-
Notifications
You must be signed in to change notification settings - Fork 1.9k
JS: add typeof sanitizer to js/shell-command-constructed-from-input #4862
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
esbena
left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The idea seems fine, I have a few suggestions.
.../ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll
Outdated
Show resolved
Hide resolved
| * A check of the form `type x === "X"`, where x is "number", or "boolean", | ||
| * which sanitized `x` in its "then" branch. | ||
| */ | ||
| class TypeOfSanitizer extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(It could be useful to have this as a public class in TaintTracking.qll, perhaps configurable. UnsafeJQueryPluginCustomizations could also use it in its treatment of typeof guards.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Turns out we have a lot of places with a typeof guard.
I made a TaintTracking::isTypeofGuard predicate, and used that throughout our project.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
great initiative. Lets wait proper performance evaluation of that change then.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
| exists(StringLiteral str, TypeofExpr typeof | astNode.hasOperands(str, typeof) | | ||
| str.getValue() = ["number", "boolean"] and // "undefined" is already handled in TaintTracking.qll | ||
| typeof.getOperand() = x |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A slightly more general and robust formulation is found here:
codeql/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll
Lines 137 to 140 in 0c78fb2
| exists(Expr op1, Expr op2 | test.hasOperands(op1, op2) | | |
| read.asExpr() = op1.(TypeofExpr).getOperand() and | |
| op2.mayHaveStringValue(any(InferredType t | t = TTUndefined()).getTypeofTag()) | |
| ) |
…ellCommandConstructionCustomizations.qll Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
| str.getValue() = ["number", "boolean"] and // "undefined" is already handled in TaintTracking.qll | ||
| exists(Expr str, TypeofExpr typeof | astNode.hasOperands(str, typeof) | | ||
| str.mayHaveStringValue(any(InferredType t | | ||
| t = TTUndefined() or t = TTNumber() or t = TTBoolean() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TTUndefined causes this to be out of sync with the qldoc above - I will let you decide on the solution.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I removed it from the list.
TaintTracking::TypeOfUndefinedSanitizer takes care of that case.
009afa7 to
530a4ae
Compare
|
Minor: the many string constants that f7f8868 motivates seem a bit dangerous, the stringiness of |
I want to keep the string constants. |
|
Looks fine https://git.semmle.com/erik/dist-compare-reports/tree/eriks-profile-machine_1608843110557 |
Fixes an FP that was found while looking into CVE-2020-7781.