JS: Add query for unsafe construction of code from library input#5841
Conversation
ed24fe9 to
9f2f022
Compare
|
|
||
| <overview> | ||
| <p> | ||
| Dynamically constructing code with inputs from exported functions |
| override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) { | ||
| super.hasFlowPath(source, sink) and | ||
| exists(DataFlow::MidPathNode mid | | ||
| source.getASuccessor*() = mid and | ||
| sink = mid.getASuccessor() and | ||
| mid.getPathSummary().hasReturn() = false | ||
| ) | ||
| } |
There was a problem hiding this comment.
Rebase on top of #5769 , and reuse the similar predicate from that PR
| class ExternalInputSource extends Source, DataFlow::ParameterNode { | ||
| ExternalInputSource() { | ||
| this = Exports::getALibraryInputParameter() and | ||
| not this.getName() = "code" |
There was a problem hiding this comment.
| not this.getName() = "code" | |
| // permit parameters that clearly are intended to contain executable code. | |
| not this.getName() = "code" |
There was a problem hiding this comment.
(go home diff, you are drunk :) )
|
Sorry for leaving this PR hanging for so long. Looking at the evaluation results, it looks like all of them are FPs:
I'd say templating engines should be considered a well-known counter example, and an allow-list should be used to exclude methods with names like |
I've rebased on top of that PR, and the angular results disappeared in a new evaluation.
Yes, the |
I agree with this. Could we use a whitelist to avoid intentional APIs like those and otherwise merge this twice-stalled PR as is? We can then separately address the undesirable FNs the whitelist causes. |
I took a look at the method-names in the CVEs currently flagged by this query:
Adding a allow-list based on names that are template-engine-like would remove some of those TPs. (I rebased the PR on |
ethanpalm
left a comment
There was a problem hiding this comment.
This looks good from a docs point of view. I am just making one small change to move the explanation of why the first example is a bad coding practice to the paragraph before the example rather than after the example ⚡
CVE-2017-5954: TP/FP (conditional unsafety)
CVE-2019-5413: TP/TN
CVE-2020-28502: TP/TN
CVE-2020-7712: TP/TN
CVE-2021-23406: TP/TN
CVE-2021-23337: TP
CVE-2021-32831: TP
CVE-2021-23358: TP
CVE-2020-7640: TP/TN
A test run shows a lot of results, many of which just looks to be (very) bad style.
So I've set the severity to
warning.An evaluation looks good.. (The baseline is
main+ awhere none()edition of the query).The new results look reasonable to me, even though they're basically just bad style.
(I suppose there are performance reasons for implementing it in that style).