remove property reads on process.env as a taint step, and add a barrier for masking replace calls

erik-krogh · erik-krogh · commit 4ec2070e487a · 2019-11-16T15:20:42.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLogging.qll b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLogging.qll
@@ -34,20 +34,10 @@ module CleartextLogging {
 
     override predicate isSanitizer(DataFlow::Node node) { node instanceof Barrier }
 
-    override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel lbl) {
-      // Only unknown property reads on sensitive objects propagate taint.
-      (not lbl instanceof PartiallySensitiveMap or exists(succ.(DataFlow::PropRead).getPropertyName())) and 
+    override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
       succ.(DataFlow::PropRead).getBase() = pred
     }
        
-    override predicate isAdditionalFlowStep(
-      DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
-    ) {
-      trg.(DataFlow::PropRead).getBase() = src and
-      inlbl instanceof PartiallySensitiveMap and 
-      outlbl.isData() 
-    }
-    
     override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
       // A taint propagating data flow edge through objects: a tainted write taints the entire object.
       exists(DataFlow::PropWrite write |
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -32,6 +32,22 @@ module CleartextLogging {
    * A barrier for clear-text logging of sensitive information.
    */
   abstract class Barrier extends DataFlow::Node { }
+  
+  /**
+   * A call to `.replace()` that seems to mask 
+   */
+  class MaskingReplacer extends Barrier, DataFlow::MethodCallNode {
+  	MaskingReplacer() {
+  	  this.getCalleeName() = "replace" and
+  	  exists(RegExpLiteral reg| 
+  	    reg = this.getArgument(0).getALocalSource().asExpr() and
+  	    reg.getFlags().regexpMatch("(?i).*g.*") and
+  	    reg.getRoot().getRawValue().regexpMatch(".*\\..*")
+  	  ) 
+  	  and
+  	  this.getArgument(1).asExpr() instanceof StringLiteral
+  	}
+  }
 
   /**
    * An argument to a logging mechanism.
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected b/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
@@ -105,27 +105,16 @@ nodes
 | passwords.js:137:17:137:24 | config.y |
 | passwords.js:137:17:137:24 | config.y |
 | passwords.js:142:26:142:34 | arguments |
-<<<<<<< HEAD
-| passwords.js:147:12:147:19 | password |
-| passwords.js:149:21:149:28 | config.x |
-| passwords.js:150:21:150:31 | process.env |
-=======
 | passwords.js:142:26:142:34 | arguments |
 | passwords.js:147:12:147:19 | password |
 | passwords.js:147:12:147:19 | password |
 | passwords.js:149:21:149:28 | config.x |
 | passwords.js:150:21:150:31 | process.env |
 | passwords.js:150:21:150:31 | process.env |
->>>>>>> remove type cast, and fix expected test results
 | passwords.js:152:9:152:63 | procdesc |
 | passwords.js:152:20:152:44 | Util.in ... ss.env) |
 | passwords.js:152:20:152:63 | Util.in ... /g, '') |
 | passwords.js:152:33:152:43 | process.env |
-<<<<<<< HEAD
-| passwords.js:154:21:154:28 | procdesc |
-| passwords.js:156:17:156:27 | process.env |
-| passwords.js:158:17:158:27 | process.env |
-=======
 | passwords.js:152:33:152:43 | process.env |
 | passwords.js:154:21:154:28 | procdesc |
 | passwords.js:156:17:156:27 | process.env |
@@ -134,7 +123,6 @@ nodes
 | passwords.js:158:17:158:27 | process.env |
 | passwords.js:158:17:158:27 | process.env |
 | passwords.js:158:17:158:42 | process ...  "bar"] |
->>>>>>> remove type cast, and fix expected test results
 | passwords.js:158:17:158:42 | process ...  "bar"] |
 | passwords_in_browser1.js:2:13:2:20 | password |
 | passwords_in_browser1.js:2:13:2:20 | password |
@@ -272,10 +260,6 @@ edges
 | passwords.js:154:21:154:28 | procdesc | passwords.js:142:26:142:34 | arguments |
 | passwords.js:154:21:154:28 | procdesc | passwords.js:142:26:142:34 | arguments |
 | passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env |
-| passwords.js:158:17:158:27 | process.env | passwords.js:158:17:158:42 | process ...  "bar"] |
-| passwords.js:158:17:158:27 | process.env | passwords.js:158:17:158:42 | process ...  "bar"] |
-| passwords.js:158:17:158:27 | process.env | passwords.js:158:17:158:42 | process ...  "bar"] |
-| passwords.js:158:17:158:27 | process.env | passwords.js:158:17:158:42 | process ...  "bar"] |
 | passwords_in_browser1.js:2:13:2:20 | password | passwords_in_browser1.js:2:13:2:20 | password |
 | passwords_in_browser2.js:2:13:2:20 | password | passwords_in_browser2.js:2:13:2:20 | password |
 | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password |
@@ -317,7 +301,6 @@ edges
 | passwords.js:142:26:142:34 | arguments | passwords.js:150:21:150:31 | process.env | passwords.js:142:26:142:34 | arguments | Sensitive data returned by $@ is logged here. | passwords.js:150:21:150:31 | process.env | process environment |
 | passwords.js:142:26:142:34 | arguments | passwords.js:152:33:152:43 | process.env | passwords.js:142:26:142:34 | arguments | Sensitive data returned by $@ is logged here. | passwords.js:152:33:152:43 | process.env | process environment |
 | passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env | Sensitive data returned by $@ is logged here. | passwords.js:156:17:156:27 | process.env | process environment |
-| passwords.js:158:17:158:42 | process ...  "bar"] | passwords.js:158:17:158:27 | process.env | passwords.js:158:17:158:42 | process ...  "bar"] | Sensitive data returned by $@ is logged here. | passwords.js:158:17:158:27 | process.env | process environment |
 | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_1.js:6:13:6:20 | password | an access to password |
 | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_2.js:3:13:3:20 | password | an access to password |
 | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_3.js:2:13:2:20 | password | an access to password |
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/passwords.js b/javascript/ql/test/query-tests/Security/CWE-312/passwords.js
@@ -155,5 +155,5 @@ var Util = require('util');
 
     console.log(process.env); // NOT OK
     console.log(process.env.PATH); // OK.
-    console.log(process.env["foo" + "bar"]); // NOT OK.
+    console.log(process.env["foo" + "bar"]); // OK.
 });
