn()
+                .asSource()
+        )
+      )
+    }
+  }
+}
+
+/**
+ * Provides Models for [decompress](https://www.npmjs.com/package/decompress) package
+ */
+module Decompress {
+  /**
+   * The decompression bomb sinks
+   */
+  class DecompressionBomb extends DecompressionBomb::Range {
+    DecompressionBomb() { this = API::moduleImport("decompress") }
+
+    override DataFlow::Node sink() { result = this.getACall().getArgument(0) }
+  }
+}
+
+/**
+ * Provides Models for [gunzip-maybe][https://www.npmjs.com/package/gunzip-maybe] package
+ */
+module GunzipMaybe {
+  /**
+   * The decompression bomb sinks
+   */
+  class DecompressionBomb extends DecompressionBomb::Range {
+    DecompressionBomb() { this = API::moduleImport("gunzip-maybe") }
+
+    override DataFlow::Node sink() { result = this.getACall() }
+  }
+}
+
+/**
+ * Provides Models for [unbzip2-stream](https://www.npmjs.com/package/unbzip2-stream) package
+ */
+module Unbzip2Stream {
+  /**
+   * The decompression bomb sinks
+   */
+  class DecompressionBomb extends DecompressionBomb::Range {
+    DecompressionBomb() { this = API::moduleImport("unbzip2-stream") }
+
+    override DataFlow::Node sink() { result = this.getACall() }
+  }
+}
+
+/**
+ * Provides Models for [unzipper](https://www.npmjs.com/package/unzipper) package
+ */
+module Unzipper {
+  /**
+   * The decompression bomb sinks
+   */
+  class DecompressionBomb extends DecompressionBomb::Range {
+    string funcName;
+
+    DecompressionBomb() {
+      this = API::moduleImport("unzipper").getMember(["Extract", "Parse", "ParseOne"]) and
+      funcName = ["Extract", "Parse", "ParseOne"]
+      or
+      this = API::moduleImport("unzipper").getMember("Open") and
+      // open has some functions which will be specified in sink predicate
+      funcName = "Open"
+    }
+
+    override DataFlow::Node sink() {
+      result = this.getMember(["buffer", "file", "url", "file"]).getACall().getArgument(0) and
+      funcName = "Open"
+      or
+      result = this.getACall() and
+      funcName = ["Extract", "Parse", "ParseOne"]
+    }
+
+    /**
+     * Gets a
+     * and Holds if unzipper instance has a member `uncompressedSize`
+     *
+     * it is really difficult to implement this sanitizer,
+     * so i'm going to check if there is a member like `vars.uncompressedSize` in whole DB or not!
+     */
+    predicate sanitizer() {
+      exists(this.getASuccessor*().getMember("vars").getMember("uncompressedSize")) and
+      funcName = ["Extract", "Parse", "ParseOne"]
+    }
+  }
+}
+
+/**
+ * Provides Models for [yauzl](https://www.npmjs.com/package/yauzl) package
+ */
+module Yauzl {
+  API::Node test() { result = API::moduleImport("yauzl").getASuccessor*() }
+
+  /**
+   * The decompression bomb sinks
+   */
+  class DecompressionBomb extends DecompressionBomb::Range {
+    // open function has a sanitizer
+    string methodName;
+
+    DecompressionBomb() {
+      this =
+        API::moduleImport("yauzl").getMember(["fromFd", "fromBuffer", "fromRandomAccessReader"]) and
+      methodName = "from"
+      or
+      this = API::moduleImport("yauzl").getMember("open") and
+      methodName = "open"
+    }
+
+    override DataFlow::Node sink() {
+      (
+        result = this.getParameter(2).getParameter(1).getMember("readEntry").getACall() or
+        result =
+          this.getParameter(2)
+              .getParameter(1)
+              .getMember("openReadStream")
+              .getParameter(1)
+              .getParameter(1)
+              .asSource()
+      ) and
+      not this.sanitizer() and
+      methodName = "open"
+      or
+      result = this.getParameter(0).asSink() and
+      methodName = "from"
+    }
+
+    /**
+     * Gets a
+     * and Holds if yauzl `open` instance has a member `uncompressedSize`
+     */
+    predicate sanitizer() {
+      exists(this.getASuccessor*().getMember("uncompressedSize")) and
+      methodName = ["readStream", "open"]
+    }
+  }
+
+  /**
+   * The decompression Additional Taint Steps
+   */
+  class DecompressionAdditionalSteps extends DecompressionBomb::AdditionalTaintStep {
+    DecompressionAdditionalSteps() { this = "AdditionalTaintStep" }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(API::Node open | open = API::moduleImport("yauzl").getMember("open") |
+        pred = open.getParameter(0).asSink() and
+        (
+          succ = open.getParameter(2).getParameter(1).getMember("readEntry").getACall() or
+          succ =
+            open.getParameter(2)
+                .getParameter(1)
+                .getMember("openReadStream")
+                .getParameter(1)
+                .getParameter(1)
+                .asSource()
+        )
+      )
+    }
+  }
+}

javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/jszip_good.js

@@ -0,0 +1,11 @@
+const jszipp = require("jszip");
+function zipBombSafe(zipFile) {
+    jszipp.loadAsync(zipFile.data).then(function (zip) {
+        if (zip.file("10GB")["_data"]["uncompressedSize"] > 1024 * 1024 * 8) {
+            console.log("error")
+        }
+        zip.file("10GB").async("uint8array").then(function (u8) {
+            console.log(u8);
+        });
+    });
+}

javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/node-tar_good.js

@@ -0,0 +1,8 @@
+const tar = require("tar");
+
+tar.x({
+    file: tarFileName,
+    strip: 1,
+    C: 'some-dir',
+    maxReadSize: 16 * 1024 * 1024 // 16 MB
+})

javascript/ql/src/experimental/Security/CWE-522-DecompressionBombs/zlib_good.js

@@ -0,0 +1,11 @@
+const zlib = require("zlib");
+
+zlib.gunzip(
+    inputZipFile.data,
+    { maxOutputLength: 1024 * 1024 * 5 },
+    (err, buffer) => {
+        doSomeThingWithData(buffer);
+    });
+zlib.gunzipSync(inputZipFile.data, { maxOutputLength: 1024 * 1024 * 5 });
+
+inputZipFile.pipe(zlib.createGunzip({ maxOutputLength: 1024 * 1024 * 5 })).pipe(outputFile);

javascript/ql/src/experimental/semmle/javascript/Execa.qll

@@ -0,0 +1,211 @@
+/**
+ * Models the `execa` library in terms of `FileSystemAccess` and `SystemCommandExecution`.
+ */
+
+import javascript
+
+/**
+ * Provide model for [Execa](https://github.com/sindresorhus/execa) package
+ */
+module Execa {
+  /**
+   * The Execa input file read and output file write
+   */
+  class ExecaFileSystemAccess extends FileSystemReadAccess, DataFlow::Node {
+    API::Node execaArg;
+    boolean isPipedToFile;
+
+    ExecaFileSystemAccess() {
+      (
+        execaArg = API::moduleImport("execa").getMember("$").getParameter(0) and
+        isPipedToFile = false
+        or
+        execaArg =
+          API::moduleImport("execa")
+              .getMember(["execa", "execaCommand", "execaCommandSync", "execaSync"])
+              .getParameter([0, 1, 2]) and
+        isPipedToFile = false
+        or
+        execaArg =
+          API::moduleImport("execa")
+              .getMember(["execa", "execaCommand", "execaCommandSync", "execaSync"])
+              .getReturn()
+              .getMember(["pipeStdout", "pipeAll", "pipeStderr"])
+              .getParameter(0) and
+        isPipedToFile = true
+      ) and
+      this = execaArg.asSink()
+    }
+
+    override DataFlow::Node getADataNode() { none() }
+
+    override DataFlow::Node getAPathArgument() {
+      result = execaArg.getMember("inputFile").asSink() and isPipedToFile = false
+      or
+      result = execaArg.asSink() and isPipedToFile = true
+    }
+  }
+
+  /**
+   * A call to `execa.execa` or `execa.execaSync`
+   */
+  class ExecaCall extends API::CallNode {
+    boolean isSync;
+
+    ExecaCall() {
+      this = API::moduleImport("execa").getMember("execa").getACall() and
+      isSync = false
+      or
+      this = API::moduleImport("execa").getMember("execaSync").getACall() and
+      isSync = true
+    }
+  }
+
+  /**
+   * The system command execution nodes for `execa.execa` or `execa.execaSync` functions
+   */
+  class ExecaExec extends SystemCommandExecution, ExecaCall {
+    ExecaExec() { isSync = [false, true] }
+
+    override DataFlow::Node getACommandArgument() { result = this.getArgument(0) }
+
+    override predicate isShellInterpreted(DataFlow::Node arg) {
+      // if shell: true then first and second args are sinks
+      // options can be third argument
+      arg = [this.getArgument(0), this.getParameter(1).getUnknownMember().asSink()] and
+      isExecaShellEnable(this.getParameter(2))
+      or
+      // options can be second argument
+      arg = this.getArgument(0) and
+      isExecaShellEnable(this.getParameter(1))
+    }
+
+    override DataFlow::Node getArgumentList() {
+      // execa(cmd, [arg]);
+      exists(DataFlow::Node arg | arg = this.getArgument(1) |
+        // if it is a object then it is a option argument not command argument
+        result = arg and not arg.asExpr() instanceof ObjectExpr
+      )
+    }
+
+    override predicate isSync() { isSync = true }
+
+    override DataFlow::Node getOptionsArg() {
+      result = this.getLastArgument() and result.asExpr() instanceof ObjectExpr
+    }
+  }
+
+  /**
+   * A call to `execa.$` or `execa.$.sync` or `execa.$({})` or `execa.$.sync({})` tag functions
+   */
+  private class ExecaScriptCall extends API::CallNode {
+    boolean isSync;
+
+    ExecaScriptCall() {
+      exists(API::Node script |
+        script =
+          [
+            API::moduleImport("execa").getMember("$"),
+            API::moduleImport("execa").getMember("$").getReturn()
+          ]
+      |
+        this = script.getACall() and
+        isSync = false
+        or
+        this = script.getMember("sync").getACall() and
+        isSync = true
+      )
+    }
+  }
+
+  /**
+   * The system command execution nodes for `execa.$` or `execa.$.sync` tag functions
+   */
+  class ExecaScript extends SystemCommandExecution, ExecaScriptCall {
+    ExecaScript() { isSync = [false, true] }
+
+    override DataFlow::Node getACommandArgument() {
+      result = this.getParameter(1).asSink() and
+      not isTaggedTemplateFirstChildAnElement(this.getParameter(1).asSink().asExpr().getParent())
+    }
+
+    override predicate isShellInterpreted(DataFlow::Node arg) {
+      isExecaShellEnable(this.getParameter(0)) and
+      arg = this.getAParameter().asSink()
+    }
+
+    override DataFlow::Node getArgumentList() {
+      result = this.getParameter(any(int i | i >= 1)).asSink() and
+      isTaggedTemplateFirstChildAnElement(this.getParameter(1).asSink().asExpr().getParent())
+      or
+      result = this.getParameter(any(int i | i >= 2)).asSink() and
+      not isTaggedTemplateFirstChildAnElement(this.getParameter(1).asSink().asExpr().getParent())
+    }
+
+    override DataFlow::Node getOptionsArg() { result = this.getParameter(0).asSink() }
+
+    override predicate isSync() { isSync = true }
+  }
+
+  /**
+   * A call to `execa.execaCommandSync` or `execa.execaCommand`
+   */
+  private class ExecaCommandCall extends API::CallNode {
+    boolean isSync;
+
+    ExecaCommandCall() {
+      this = API::moduleImport("execa").getMember("execaCommandSync").getACall() and
+      isSync = true
+      or
+      this = API::moduleImport("execa").getMember("execaCommand").getACall() and
+      isSync = false
+    }
+  }
+
+  /**
+   * The system command execution nodes for `execa.execaCommand` or `execa.execaCommandSync` functions
+   */
+  class ExecaCommandExec extends SystemCommandExecution, ExecaCommandCall {
+    ExecaCommandExec() { isSync = [false, true] }
+
+    override DataFlow::Node getACommandArgument() {
+      result = this.(DataFlow::CallNode).getArgument(0)
+    }
+
+    override DataFlow::Node getArgumentList() {
+      // execaCommand(`${cmd} ${arg}`);
+      result.asExpr() = this.getParameter(0).asSink().asExpr().getAChildExpr() and
+      not result.asExpr() = this.getArgument(0).asExpr().getChildExpr(0)
+    }
+
+    override predicate isShellInterpreted(DataFlow::Node arg) {
+      // execaCommandSync(`${cmd} ${arg}`, {shell: true})
+      arg.asExpr() = this.getArgument(0).asExpr().getAChildExpr+() and
+      isExecaShellEnable(this.getParameter(1))
+      or
+      // there is only one argument that is constructed in previous nodes,
+      // it makes sanitizing really hard to select whether it is vulnerable to argument injection or not
+      arg = this.getParameter(0).asSink() and
+      not exists(this.getArgument(0).asExpr().getChildExpr(1))
+    }
+
+    override predicate isSync() { isSync = true }
+
+    override DataFlow::Node getOptionsArg() {
+      result = this.getLastArgument() and result.asExpr() instanceof ObjectExpr
+    }
+  }
+
+  /** Gets a TemplateLiteral and check if first child is a template element */
+  private predicate isTaggedTemplateFirstChildAnElement(TemplateLiteral templateLit) {
+    exists(templateLit.getChildExpr(0).(TemplateElement))
+  }
+
+  /**
+   * Holds whether Execa has shell enabled options or not, get Parameter responsible for options
+   */
+  pragma[inline]
+  private predicate isExecaShellEnable(API::Node n) {
+    n.getMember("shell").asSink().asExpr().(BooleanLiteral).getValue() = "true"
+  }
+}

javascript/ql/src/experimental/semmle/javascript/FormParsers.qll

@@ -0,0 +1,179 @@
+/**
+ * Provides classes for modeling the server-side form/file parsing libraries.
+ */
+
+import javascript
+import experimental.semmle.javascript.ReadableStream
+
+/**
+ * A module for modeling [busboy](https://www.npmjs.com/package/busboy) package
+ */
+module BusBoy {
+  /**
+   * A source of remote flow from the `Busboy` library.
+   */
+  private class BusBoyRemoteFlow extends RemoteFlowSource {
+    BusBoyRemoteFlow() {
+      exists(API::Node busboyOnEvent |
+        busboyOnEvent = API::moduleImport("busboy").getReturn().getMember("on")
+      |
+        // Files
+        busboyOnEvent.getParameter(0).asSink().mayHaveStringValue("file") and
+        // second param of 'file' event is a Readable stream
+        this = readableStreamDataNode(busboyOnEvent.getParameter(1).getParameter(1))
+        or
+        // Fields
+        busboyOnEvent.getParameter(0).asSink().mayHaveStringValue(["file", "field"]) and
+        this =
+          API::moduleImport("busboy")
+              .getReturn()
+              .getMember("on")
+              .getParameter(1)
+              .getAParameter()
+              .asSource()
+      )
+    }
+
+    override string getSourceType() { result = "parsed user value from Busbuy" }
+  }
+
+  /**
+   * A busboy file data step according to a Readable Stream type
+   */
+  private class AdditionalTaintStep extends TaintTracking::SharedTaintStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(API::Node busboyOnEvent |
+        busboyOnEvent = API::moduleImport("busboy").getReturn().getMember("on")
+      |
+        busboyOnEvent.getParameter(0).asSink().mayHaveStringValue("file") and
+        customStreamPipeAdditionalTaintStep(busboyOnEvent.getParameter(1).getParameter(1), pred,
+          succ)
+      )
+    }
+  }
+}
+
+/**
+ * A module for modeling [formidable](https://www.npmjs.com/package/formidable) package
+ */
+module Formidable {
+  /**
+   * A source of remote flow from the `Formidable` library parsing a HTTP request.
+   */
+  private class FormidableRemoteFlow extends RemoteFlowSource {
+    FormidableRemoteFlow() {
+      exists(API::Node formidable |
+        formidable = API::moduleImport("formidable").getReturn()
+        or
+        formidable = API::moduleImport("formidable").getMember("formidable").getReturn()
+        or
+        formidable =
+          API::moduleImport("formidable").getMember(["IncomingForm", "Formidable"]).getInstance()
+      |
+        this =
+          formidable.getMember("parse").getACall().getABoundCallbackParameter(1, any(int i | i > 0))
+        or
+        // if callback is not provide a promise will be returned,
+        // return values contains [fields,files] members
+        exists(API::Node parseMethod |
+          parseMethod = formidable.getMember("parse") and parseMethod.getNumParameter() = 1
+        |
+          this = parseMethod.getReturn().asSource()
+        )
+        or
+        // event handler
+        this = formidable.getMember("on").getParameter(1).getAParameter().asSource()
+      )
+    }
+
+    override string getSourceType() { result = "parsed user value from Formidable" }
+  }
+}
+
+/**
+ * A module for modeling [multiparty](https://www.npmjs.com/package/multiparty) package
+ */
+module Multiparty {
+  /**
+   * A source of remote flow from the `Multiparty` library.
+   */
+  private class MultipartyRemoteFlow extends RemoteFlowSource {
+    MultipartyRemoteFlow() {
+      exists(API::Node form |
+        form = API::moduleImport("multiparty").getMember("Form").getInstance()
+      |
+        exists(API::CallNode parse | parse = form.getMember("parse").getACall() |
+          this = parse.getParameter(1).getParameter([1, 2]).asSource()
+        )
+        or
+        exists(API::Node on | on = form.getMember("on") |
+          (
+            on.getParameter(0).asSink().mayHaveStringValue(["file", "field"]) and
+            this = on.getParameter(1).getParameter([0, 1]).asSource()
+            or
+            on.getParameter(0).asSink().mayHaveStringValue("part") and
+            this = readableStreamDataNode(on.getParameter(1).getParameter(0))
+          )
+        )
+      )
+    }
+
+    override string getSourceType() { result = "parsed user value from Multiparty" }
+  }
+
+  /**
+   * A multiparty part data step according to a Readable Stream type
+   */
+  private class AdditionalTaintStep extends TaintTracking::SharedTaintStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(API::Node multipartyOnEvent |
+        multipartyOnEvent =
+          API::moduleImport("multiparty").getMember("Form").getInstance().getMember("on")
+      |
+        multipartyOnEvent.getParameter(0).asSink().mayHaveStringValue("part") and
+        customStreamPipeAdditionalTaintStep(multipartyOnEvent.getParameter(1).getParameter(0), pred,
+          succ)
+      )
+    }
+  }
+}
+
+/**
+ * A module for modeling [dicer](https://www.npmjs.com/package/dicer) package
+ */
+module Dicer {
+  /**
+   * A source of remote flow from the `dicer` library.
+   */
+  private class DicerRemoteFlow extends RemoteFlowSource {
+    DicerRemoteFlow() {
+      exists(API::Node dicer | dicer = API::moduleImport("dicer").getInstance() |
+        exists(API::Node on | on = dicer.getMember("on") |
+          on.getParameter(0).asSink().mayHaveStringValue("part") and
+          this = readableStreamDataNode(on.getParameter(1).getParameter(0))
+          or
+          exists(API::Node onPart | onPart = on.getParameter(1).getParameter(0).getMember("on") |
+            onPart.getParameter(0).asSink().mayHaveStringValue("header") and
+            this = onPart.getParameter(1).getParameter(0).asSource()
+          )
+        )
+      )
+    }
+
+    override string getSourceType() { result = "parsed user value from Dicer" }
+  }
+
+  /**
+   * A dicer part data step according to a Readable Stream type
+   */
+  private class AdditionalTaintStep extends TaintTracking::SharedTaintStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(API::Node onEvent |
+        onEvent = API::moduleImport("dicer").getInstance().getMember("on")
+      |
+        onEvent.getParameter(0).asSink().mayHaveStringValue("part") and
+        customStreamPipeAdditionalTaintStep(onEvent.getParameter(1).getParameter(0), pred, succ)
+      )
+    }
+  }
+}

javascript/ql/src/experimental/semmle/javascript/ReadableStream.qll

@@ -0,0 +1,147 @@
+/**
+ * Provides helper predicates to work with any Readable Stream in dataflow queries
+ *
+ * main predicate in which you can use by passing a Readable Stream is `customStreamPipeAdditionalTaintStep`
+ */
+
+import javascript
+
+/**
+ * Holds if there is a step between `fs.createReadStream` and `stream.Readable.from` first parameters to all other piped parameters
+ *
+ * It can be global additional step too
+ */
+predicate readablePipeAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+  exists(API::Node receiver |
+    receiver =
+      [
+        API::moduleImport("fs").getMember("createReadStream"),
+        API::moduleImport("stream").getMember("Readable").getMember("from")
+      ]
+  |
+    customStreamPipeAdditionalTaintStep(receiver, pred, succ)
+    or
+    pred = receiver.getParameter(0).asSink() and
+    succ = receiver.getReturn().asSource()
+  )
+}
+
+/**
+ * additional taint steps for piped stream from `createReadStream` method of `fs/promises.open`
+ *
+ * It can be global additional step too
+ */
+predicate promisesFileHandlePipeAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+  exists(API::Node receiver | receiver = nodeJsPromisesFileSystem().getMember("open") |
+    customStreamPipeAdditionalTaintStep(receiver, pred, succ)
+    or
+    pred = receiver.getParameter(0).asSink() and
+    succ = receiver.getReturn().asSource()
+  )
+}
+
+/**
+ * Gets nodejs `fs` Promises API
+ */
+API::Node nodeJsPromisesFileSystem() {
+  result = [API::moduleImport("fs").getMember("promises"), API::moduleImport("fs/promises")]
+}
+
+/**
+ * Holds if
+ * or `receiver.pipe(pred).pipe(sth).pipe(succ)`
+ *
+ * or `receiver.pipe(sth).pipe(pred).pipe(succ)`
+ *
+ * or `receiver.pipe(succ)` and receiver is pred
+ *
+ * Receiver is a Readable Stream object
+ */
+predicate customStreamPipeAdditionalTaintStep(
+  API::Node receiver, DataFlow::Node pred, DataFlow::Node succ
+) {
+  // following connect the first pipe parameter to the last pipe parameter
+  exists(API::Node firstPipe | firstPipe = receiver.getMember("pipe") |
+    pred = firstPipe.getParameter(0).asSink() and
+    succ = firstPipe.getASuccessor*().getMember("pipe").getParameter(0).asSink()
+  )
+  or
+  // following connect a pipe parameter to the next pipe parameter
+  exists(API::Node cn | cn = receiver.getASuccessor+() |
+    pred = cn.getParameter(0).asSink() and
+    succ = cn.getReturn().getMember("pipe").getParameter(0).asSink()
+  )
+  or
+  // it is a function that its return value is a Readable stream object
+  pred = receiver.getReturn().asSource() and
+  succ = receiver.getReturn().getMember("pipe").getParameter(0).asSink()
+  or
+  // it is a Readable stream object
+  pred = receiver.asSource() and
+  succ = receiver.getMember("pipe").getParameter(0).asSink()
+}
+
+/**
+ * Holds if
+ *
+ * ```js
+ * await pipeline(
+ *        pred,
+ *        succ_or_pred,
+ *        succ
+ *    )
+ * ```
+ *
+ * It can be global additional step too
+ */
+predicate streamPipelineAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+  // this step connect the a pipeline parameter to the next pipeline parameter
+  exists(API::CallNode cn, int i |
+    // we assume that there are maximum 10 pipes mostly or maybe less
+    i in [0 .. 10] and
+    cn = nodeJsStream().getMember("pipeline").getACall()
+  |
+    pred = cn.getParameter(i).asSink() and
+    succ = cn.getParameter(i + 1).asSink()
+  )
+  or
+  // this step connect the first pipeline parameter to the next parameters
+  exists(API::CallNode cn, int i |
+    // we assume that there are maximum 10 pipes mostly or maybe less
+    i in [1 .. 10] and
+    cn = nodeJsStream().getMember("pipeline").getACall()
+  |
+    pred = cn.getParameter(0).asSink() and
+    succ = cn.getParameter(i).asSink()
+  )
+}
+
+/**
+ * Gets `stream` Promises API
+ */
+API::Node nodeJsStream() {
+  result = [API::moduleImport("stream/promises"), API::moduleImport("stream").getMember("promises")]
+}
+
+/**
+ * Gets a Readable stream object,
+ * and returns all nodes responsible for a data read of this Readable stream
+ */
+DataFlow::Node readableStreamDataNode(API::Node stream) {
+  result = stream.asSource()
+  or
+  // 'data' event
+  exists(API::CallNode onEvent | onEvent = stream.getMember("on").getACall() |
+    result = onEvent.getParameter(1).getParameter(0).asSource() and
+    onEvent.getParameter(0).asSink().mayHaveStringValue("data")
+  )
+  or
+  // 'Readable' event
+  exists(API::CallNode onEvent | onEvent = stream.getMember("on").getACall() |
+    (
+      result = onEvent.getParameter(1).getReceiver().getMember("read").getReturn().asSource() or
+      result = stream.getMember("read").getReturn().asSource()
+    ) and
+    onEvent.getParameter(0).asSink().mayHaveStringValue("readable")
+  )
+}