Merge pull request #2788 from erik-krogh/CVE42-sink

semmle-qlci · web-flow · commit 769dce511b2b · 2020-02-14T08:00:00.000Z
Approved by esbena
diff --git a/change-notes/1.24/analysis-javascript.md b/change-notes/1.24/analysis-javascript.md
@@ -47,6 +47,7 @@
 | Use of call stack introspection in strict mode (`js/strict-mode-call-stack-introspection`) | Fewer false positive results | The query no longer flags expression statements. |
 | Missing CSRF middleware (`js/missing-token-validation`) | Fewer false positive results | The query reports fewer duplicates and only flags handlers that explicitly access cookie data. |
 | Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional ways dangerous paths can be constructed. |
+| Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional ways of constructing arguments to `cmd.exe` and `/bin/sh`. |
 
 ## Changes to libraries
 
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -271,67 +271,82 @@ module TaintTracking {
     ArrayFunctionTaintStep() { this = call }
 
     override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-      // `array.map(function (elt, i, ary) { ... })`: if `array` is tainted, then so are
-      // `elt` and `ary`; similar for `forEach`
-      exists(string name, Function f, int i |
-        (name = "map" or name = "forEach") and
-        (i = 0 or i = 2) and
-        call.getArgument(0).analyze().getAValue().(AbstractFunction).getFunction() = f and
-        call.(DataFlow::MethodCallNode).getMethodName() = name and
-        pred = call.getReceiver() and
-        succ = DataFlow::parameterNode(f.getParameter(i))
-      )
-      or
-      // `array.map` with tainted return value in callback
-      exists(DataFlow::FunctionNode f |
-        call.(DataFlow::MethodCallNode).getMethodName() = "map" and
-        call.getArgument(0) = f and // Require the argument to be a closure to avoid spurious call/return flow
-        pred = f.getAReturn() and
-        succ = call
-      )
-      or
-      // `array.push(e)`, `array.unshift(e)`: if `e` is tainted, then so is `array`.
-      exists(string name |
-        name = "push" or
-        name = "unshift"
-      |
-        pred = call.getAnArgument() and
-        succ.(DataFlow::SourceNode).getAMethodCall(name) = call
-      )
-      or
-      // `array.push(...e)`, `array.unshift(...e)`: if `e` is tainted, then so is `array`.
-      exists(string name |
-        name = "push" or
-        name = "unshift"
-      |
-        pred = call.getASpreadArgument() and
-        // Make sure we handle reflective calls
-        succ = call.getReceiver().getALocalSource() and
-        call.getCalleeName() = name
-      )
-      or
-      // `array.splice(i, del, e)`: if `e` is tainted, then so is `array`.
-      exists(string name | name = "splice" |
-        pred = call.getArgument(2) and
-        succ.(DataFlow::SourceNode).getAMethodCall(name) = call
-      )
-      or
-      // `e = array.pop()`, `e = array.shift()`, or similar: if `array` is tainted, then so is `e`.
-      exists(string name |
-        name = "pop" or
-        name = "shift" or
-        name = "slice" or
-        name = "splice"
-      |
-        call.(DataFlow::MethodCallNode).calls(pred, name) and
-        succ = call
-      )
-      or
-      // `e = Array.from(x)`: if `x` is tainted, then so is `e`.
-      call = DataFlow::globalVarRef("Array").getAPropertyRead("from").getACall() and
+      arrayFunctionTaintStep(pred, succ, call)
+    }
+  }
+
+  /**
+   * A taint propagating data flow edge from `pred` to `succ` caused by a call `call` to a builtin array functions.
+   */
+  predicate arrayFunctionTaintStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::CallNode call) {
+    // `array.map(function (elt, i, ary) { ... })`: if `array` is tainted, then so are
+    // `elt` and `ary`; similar for `forEach`
+    exists(string name, Function f, int i |
+      (name = "map" or name = "forEach") and
+      (i = 0 or i = 2) and
+      call.getArgument(0).analyze().getAValue().(AbstractFunction).getFunction() = f and
+      call.(DataFlow::MethodCallNode).getMethodName() = name and
+      pred = call.getReceiver() and
+      succ = DataFlow::parameterNode(f.getParameter(i))
+    )
+    or
+    // `array.map` with tainted return value in callback
+    exists(DataFlow::FunctionNode f |
+      call.(DataFlow::MethodCallNode).getMethodName() = "map" and
+      call.getArgument(0) = f and // Require the argument to be a closure to avoid spurious call/return flow
+      pred = f.getAReturn() and
+      succ = call
+    )
+    or
+    // `array.push(e)`, `array.unshift(e)`: if `e` is tainted, then so is `array`.
+    exists(string name |
+      name = "push" or
+      name = "unshift"
+    |
       pred = call.getAnArgument() and
+      succ.(DataFlow::SourceNode).getAMethodCall(name) = call
+    )
+    or
+    // `array.push(...e)`, `array.unshift(...e)`: if `e` is tainted, then so is `array`.
+    exists(string name |
+      name = "push" or
+      name = "unshift"
+    |
+      pred = call.getASpreadArgument() and
+      // Make sure we handle reflective calls
+      succ = call.getReceiver().getALocalSource() and
+      call.getCalleeName() = name
+    )
+    or
+    // `array.splice(i, del, e)`: if `e` is tainted, then so is `array`.
+    exists(string name | name = "splice" |
+      pred = call.getArgument(2) and
+      succ.(DataFlow::SourceNode).getAMethodCall(name) = call
+    )
+    or
+    // `e = array.pop()`, `e = array.shift()`, or similar: if `array` is tainted, then so is `e`.
+    exists(string name |
+      name = "pop" or
+      name = "shift" or
+      name = "slice" or
+      name = "splice"
+    |
+      call.(DataFlow::MethodCallNode).calls(pred, name) and
       succ = call
-    }
+    )
+    or
+    // `e = Array.from(x)`: if `x` is tainted, then so is `e`.
+    call = DataFlow::globalVarRef("Array").getAPropertyRead("from").getACall() and
+    pred = call.getAnArgument() and
+    succ = call
+    or
+    // `e = arr1.concat(arr2, arr3)`: if any of the `arr` is tainted, then so is `e`. 
+    call.(DataFlow::MethodCallNode).calls(pred, "concat") and
+    succ = call
+    or
+    call.(DataFlow::MethodCallNode).getMethodName() = "concat" and
+    succ = call and
+    pred = call.getAnArgument()
   }
 
   /**
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandArgument.qll b/javascript/ql/src/semmle/javascript/security/dataflow/IndirectCommandArgument.qll
@@ -30,9 +30,14 @@ private DataFlow::Node commandArgument(SystemCommandExecution sys, DataFlow::Typ
   t.start() and
   result = sys.getACommandArgument()
   or
-  exists(DataFlow::TypeBackTracker t2 |
-    t = t2.smallstep(result, commandArgument(sys, t2))
-  )
+  exists(DataFlow::TypeBackTracker t2 | t = t2.smallstep(result, commandArgument(sys, t2)))
+}
+
+/**
+ * Gets a data-flow node whose value ends up being interpreted as the command argument in `sys`. 
+ */
+private DataFlow::Node commandArgument(SystemCommandExecution sys) {
+  result = commandArgument(sys, DataFlow::TypeBackTracker::end())
 }
 
 /**
@@ -43,11 +48,23 @@ private DataFlow::SourceNode argumentList(SystemCommandExecution sys, DataFlow::
   t.start() and
   result = sys.getArgumentList().getALocalSource()
   or
-  exists(DataFlow::TypeBackTracker t2 |
-    result = argumentList(sys, t2).backtrack(t2, t)
+  exists(DataFlow::TypeBackTracker t2, DataFlow::SourceNode pred | 
+    pred = argumentList(sys, t2) 
+  |
+    result = pred.backtrack(t2, t)
+    or
+    t = t2.continue() and
+    TaintTracking::arrayFunctionTaintStep(result, pred, _)
   )
 }
 
+/**
+ * Gets a data-flow node whose value ends up being interpreted as the argument list in `sys`. 
+ */
+private DataFlow::SourceNode argumentList(SystemCommandExecution sys) {
+  result = argumentList(sys, DataFlow::TypeBackTracker::end())
+}
+
 /**
  * Holds if `source` contributes to the arguments of an indirect command execution `sys`.
  *
@@ -61,15 +78,22 @@ private DataFlow::SourceNode argumentList(SystemCommandExecution sys, DataFlow::
  * let args = ["-c", cmd];
  * childProcess.spawn(sh, args, cb);
  * ```
+ * or
+ * ```
+ * let cmd = getCommand();
+ * childProcess.spawn("cmd.exe", ["/c"].concat(cmd), cb);
+ * ```
  */
 predicate isIndirectCommandArgument(DataFlow::Node source, SystemCommandExecution sys) {
-  exists(
-    DataFlow::ArrayCreationNode args, DataFlow::Node shell, string dashC
-  |
+  exists(DataFlow::ArrayCreationNode args, DataFlow::Node shell, string dashC |
     shellCmd(shell.asExpr(), dashC) and
-    shell = commandArgument(sys, DataFlow::TypeBackTracker::end()) and
-    args = argumentList(sys, DataFlow::TypeBackTracker::end()) and
+    shell = commandArgument(sys) and
     args.getAPropertyWrite().getRhs().mayHaveStringValue(dashC) and
-    source = args.getAPropertyWrite().getRhs()
+    args = argumentList(sys) and
+    (
+      source = argumentList(sys)
+      or
+      source = argumentList(sys).getAPropertyWrite().getRhs()
+    )
   )
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected b/javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
@@ -22,12 +22,23 @@ nodes
 | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" |
 | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" |
 | child_process-test.js:25:21:25:23 | cmd |
+| child_process-test.js:39:18:39:30 | [ flag, cmd ] |
+| child_process-test.js:39:18:39:30 | [ flag, cmd ] |
 | child_process-test.js:39:26:39:28 | cmd |
 | child_process-test.js:39:26:39:28 | cmd |
 | child_process-test.js:43:15:43:17 | cmd |
 | child_process-test.js:43:15:43:17 | cmd |
 | child_process-test.js:50:15:50:17 | cmd |
 | child_process-test.js:50:15:50:17 | cmd |
+| child_process-test.js:53:25:53:58 | ['/C',  ... , cmd]) |
+| child_process-test.js:53:25:53:58 | ['/C',  ... , cmd]) |
+| child_process-test.js:53:46:53:57 | ["bar", cmd] |
+| child_process-test.js:53:46:53:57 | ["bar", cmd] |
+| child_process-test.js:53:54:53:56 | cmd |
+| child_process-test.js:53:54:53:56 | cmd |
+| child_process-test.js:54:25:54:49 | ['/C',  ... at(cmd) |
+| child_process-test.js:54:25:54:49 | ['/C',  ... at(cmd) |
+| child_process-test.js:54:46:54:48 | cmd |
 | execSeries.js:3:20:3:22 | arr |
 | execSeries.js:6:14:6:16 | arr |
 | execSeries.js:6:14:6:21 | arr[i++] |
@@ -100,13 +111,24 @@ edges
 | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:43:15:43:17 | cmd |
 | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:50:15:50:17 | cmd |
 | child_process-test.js:6:9:6:49 | cmd | child_process-test.js:50:15:50:17 | cmd |
+| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:53:54:53:56 | cmd |
+| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:53:54:53:56 | cmd |
+| child_process-test.js:6:9:6:49 | cmd | child_process-test.js:54:46:54:48 | cmd |
 | child_process-test.js:6:15:6:38 | url.par ... , true) | child_process-test.js:6:15:6:44 | url.par ... ).query |
 | child_process-test.js:6:15:6:44 | url.par ... ).query | child_process-test.js:6:15:6:49 | url.par ... ry.path |
 | child_process-test.js:6:15:6:49 | url.par ... ry.path | child_process-test.js:6:9:6:49 | cmd |
 | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:38 | url.par ... , true) |
 | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:38 | url.par ... , true) |
 | child_process-test.js:25:21:25:23 | cmd | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" |
 | child_process-test.js:25:21:25:23 | cmd | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" |
+| child_process-test.js:39:26:39:28 | cmd | child_process-test.js:39:18:39:30 | [ flag, cmd ] |
+| child_process-test.js:39:26:39:28 | cmd | child_process-test.js:39:18:39:30 | [ flag, cmd ] |
+| child_process-test.js:53:46:53:57 | ["bar", cmd] | child_process-test.js:53:25:53:58 | ['/C',  ... , cmd]) |
+| child_process-test.js:53:46:53:57 | ["bar", cmd] | child_process-test.js:53:25:53:58 | ['/C',  ... , cmd]) |
+| child_process-test.js:53:54:53:56 | cmd | child_process-test.js:53:46:53:57 | ["bar", cmd] |
+| child_process-test.js:53:54:53:56 | cmd | child_process-test.js:53:46:53:57 | ["bar", cmd] |
+| child_process-test.js:54:46:54:48 | cmd | child_process-test.js:54:25:54:49 | ['/C',  ... at(cmd) |
+| child_process-test.js:54:46:54:48 | cmd | child_process-test.js:54:25:54:49 | ['/C',  ... at(cmd) |
 | execSeries.js:3:20:3:22 | arr | execSeries.js:6:14:6:16 | arr |
 | execSeries.js:6:14:6:16 | arr | execSeries.js:6:14:6:21 | arr[i++] |
 | execSeries.js:6:14:6:21 | arr[i++] | execSeries.js:14:24:14:30 | command |
@@ -165,10 +187,16 @@ edges
 | child_process-test.js:22:18:22:20 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:22:18:22:20 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
 | child_process-test.js:23:13:23:15 | cmd | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:23:13:23:15 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
 | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
+| child_process-test.js:39:5:39:31 | cp.spaw ...  cmd ]) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:39:18:39:30 | [ flag, cmd ] | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
 | child_process-test.js:39:5:39:31 | cp.spaw ...  cmd ]) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:39:26:39:28 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
 | child_process-test.js:44:5:44:34 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
 | child_process-test.js:51:5:51:39 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:50:15:50:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
-| child_process-test.js:56:3:56:21 | cp.spawn(cmd, args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
+| child_process-test.js:53:5:53:59 | cp.spaw ...  cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:53:25:53:58 | ['/C',  ... , cmd]) | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
+| child_process-test.js:53:5:53:59 | cp.spaw ...  cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:53:46:53:57 | ["bar", cmd] | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
+| child_process-test.js:53:5:53:59 | cp.spaw ...  cmd])) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:53:54:53:56 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
+| child_process-test.js:54:5:54:50 | cp.spaw ... t(cmd)) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:54:25:54:49 | ['/C',  ... at(cmd) | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
+| child_process-test.js:59:5:59:39 | cp.exec ... , args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:50:15:50:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
+| child_process-test.js:64:3:64:21 | cp.spawn(cmd, args) | child_process-test.js:6:25:6:31 | req.url | child_process-test.js:43:15:43:17 | cmd | This command depends on $@. | child_process-test.js:6:25:6:31 | req.url | a user-provided value |
 | execSeries.js:14:41:14:47 | command | execSeries.js:18:34:18:40 | req.url | execSeries.js:14:41:14:47 | command | This command depends on $@. | execSeries.js:18:34:18:40 | req.url | a user-provided value |
 | other.js:7:33:7:35 | cmd | other.js:5:25:5:31 | req.url | other.js:7:33:7:35 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
 | other.js:8:28:8:30 | cmd | other.js:5:25:5:31 | req.url | other.js:8:28:8:30 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/child_process-test.js b/javascript/ql/test/query-tests/Security/CWE-078/child_process-test.js
@@ -50,6 +50,14 @@ var server = http.createServer(function(req, res) {
     args[1] = cmd;
     cp.execFile(`/bin` + "/bash", args); // NOT OK
 
+    cp.spawn('cmd.exe', ['/C', 'foo'].concat(["bar", cmd])); // NOT OK
+    cp.spawn('cmd.exe', ['/C', 'foo'].concat(cmd)); // NOT OK
+
+	let myArgs = [];
+    myArgs.push(`-` + "c");
+    myArgs.push(cmd);
+    cp.execFile(`/bin` + "/bash", args); // NOT OK
+
 });
 
 function run(cmd, args) {
