JS: expand the js/exception-xss to handle more types of exceptional flow

[erik-krogh]

I expanded the scope of the js/exception-xss query.

The following new exceptional flows are considered:

• Accessing a tainted field name on null/undefined.
  E.g: try {null[tainted]} catch(err) {..}
• Callback functions with an error argument.
  E.g: foo(tainted, (err, v) => ..);
• Exceptional flow from promise executor to catch handler.
  E.g: new Promise((resolve, reject) => {throw tainted}).catch((err) => {..})

The results are still largely untested.
I'm decently confident in the performance of the current version, but I haven't tested it yet.

I put a cache modifier on the isAdditionalFlowStep predicate as I otherwise got a massive performance penalty on some benchmarks (oldj/SwitchHosts in particular).
For some reason the Configuration::BarrierGuardNode::internalBlocks_dispred#ffb predicate began taking a LOT of time (the query is 4X slower on some benchmarks without the cache modifier).

Additionally I've added (and used) the getEnclosingCall predicate.
This predicate allows me to support the following pattern where the tainted value is inside some object/array when it escapes to an unknown function.

try {
   unknown({foo: tainted});
} catch(err) {
   element.innerHtml = err;
}

[max-schaefer]

This doesn't immediately make sense to me: this predicate is only used in one query, so caching it is not useful. I suspect the performance benefits you were observing were due to cached preventing harmful magic. Could you try replacing this with pragma[nomagic]? If that has the same performance benefits, I would suggest using it instead since it more clearly communicates the intention.

[erik-krogh]

Adding pragma[nomagic] on isAdditionalFlowStep does not fix the performance.

I also tried to add pragma[nomagic] to internalBlocks, and that got me from a ~4X slowdown to a ~2X slowdown.

I'll experiment some more.

[max-schaefer]

OK, there are a few other pragmas that cached implies, notably pragma[noinline].

[erik-krogh]

After a whole lot of benchmarking I found that adding pragma[noinline,nomagic] on Configuration::internalBlocks fixes the performance.
Adding just pragma[noinline] or pragma[nomagic] is not enough, both are needed to avoid a performance regression on oldj/SwitchHosts.

But with this change we will need a larger performance evaluation before we can merge.

[esbena]

I am very uncertain about the getEnclosingCall predicate, both in terms of performance and precision. Can we perhaps delay merging that feature? It seems independent of the rest from the features of this PR.

[erik-krogh]

I got a performance result (that includes the now removed getEnclosingCall).
And performance looks somewhat OK.

[esbena]

Thanks, with getEnclosingCall gone, I have some hope that the pragma[xyz] can go away at the end of this PR. Lets iterate once more on the error parameter characteristic first though.

[erik-krogh]

Thanks, with getEnclosingCall gone, I have some hope that the pragma[xyz] can go away.

The pragma can go away now, I just did the experiment.

[esbena]

Sorry for pivoting and arguing with myself. I would like to get a second pair of eyes on the reachability analysis.

[esbena]

Getting close. My only comments now are about visibility, style and documentation.

[esbena]

Missing docstring.

[esbena]

Missing docstring.

[esbena]

This can be private.

This predicates makes up a verbose alias for getExceptionTarget.
How about renaming this predicate to getExceptionTarget, and explaining in the docstring how it adds additional cases to the builtin syntactic Expr::getExceptionTarget?
Alternatively we should just inline this predicate.

[erik-krogh]

I like the idea of renaming, and then explaining how it adds cases.

[esbena]

Minor.
This line is definitely not indented correctly.
The are other similar indentation inconsistencies in this file.

Can you autoformat the entire file, and update the expected output?

[esbena]

Is this step really feature complete enough yet? Perhaps we should just keep it private, and make a note of the features that we are aware that it is missing:

• support for flow of exceptions to the catch block of an await
• support for flow of exceptions to the first catch-handler in a chain of promise-steps: new Promise(res, rej).then(..).then(..).catch(e => FLOWS_HERE).then(...).catch(e => BUT_NOT_HERE)

Also, since this is a default taint step for all TaintTracking::Configuration, I want to make sure that we have done an evaluation with --suite security.

[erik-krogh]

I put in a comment about what is missing.
I'll maybe return to it at some and add more flow edges.

I'll get an evaluation going.

[max-schaefer]

A few minor suggestions, but overall this looks fairly uncontroversial. 👍

[max-schaefer]

This sounds like something that should be put into an issue, not a code comment.

[max-schaefer]

Hm, I'm not sure about this condition. Our type inference is very conservative, and in particular is likely to infer undefined as a possible type of just about everything (apart from constants and sometimes SSA variables).

I think you may want to strengthen this to forex(InferredType t | t = prop.getBase().analyze().getAType() | isNullOrUndefined(t)) to only cover those cases where we are quite sure the base is null-ish.

(Note that we don't want to use forall, since expressions in dead code sometimes don't have any types inferred for them.)

[max-schaefer]

This sentence is a bit repetitive. How about shortening to "Gets the data-flow node to which any exceptions thrown by this expression will propagate"?

[max-schaefer]

LGTM, but we should probably do another (small) performance evaluation.

[erik-krogh]

LGTM, but we should probably do another (small) performance evaluation.

I already had a larger performance evaluation running.
It looks somewhat OK to me.

[max-schaefer]

OK, that looks fairly healthy. Could you retry nuclide and JazminServer? Looks like that should be quick, and it should give us an idea of whether the reported slowdowns are likely to be flukes.

Also, what were the query failures on bwip-js about? And what about the build failures on babel?

[erik-krogh]

OK, that looks fairly healthy. Could you retry nuclide and JazminServer? Looks like that should be quick, and it should give us an idea of whether the reported slowdowns are likely to be flukes.

The slowdowns seem to be flukes.
https://git.semmle.com/erik/dist-compare-reports/tree/profiling-erik-krogh.northeurope.cloudapp.azure.com_1576690361008

Also, what were the query failures on bwip-js about?

CWE-807/DifferentKindsComparisonBypass.ql ran into a timeout.
But the exact same timeout happened on both master and moarExceptions.

And what about the build failures on babel?

That has nothing to do with this PR.
The build failure comes from a new file in babel that we cannot parse.
(I'm creating an issue).

The following exception is thrown:

Exception while extracting /home/erik/dev/dist-compare/working/repositories/babel/packages/babel-parser/test/fixtures/core/categorized/invalid-assignment-pattern-2/input.js.
com.semmle.util.exception.CatastrophicError: Assignment patterns should not appear in the AST.
   at com.semmle.js.ast.DefaultVisitor.visit(DefaultVisitor.java:101)

[max-schaefer]

CWE-807/DifferentKindsComparisonBypass.ql ran into a timeout.
But the exact same timeout happened on both master and moarExceptions.

That is very concerning. Can you file an issue please?

[erik-krogh]

@esbena can I get an approve?