Skip to content

JS: add heuristic taint-step for potentially unmodelled libraries #9572

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jun 21, 2022
Merged

JS: add heuristic taint-step for potentially unmodelled libraries #9572

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions javascript/ql/lib/semmle/javascript/heuristics/AdditionalTaintSteps.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,3 +17,15 @@ private class HeuristicStringManipulationTaintStep extends TaintTracking::Shared
)
}
}

/** Any call to a library component where we assume taint from any argument to the result */
private class HeuristicLibraryCallTaintStep extends TaintTracking::SharedTaintStep {
override predicate heuristicStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(API::CallNode call |
pred = call.getAnArgument() or // the plain argument
pred = call.getAnArgument().(DataFlow::SourceNode).getAPropertyWrite().getRhs() // one property down
|
succ = call
)
}
}
42 changes: 42 additions & 0 deletions javascript/ql/src/meta/analysis-quality/UnmodelledSteps.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
/**
* @name Unmodeled step
* @description A potential step from an argument to a return that has no data/taint step.
* @kind metric
* @metricType project
* @metricAggregate sum
* @tags meta
* @id js/meta/unmodeled-step
*/

import javascript
import meta.MetaMetrics
private import Expressions.ExprHasNoEffect
import meta.internal.TaintMetrics

predicate unmodeled(API::Node callee, API::CallNode call, DataFlow::Node pred, DataFlow::Node succ) {
callee.getACall() = call and
pred = call.getAnArgument() and
succ = call and
not inVoidContext(succ.asExpr()) and // void calls are irrelevant
not call.getAnArgument() = relevantTaintSink() and // calls with sinks are considered modeled
// we assume taint to the return value means the call is modeled
not (
TaintTracking::sharedTaintStep(_, succ)
or
DataFlow::SharedFlowStep::step(_, succ)
or
DataFlow::SharedFlowStep::step(_, succ, _, _)
or
DataFlow::SharedFlowStep::loadStep(_, succ, _)
or
DataFlow::SharedFlowStep::storeStep(_, succ, _)
or
DataFlow::SharedFlowStep::loadStoreStep(_, succ, _, _)
or
DataFlow::SharedFlowStep::loadStoreStep(_, succ, _)
) and
not pred.getFile() instanceof IgnoredFile and
not succ.getFile() instanceof IgnoredFile
}

select projectRoot(), count(DataFlow::Node pred, DataFlow::Node succ | unmodeled(_, _, pred, succ))