Conversation

erik-krogh

@erik-krogh erik-krogh commented Jun 10, 2020

CVE-2019-13506: TP/TN
CVE-2018-18282: TP/TN

Seems too easy.

The CVEs are both described as XSS, but I think that is because XSS is a catch-all for "the attacker can run some code".
In both CVEs the issue is a function () {..} being constructed as a string and run, so that seems more like code-injection, which is why the query is in the CWE-094 folder.

No results on our standard 236 benchmarks.

TODO:

  • qhelp
  • customizations module
  • qldoc on predicates
  • performance
  • make the String.prototype.replace sanitizer more precise?
  • more type tracking of remote-flow (link)
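The pattern the description above refers to, as an added example that is not part of this PR or the CodeQL libraries: a function body assembled from a string and executed through the Function constructor (the shape the query flags), beside a hardened form that validates the input and never builds code from it. The function names and the sample record are constructed for illustration.

```javascript
// Vulnerable shape: text that may come from a remote source becomes part of
// the source code handed to the Function constructor. Whatever the CVE text
// calls it, the primitive is code injection (CWE-094), not markup injection.
function buildGetterUnsafe(fieldName) {
  // 'fieldName' is assumed to be attacker-influenced (e.g. a query parameter)
  return new Function('obj', 'return obj.' + fieldName + ';');
}

// Hardened shape: do not generate code at all. Accept only a plain identifier
// and perform an ordinary, data-driven property lookup on the object's own keys.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function buildGetterSafe(fieldName) {
  if (typeof fieldName !== 'string' || !IDENTIFIER.test(fieldName)) {
    throw new TypeError('rejected field name: ' + JSON.stringify(fieldName));
  }
  return (obj) =>
    Object.prototype.hasOwnProperty.call(obj, fieldName) ? obj[fieldName] : undefined;
}

// Constructed sample input: a record the getter will be applied to.
const record = { id: 7, owner: 'alice' };

// Both getters behave identically on well-formed input; only the safe one
// refuses input that is not a bare identifier, instead of compiling it.
function demo() {
  return {
    unsafe: buildGetterUnsafe('owner')(record),
    safe: buildGetterSafe('id')(record),
  };
}
```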

@erik-krogh erik-krogh added the JS label Jun 10, 2020
@erik-krogh erik-krogh requested a review from a team June 10, 2020 18:20

@esbena esbena left a comment


Nice. I wonder if we can pull in some of the closed issues for safe-eval and friends. The exact CVEs escape me at the moment.

I have one suggestion for getting a few more results out of this.

// TODO: Proper customizations module, Source class Sink class etc.
import javascript
import DataFlow::PathGraph
private import semmle.javascript.heuristics.AdditionalSinks

We can wait with the following suggestion, but we must not forget about it.

AdditionalSinks.qll is designed to have the giant side effect of enabling all kinds of new sinks, and I think it is a footgun to import that library by default in any checked-in query - even if it doesn't hurt right here.

Can you pull out the relevant sink from AdditionalSinks.qll? AdditionalSinks.qll can then pull it back in and extend the right sink for the side effect.

exists(StringOps::ConcatenationRoot root, int i |
root.getOperand(i) = result and
not exists(result.getStringValue()) and
not root = endsInCodeInjectionSink()

Hmm, my suggestion for this filter was not completely thought through. This line alone will cause us to miss out completely on the cases where we do not detect a remote-flow input to the source. That is not a trade-off I am willing to make in order to avoid duplicate alerts.

Could we perhaps check in the where clause below that there also isn't taint-type-tracking flow to the source from a remote-flow source? That won't cost us any results.

Please include a test case too.

@erik-krogh erik-krogh marked this pull request as ready for review June 11, 2020 09:17
@erik-krogh erik-krogh requested a review from mchammer01 as a code owner June 11, 2020 09:17
@erik-krogh erik-krogh removed the request for review from mchammer01 June 11, 2020 09:17

@esbena esbena left a comment


LGTM. I think the master-merge requires a bit more type tracking to avoid double alerts, see inline comment.

t.start() and
result instanceof RemoteFlowSource
or
exists(DataFlow::TypeTracker t2 | result = remoteFlow(t2).track(t2, t))

See

exists(DataFlow::TypeBackTracker t2, DataFlow::Node succ | succ = regExpSource(re, t2) |
t2 = t.smallstep(result, succ)
or
any(TaintTracking::AdditionalTaintStep dts).step(result, succ) and
t = t2
)
for some additional (backwards) steps

@erik-krogh erik-krogh merged commit 01c51ee into github:js-team-sprint Jun 12, 2020