Merge pull request #629 from esben-semmle/js/persistent-read-taint
JS: add persistent storage taint steps
Showing
23 changed files
with
284 additions
and
0 deletions.
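--- a/javascript/ql/src/semmle/javascript/frameworks/CookieLibraries.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/CookieLibraries.qll
@@ -0,0 +1,93 @@
+
+/**
+* Provides classes for reasoning about cookies.
+*/
+
+import javascript
+
+/**
+* A model of the `js-cookie` library (https://github.com/js-cookie/js-cookie).
+*/
+private module JsCookie {
+/**
+* Gets a function call that invokes method `name` of the `js-cookie` library.
+*/
+DataFlow::CallNode libMemberCall(string name) {
+result = DataFlow::globalVarRef("Cookie").getAMemberCall(name) or
+result = DataFlow::globalVarRef("Cookie").getAMemberCall("noConflict").getAMemberCall(name) or
+result = DataFlow::moduleMember("js-cookie", name).getACall()
+}
+
+class ReadAccess extends PersistentReadAccess, DataFlow::CallNode {
+ReadAccess() { this = libMemberCall("get") }
+
+override PersistentWriteAccess getAWrite() {
+getArgument(0).mayHaveStringValue(result.(WriteAccess).getKey())
+}
+}
+
+class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode {
+WriteAccess() { this = libMemberCall("set") }
+
+string getKey() { getArgument(0).mayHaveStringValue(result) }
+
+override DataFlow::Node getValue() { result = getArgument(1) }
+}
+}
+
+/**
+* A model of the `browser-cookies` library (https://github.com/voltace/browser-cookies).
+*/
+private module BrowserCookies {
+/**
+* Gets a function call that invokes method `name` of the `browser-cookies` library.
+*/
+DataFlow::CallNode libMemberCall(string name) {
+result = DataFlow::moduleMember("browser-cookies", name).getACall()
+}
+
+class ReadAccess extends PersistentReadAccess, DataFlow::CallNode {
+ReadAccess() { this = libMemberCall("get") }
+
+override PersistentWriteAccess getAWrite() {
+getArgument(0).mayHaveStringValue(result.(WriteAccess).getKey())
+}
+}
+
+class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode {
+WriteAccess() { this = libMemberCall("set") }
+
+string getKey() { getArgument(0).mayHaveStringValue(result) }
+
+override DataFlow::Node getValue() { result = getArgument(1) }
+}
+}
+
+/**
+* A model of the `cookie` library (https://github.com/jshttp/cookie).
+*/
+private module LibCookie {
+/**
+* Gets a function call that invokes method `name` of the `cookie` library.
+*/
+DataFlow::CallNode libMemberCall(string name) {
+result = DataFlow::moduleMember("cookie", name).getACall()
+}
+
+class ReadAccess extends PersistentReadAccess {
+string key;
+ReadAccess() { this = libMemberCall("parse").getAPropertyRead(key) }
+
+override PersistentWriteAccess getAWrite() {
+key = result.(WriteAccess).getKey()
+}
+}
+
+class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode {
+WriteAccess() { this = libMemberCall("serialize") }
+
+string getKey() { getArgument(0).mayHaveStringValue(result) }
+
+override DataFlow::Node getValue() { result = getArgument(1) }
+}
+}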
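Review bot: The two `DataFlow::globalVarRef("Cookie")` disjuncts in `JsCookie::libMemberCall` look wrong: as far as I recall, `js-cookie` registers its browser global as `Cookies` (its README uses `Cookies.set`/`Cookies.get`, and the no-conflict form is `Cookies.noConflict()`), so as written they should never match, and the test added in this change only covers the `require('js-cookie')` form, which would hide that. I would change both to `DataFlow::globalVarRef("Cookies")` and add a global-style case to the test fixture. A second, smaller point: every `getAWrite` casts `result` to its own module's `WriteAccess`, so a cookie written through one library and read through another via the same `document.cookie` is never linked, and reads or writes whose key is not a string constant are dropped silently by `mayHaveStringValue`; a class-level comment such as `// Reads are linked only to writes made through the same library with a matching constant key.` would make both limitations explicit to anyone extending the model.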
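--- a/javascript/ql/test/library-tests/frameworks/Concepts/PersistentReadAccess.expected
+++ b/javascript/ql/test/library-tests/frameworks/Concepts/PersistentReadAccess.expected
@@ -0,0 +1,4 @@
+| persistence.js:3:5:3:33 | localSt ... prop1') |
+| persistence.js:6:5:6:35 | session ... prop2') |
+| persistence.js:10:5:10:33 | localSt ... prop4') |
+| persistence.js:13:5:13:35 | session ... prop5') |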
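--- a/javascript/ql/test/library-tests/frameworks/Concepts/PersistentReadAccess.ql
+++ b/javascript/ql/test/library-tests/frameworks/Concepts/PersistentReadAccess.ql
@@ -0,0 +1,4 @@
+import javascript
+
+from PersistentReadAccess read
+select read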
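--- a/javascript/ql/test/library-tests/frameworks/Concepts/PersistentReadAccess_getAWrite.expected
+++ b/javascript/ql/test/library-tests/frameworks/Concepts/PersistentReadAccess_getAWrite.expected
@@ -0,0 +1,2 @@
+| persistence.js:3:5:3:33 | localSt ... prop1') | persistence.js:2:5:2:37 | localSt ... 1', v1) |
+| persistence.js:6:5:6:35 | session ... prop2') | persistence.js:5:5:5:39 | session ... 2', v2) |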
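--- a/javascript/ql/test/library-tests/frameworks/Concepts/PersistentReadAccess_getAWrite.ql
+++ b/javascript/ql/test/library-tests/frameworks/Concepts/PersistentReadAccess_getAWrite.ql
@@ -0,0 +1,4 @@
+import javascript
+
+from PersistentReadAccess read
+select read, read.getAWrite()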
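--- a/javascript/ql/test/library-tests/frameworks/Concepts/PersistentWriteAccess.expected
+++ b/javascript/ql/test/library-tests/frameworks/Concepts/PersistentWriteAccess.expected
@@ -0,0 +1,4 @@
+| persistence.js:2:5:2:37 | localSt ... 1', v1) | persistence.js:2:35:2:36 | v1 |
+| persistence.js:5:5:5:39 | session ... 2', v2) | persistence.js:5:37:5:38 | v2 |
+| persistence.js:8:5:8:37 | localSt ... 3', v3) | persistence.js:8:35:8:36 | v3 |
+| persistence.js:12:5:12:37 | localSt ... 5', v5) | persistence.js:12:35:12:36 | v5 |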
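--- a/javascript/ql/test/library-tests/frameworks/Concepts/PersistentWriteAccess.ql
+++ b/javascript/ql/test/library-tests/frameworks/Concepts/PersistentWriteAccess.ql
@@ -0,0 +1,4 @@
+import javascript
+
+from PersistentWriteAccess write
+select write, write.getValue()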
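--- a/javascript/ql/test/library-tests/frameworks/Concepts/persistence.js
+++ b/javascript/ql/test/library-tests/frameworks/Concepts/persistence.js
@@ -0,0 +1,14 @@
+(function(){
+localStorage.setItem('prop1', v1);
+localStorage.getItem('prop1');
+
+sessionStorage.setItem('prop2', v2);
+sessionStorage.getItem('prop2');
+
+localStorage.setItem('prop3', v3);
+
+localStorage.getItem('prop4');
+
+localStorage.setItem('prop5', v5);
+sessionStorage.getItem('prop5');
+});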
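--- a/javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieReadAccess.expected
+++ b/javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieReadAccess.expected
@@ -0,0 +1,3 @@
+| tst.js:7:2:7:21 | js_cookie.get('key') |
+| tst.js:12:2:12:27 | browser ... ('key') |
+| tst.js:18:2:18:22 | cookie. ... ['key'] |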
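--- a/javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieReadAccess.ql
+++ b/javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieReadAccess.ql
@@ -0,0 +1,4 @@
+import javascript
+
+from PersistentReadAccess read
+select read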
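--- a/javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieReadAccess_getAWrite.expected
+++ b/javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieReadAccess_getAWrite.expected
@@ -0,0 +1,3 @@
+| tst.js:7:2:7:21 | js_cookie.get('key') | tst.js:6:2:6:30 | js_cook ... value') |
+| tst.js:12:2:12:27 | browser ... ('key') | tst.js:11:2:11:36 | browser ... value') |
+| tst.js:18:2:18:22 | cookie. ... ['key'] | tst.js:17:2:17:33 | cookie. ... value') |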
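--- a/javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieReadAccess_getAWrite.ql
+++ b/javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieReadAccess_getAWrite.ql
@@ -0,0 +1,4 @@
+import javascript
+
+from PersistentReadAccess read
+select read, read.getAWrite()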
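--- a/javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieWriteAccess.expected
+++ b/javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieWriteAccess.expected
@@ -0,0 +1,3 @@
+| tst.js:6:2:6:30 | js_cook ... value') | tst.js:6:23:6:29 | 'value' |
+| tst.js:11:2:11:36 | browser ... value') | tst.js:11:29:11:35 | 'value' |
+| tst.js:17:2:17:33 | cookie. ... value') | tst.js:17:26:17:32 | 'value' |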
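--- a/javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieWriteAccess.ql
+++ b/javascript/ql/test/library-tests/frameworks/CookieLibraries/CookieWriteAccess.ql
@@ -0,0 +1,4 @@
+import javascript
+
+from PersistentWriteAccess write
+select write, write.getValue()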
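--- a/javascript/ql/test/library-tests/frameworks/CookieLibraries/tst.js
+++ b/javascript/ql/test/library-tests/frameworks/CookieLibraries/tst.js
@@ -0,0 +1,19 @@
+const js_cookie = require('js-cookie'),
+browser_cookies = require('browser-cookies'),
+cookie = require('cookie');
+
+(function() {
+js_cookie.set('key', 'value');
+js_cookie.get('key');
+});
+
+(function() {
+browser_cookies.set('key', 'value');
+browser_cookies.get('key');
+});
+
+
+(function() {
+cookie.serialize('key', 'value');
+cookie.parse()['key'];
+});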
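Review bot: The fixture loads every library through `require`, so the two `globalVarRef("Cookie")` disjuncts of the `js-cookie` model in CookieLibraries.qll are not exercised by any line of `CookieReadAccess.expected`, and a wrong global name there would go unnoticed; adding a script-style case such as `Cookies.set('gkey', 'value'); Cookies.get('gkey');` (the name the library exposes as its browser global, as far as I recall) would pin that path. Separately, `cookie.parse()` on line 18 is called with no argument while the library parses a header string; a shape like `cookie.parse(req.headers.cookie)['key']` would make the case resemble real usage, where the parsed value also arrives from a remote source rather than only from the `serialize` call the model links it to.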
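--- a/javascript/ql/test/query-tests/Security/CWE-079/stored-xss.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/stored-xss.js
@@ -0,0 +1,9 @@
+(function() {
+sessionStorage.setItem('session', document.location.search);
+localStorage.setItem('local', document.location.search);
+
+$('myId').html(sessionStorage.getItem('session')); // NOT OK
+$('myId').html(localStorage.getItem('session')); // OK
+$('myId').html(sessionStorage.getItem('local')); // OK
+$('myId').html(localStorage.getItem('local')); // NOT OK
+});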
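Review bot: The two `// OK` verdicts on lines 7 and 8 depend on `localStorage` and `sessionStorage` being modelled as distinct stores, which matches the Web Storage API, but nothing in the fixture says so and a reader may take them as claiming those sinks are safe; a comment above line 6 such as `// localStorage and sessionStorage are separate stores: a key written to one is not readable from the other` would pin the intent. The fixture also only exercises the two storage globals, so the three cookie libraries modelled in this same change never reach a stored-XSS sink here, and whether a `js_cookie.get(...)` of a key earlier `set` from `document.location.search` is reported is not pinned by any expected output visible on this page. The `.expected` file for this test is not in the visible part of the page, so I cannot confirm which lines are actually reported.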