-
Notifications
You must be signed in to change notification settings - Fork 1.9k
-
I faced an issue when creating a path query for the following JavaScript code:
const { execSync } = require('child_process'); test() { execSync(arguments[0]); }
Here is the query I wrote to detect the test -> execSync path:
import semmle.javascript.dataflow.TaintTracking import javascript class Config extends TaintTracking::Configuration { Config() { this = "config" } override predicate isSource(DataFlow::Node source) { exists(Function f | f.getName() = "test" and f.getAParameter() = source.asExpr() ) } override predicate isSink(DataFlow::Node sink) { DataFlow::moduleMember("child_process", "execSync").getACall().getArgument(0) = sink } } import DataFlow::PathGraph from Config dataflow, DataFlow::PathNode source, DataFlow::PathNode sink where dataflow.hasFlowPath(source, sink) select sink, source, sink, "This command depends on $@.", source.getNode(), ""
This query doesn’t return any paths because the test method takes no input, hence the isSource predicate fails because it relies on method parameters, which are absent in this case. Omitting the f.getAParameter() = source.asExpr() and replacing it with source.asExpr().getEnclosingFunction() = f clause would help, as it causes all calls in the source method to be marked as sources, which is overly broad. For example if the test method was changed to:
test() { execSync(arguments[0]); execSync("echo test"); }
it would also highlight the second call, which uncontrollable/ untainted data.
My questions:
What is the recommended approach to model accesses to arguments, this or super as tainted (similar to https://codeql.github.com/codeql-standard-libraries/java/semmle/code/java/dataflow/FlowSteps.qll/type.FlowSteps$TaintInheritingContent.html)?
What’s the best way to write a source predicate for methods with no parameters?
Many thanks in advance.
Beta Was this translation helpful? Give feedback.
All reactions
Replies: 3 comments
-
Hi @dvec01,
Thanks for your question. It's not completely clear to me what you want your source to be. arguments is accessible through the getArgumentsVariable predicate of the Function class. I'm not sure if that helps?
Beta Was this translation helpful? Give feedback.
All reactions
-
Hi @jketema ,
here is an example that hopefully makes my problem more clear:
const child_process = require('child_process'); class Test { constructor(userInput) { this.userInput = userInput; } source() { this.sink(); } sink() { child_process.execSync(`${this.userInput}`, { stdio: 'inherit' }); } } new Test("/usr/bin/id").source();
In the above example the source is this.userInput, but I need the query to consider the paths that start at the source method (even if there are no dataflow/ taint steps), that is the sink should be reachable from this method. Is there a way to achieve this using the TaintTracking module?
Beta Was this translation helpful? Give feedback.
All reactions
-
What is the recommended approach to model accesses to arguments, this or super as tainted
Access toarguments:
DataFlow::FunctionNode testFunc() { result.getName() = "test" } predicate isSource(DataFlow::Node node) { // using 'arguments' as source node = testFunc().getFunction().getArgumentsVariable().getAnAccess().flow() or // using 'this' as source node = testFunc().getReceiver() }
What’s the best way to write a source predicate for methods with no parameters?
Using arguments or this methods above, depending on what contains the tainted data.
Note that there is currently no way to specify a source that is inside of a content, but if you treat this as a source it should consider all of its properties as tainted.
Beta Was this translation helpful? Give feedback.