github
diff --git a/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.qhelp
Lines changed: 57 additions & 0 deletions b/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.qhelp
Lines changed: 57 additions & 0 deletions
diff --git a/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
Lines changed: 21 additions & 0 deletions b/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
Lines changed: 21 additions & 0 deletions
diff --git a/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.qhelp
Lines changed: 44 additions & 0 deletions b/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.qhelp
Lines changed: 44 additions & 0 deletions
diff --git a/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.ql
Lines changed: 33 additions & 0 deletions b/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.ql
Lines changed: 33 additions & 0 deletions
diff --git a/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-079/Xss.qhelp
Lines changed: 57 additions & 0 deletions b/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-079/Xss.qhelp
Lines changed: 57 additions & 0 deletions
diff --git a/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-079/Xss.ql
Lines changed: 24 additions & 0 deletions b/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-079/Xss.ql
Lines changed: 24 additions & 0 deletions
diff --git a/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.qhelp
Lines changed: 62 additions & 0 deletions b/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.qhelp
Lines changed: 62 additions & 0 deletions
diff --git a/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql
Lines changed: 30 additions & 0 deletions b/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql
Lines changed: 30 additions & 0 deletions
diff --git a/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-094/CodeInjection.qhelp
Lines changed: 63 additions & 0 deletions b/‎javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-094/CodeInjection.qhelp
Lines changed: 63 additions & 0 deletions
@@ -0,0 +1,57 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Using unsanitized untrusted data in an external API can cause a variety of security issues. This query reports 
+external APIs that use untrusted data. The results are not filtered so that you can audit all examples. The query provides data for security reviews of the application and you can also use it to identify external APIs that should be modeled as either taint steps, or sinks for specific problems.</p>
+
+<p>An external API is defined as a method call to a method that is not defined in the source code, not overridden 
+in the source code, and is not modeled as a taint step in the default taint library. External APIs may be from the
+third-party dependencies or from internal dependencies. The query reports uses of 
+untrusted data one of the arguments of external API call or in the return value from a callback passed to an external API.</p>
+
+</overview>
+<recommendation>
+
+<p>For each result:</p>
+
+<ul>
+  <li>If the result highlights a known sink, confirm that the result is reported by the relevant query, or 
+  that the result is a false positive because this data is sanitized.</li>
+  <li>If the result highlights an unknown sink for a problem, then add modeling for the sink to the relevant query, 
+  and confirm that the result is either found, or is safe due to appropriate sanitization.</li>
+  <li>If the result represents a call to an external API that transfers taint, add the appropriate modeling, and 
+  re-run the query to determine what new results have appeared due to this additional modeling.</li>
+</ul>
+
+<p>Otherwise, the result is likely uninteresting. Custom versions of this query can extend the <code>SafeExternalAPIMethod</code> 
+class to exclude known safe external APIs from future analysis.</p>
+
+</recommendation>
+<example>
+
+<p>In this first example, a query parameter is read from the <code>req</code> parameter and then ultimately used in a call to the 
+<code>res.send</code> external API:</p>
+
+<sample src="ExternalAPISinkExample.js" />
+
+<p>This is a reflected XSS sink. The XSS query should therefore be reviewed to confirm that this sink is appropriately modeled, 
+and if it is, to confirm that the query reports this particular result, or that the result is a false positive due to 
+some existing sanitization.</p>
+
+<p>In this second example, again a query parameter is read from <code>req</code>.</p>
+
+<sample src="ExternalAPITaintStepExample.js" />
+
+<p>If the query reported the call to <code>path.join</code> on line 4, this would suggest that this external API is 
+not currently modeled as a taint step in the taint tracking library. The next step would be to model this as a taint step, then
+re-run the query to determine what additional results might be found. In this example, it seems the result of the
+<code>path.join</code> will be used as a file path, leading to a path traversal vulnerability.</p>
+
+<p>Note that both examples are correctly handled by the standard taint tracking library and security queries.</p>
+</example>
+<references>
+
+</references>
+</qhelp>
@@ -0,0 +1,21 @@
+/**
+ * @name Untrusted data passed to external API
+ * @description Data provided remotely is used in this external API without sanitization, which could be a security risk.
+ * @id js/untrusted-data-to-external-api
+ * @kind path-problem
+ * @precision low
+ * @problem.severity error
+ * @security-severity 7.8
+ * @tags security external/cwe/cwe-20
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.ExternalAPIUsedWithUntrustedDataQuery
+import DataFlow::PathGraph
+import semmle.javascript.heuristics.AdditionalSources
+
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink, source, sink,
+  "Call to " + sink.getNode().(Sink).getApiName() + " with untrusted data from $@.", source,
+  source.toString()
@@ -0,0 +1,44 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Code that passes user input directly to
+<code>require('child_process').exec</code>, or some other library
+routine that executes a command, allows the user to execute malicious
+code.</p>
+
+</overview>
+<recommendation>
+
+<p>If possible, use hard-coded string literals to specify the command to run
+or library to load. Instead of passing the user input directly to the
+process or library function, examine the user input and then choose
+among hard-coded string literals.</p>
+
+<p>If the applicable libraries or commands cannot be determined at
+compile time, then add code to verify that the user input string is
+safe before using it.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows code that takes a shell script that can be changed
+maliciously by a user, and passes it straight to <code>child_process.exec</code>
+without examining it first.</p>
+
+<sample src="examples/command-injection.js" />
+
+</example>
+<references>
+
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
+</li>
+
+<!--  LocalWords:  CWE untrusted unsanitized Runtime
+ -->
+
+</references>
+</qhelp>
@@ -0,0 +1,33 @@
+/**
+ * @name Uncontrolled command line
+ * @description Using externally controlled strings in a command line may allow a malicious
+ *              user to change the meaning of the command.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.8
+ * @precision high
+ * @id js/command-line-injection
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-078
+ *       external/cwe/cwe-088
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.CommandInjectionQuery
+import DataFlow::PathGraph
+import semmle.javascript.heuristics.AdditionalSources
+
+from
+  Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node highlight,
+  Source sourceNode
+where
+  cfg.hasFlowPath(source, sink) and
+  (
+    if cfg.isSinkWithHighlight(sink.getNode(), _)
+    then cfg.isSinkWithHighlight(sink.getNode(), highlight)
+    else highlight = sink.getNode()
+  ) and
+  sourceNode = source.getNode()
+select highlight, source, sink, "This command line depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -0,0 +1,57 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Directly writing user input (for example, a URL query parameter) to a webpage
+without properly sanitizing the input first, allows for a cross-site scripting vulnerability.
+</p>
+<p>
+This kind of vulnerability is also called <i>DOM-based</i> cross-site scripting, to distinguish
+it from other types of cross-site scripting.
+</p>
+</overview>
+
+<recommendation>
+<p>
+To guard against cross-site scripting, consider using contextual output encoding/escaping before
+writing user input to the page, or one of the other solutions that are mentioned in the
+references.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows part of the page URL being written directly to the document,
+leaving the website vulnerable to cross-site scripting.
+</p>
+<sample src="examples/Xss.js" />
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html">DOM based
+XSS Prevention Cheat Sheet</a>.
+</li>
+<li>
+OWASP:
+<a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html">XSS
+(Cross Site Scripting) Prevention Cheat Sheet</a>.
+</li>
+<li>
+OWASP
+<a href="https://www.owasp.org/index.php/DOM_Based_XSS">DOM Based XSS</a>.
+</li>
+<li>
+OWASP
+<a href="https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting">Types of Cross-Site
+Scripting</a>.
+</li>
+<li>
+Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
+</li>
+</references>
+</qhelp>
@@ -0,0 +1,24 @@
+/**
+ * @name Client-side cross-site scripting
+ * @description Writing user input directly to the DOM allows for
+ *              a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 6.1
+ * @precision high
+ * @id js/xss
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.DomBasedXssQuery
+import DataFlow::PathGraph
+import semmle.javascript.heuristics.AdditionalSources
+
+from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  sink.getNode().(Sink).getVulnerabilityKind() + " vulnerability due to $@.", source.getNode(),
+  "user-provided value"
@@ -0,0 +1,62 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+If a database query (such as a SQL or NoSQL query) is built from
+user-provided data without sufficient sanitization, a malicious user
+may be able to run malicious database queries.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Most database connector libraries offer a way of safely
+embedding untrusted data into a query by means of query parameters
+or prepared statements.
+</p>
+<p>
+to ensure that untrusted data is interpreted as a literal value and not as
+a query object.
+</p>
+</recommendation>
+
+<example>
+<p>
+In the following example, assume the function <code>handler</code> is
+an HTTP request handler in a web application, whose parameter
+<code>req</code> contains the request object.
+</p>
+
+<p>
+The handler constructs two copies of the same SQL query involving
+user input taken from the request object, once unsafely using
+string concatenation, and once safely using query parameters.
+</p>
+
+<p>
+In the first case, the query string <code>query1</code> is built by
+directly concatenating a user-supplied request parameter with some
+string literals. The parameter may include quote characters, so this
+code is vulnerable to a SQL injection attack.
+</p>
+
+<p>
+In the second case, the parameter is embedded into the query string
+<code>query2</code> using query parameters. In this example, we use
+the API offered by the <code>pg</code> Postgres database connector
+library, but other libraries offer similar features. This version is
+immune to injection attacks.
+</p>
+
+<sample src="examples/SqlInjection.js" />
+</example>
+
+<references>
+<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/SQL_injection">SQL injection</a>.</li>
+<li>MongoDB: <a href="https://docs.mongodb.com/manual/reference/operator/query/eq">$eq operator</a>.</li>
+</references>
+</qhelp>
@@ -0,0 +1,30 @@
+/**
+ * @name Database query built from user-controlled sources
+ * @description Building a database query from user-controlled sources is vulnerable to insertion of
+ *              malicious code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.8
+ * @precision high
+ * @id js/sql-injection
+ * @tags security
+ *       external/cwe/cwe-089
+ *       external/cwe/cwe-090
+ *       external/cwe/cwe-943
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.SqlInjectionQuery as SqlInjection
+import semmle.javascript.security.dataflow.NosqlInjectionQuery as NosqlInjection
+import DataFlow::PathGraph
+import semmle.javascript.heuristics.AdditionalSources
+
+from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where
+  (
+    cfg instanceof SqlInjection::Configuration or
+    cfg instanceof NosqlInjection::Configuration
+  ) and
+  cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
+  "user-provided value"
@@ -0,0 +1,63 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Directly evaluating user input (for example, an HTTP request parameter) as code without properly
+sanitizing the input first allows an attacker arbitrary code execution. This can occur when user
+input is treated as JavaScript, or passed to a framework which interprets it as an expression to be
+evaluated. Examples include AngularJS expressions or JQuery selectors.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Avoid including user input in any expression which may be dynamically evaluated. If user input must
+be included, use context-specific escaping before
+including it. It is important that the correct escaping is used for the type of evaluation that will
+occur.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows part of the page URL being evaluated as JavaScript code. This allows an
+attacker to provide JavaScript within the URL. If an attacker can persuade a user to click on a link
+to such a URL, the attacker can evaluate arbitrary JavaScript in the browser of the user to,
+for example, steal cookies containing session information.
+</p>
+
+<sample src="examples/CodeInjection.js" />
+
+<p>
+The following example shows a Pug template being constructed from user input, allowing attackers to run
+arbitrary code via a payload such as <code>#{global.process.exit(1)}</code>.
+</p>
+
+<sample src="examples/ServerSideTemplateInjection.js" />
+
+<p>
+Below is an example of how to use a template engine without any risk of template injection.
+The user input is included via an interpolation expression <code>#{username}</code> whose value is provided
+as an option to the template, instead of being part of the template string itself:
+</p>
+
+<sample src="examples/ServerSideTemplateInjectionSafe.js" />
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Code_Injection">Code Injection</a>.
+</li>
+<li>
+Wikipedia: <a href="https://en.wikipedia.org/wiki/Code_injection">Code Injection</a>.
+</li>
+<li>
+PortSwigger Research Blog:
+<a href="https://portswigger.net/research/server-side-template-injection">Server-Side Template Injection</a>.
+</li>
+</references>
+</qhelp>