JS: split InsecureRandomness.qll

2026-04-28 02:05:14 +02:00 · 2019-07-04 09:10:35 +02:00
parent b85d3756b0
commit efe7ba4f3d
2 changed files with 88 additions and 71 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomness.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomness.qll
@@ -1,25 +1,17 @@
 /**
- * Provides a taint tracking configuration for reasoning about random values that are not cryptographically secure.
+ * Provides a taint tracking configuration for reasoning about random
+ * values that are not cryptographically secure.
+ *
+ * Note, for performance reasons: only import this file if
+ * `InsecureRandomness::Configuration` is needed, otherwise
+ * `InsecureRandomnessCustomizations` should be imported instead.
 */

 import javascript
 private import semmle.javascript.security.SensitiveActions

 module InsecureRandomness {
-  /**
-   * A data flow source for random values that are not cryptographically secure.
-   */
-  abstract class Source extends DataFlow::Node { }
-
-  /**
-   * A data flow sink for random values that are not cryptographically secure.
-   */
-  abstract class Sink extends DataFlow::Node { }
-
-  /**
-   * A sanitizer for random values that are not cryptographically secure.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
+  import InsecureRandomnessCustomizations::InsecureRandomness

  /**
   * A taint tracking configuration for random values that are not cryptographically secure.
@@ -56,60 +48,4 @@ module InsecureRandomness {
      )
    }
  }
-
-  /**
-   * A simple random number generator that is not cryptographically secure.
-   */
-  class DefaultSource extends Source, DataFlow::ValueNode {
-    override InvokeExpr astNode;
-
-    DefaultSource() {
-      exists(DataFlow::ModuleImportNode mod, string name | mod.getPath() = name |
-        // require("random-number")();
-        name = "random-number" and
-        this = mod.getACall()
-        or
-        // require("random-int")();
-        name = "random-int" and
-        this = mod.getACall()
-        or
-        // require("random-float")();
-        name = "random-float" and
-        this = mod.getACall()
-        or
-        // require('random-seed').create()();
-        name = "random-seed" and
-        this = mod.getAMemberCall("create").getACall()
-        or
-        // require('unique-random')()();
-        name = "unique-random" and
-        this = mod.getACall().getACall()
-      )
-      or
-      // Math.random()
-      this = DataFlow::globalVarRef("Math").getAMemberCall("random")
-      or
-      // (new require('chance')).<name>()
-      this = DataFlow::moduleImport("chance").getAnInstantiation().getAMemberInvocation(_)
-      or
-      // require('crypto').pseudoRandomBytes()
-      this = DataFlow::moduleMember("crypto", "pseudoRandomBytes").getAnInvocation()
-    }
-  }
-
-  /**
-   * A sensitive write, considered as a sink for random values that are not cryptographically
-   * secure.
-   */
-  class SensitiveWriteSink extends Sink {
-    SensitiveWriteSink() { this instanceof SensitiveWrite }
-  }
-
-  /**
-   * A cryptographic key, considered as a sink for random values that are not cryptographically
-   * secure.
-   */
-  class CryptoKeySink extends Sink {
-    CryptoKeySink() { this instanceof CryptographicKey }
-  }
 }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomnessCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomnessCustomizations.qll
@@ -0,0 +1,81 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * random values that are not cryptographically secure, as well as
+ * extension points for adding your own.
+ */
+
+import javascript
+private import semmle.javascript.security.SensitiveActions
+
+module InsecureRandomness {
+  /**
+   * A data flow source for random values that are not cryptographically secure.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for random values that are not cryptographically secure.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for random values that are not cryptographically secure.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A simple random number generator that is not cryptographically secure.
+   */
+  class DefaultSource extends Source, DataFlow::ValueNode {
+    override InvokeExpr astNode;
+
+    DefaultSource() {
+      exists(DataFlow::ModuleImportNode mod, string name | mod.getPath() = name |
+        // require("random-number")();
+        name = "random-number" and
+        this = mod.getACall()
+        or
+        // require("random-int")();
+        name = "random-int" and
+        this = mod.getACall()
+        or
+        // require("random-float")();
+        name = "random-float" and
+        this = mod.getACall()
+        or
+        // require('random-seed').create()();
+        name = "random-seed" and
+        this = mod.getAMemberCall("create").getACall()
+        or
+        // require('unique-random')()();
+        name = "unique-random" and
+        this = mod.getACall().getACall()
+      )
+      or
+      // Math.random()
+      this = DataFlow::globalVarRef("Math").getAMemberCall("random")
+      or
+      // (new require('chance')).<name>()
+      this = DataFlow::moduleImport("chance").getAnInstantiation().getAMemberInvocation(_)
+      or
+      // require('crypto').pseudoRandomBytes()
+      this = DataFlow::moduleMember("crypto", "pseudoRandomBytes").getAnInvocation()
+    }
+  }
+
+  /**
+   * A sensitive write, considered as a sink for random values that are not cryptographically
+   * secure.
+   */
+  class SensitiveWriteSink extends Sink {
+    SensitiveWriteSink() { this instanceof SensitiveWrite }
+  }
+
+  /**
+   * A cryptographic key, considered as a sink for random values that are not cryptographically
+   * secure.
+   */
+  class CryptoKeySink extends Sink {
+    CryptoKeySink() { this instanceof CryptographicKey }
+  }
+}