add sanitizer step for .length in js/resource-exhaustion

erik-krogh · erik-krogh · commit 8e47a9b2421a · 2022-04-13T09:30:09.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll
@@ -37,6 +37,10 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof LoopBoundInjection::LengthCheckSanitizerGuard or
     guard instanceof UpperBoundsCheckSanitizerGuard
   }
+
+  override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
+    succ.(DataFlow::PropRead).accesses(pred, "length")
+  }
 }
 
 predicate isRestrictedAdditionalTaintStep(DataFlow::Node src, DataFlow::Node dst) {
@@ -50,7 +54,7 @@ predicate isRestrictedAdditionalTaintStep(DataFlow::Node src, DataFlow::Node dst
  */
 predicate isNumericFlowStep(DataFlow::Node src, DataFlow::Node dst) {
   // steps that introduce or preserve a number
-  dst.(DataFlow::PropRead).accesses(src, ["length", "size"])
+  dst.(DataFlow::PropRead).accesses(src, ["size"])
   or
   exists(DataFlow::CallNode c |
     c = dst and
diff --git a/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/resource-exhaustion.js b/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/resource-exhaustion.js
@@ -82,4 +82,6 @@ var server = http.createServer(function(req, res) {
   setTimeout(f, s); // NOT OK
   setInterval(f, n); // NOT OK
   setInterval(f, s); // NOT OK
+
+  Buffer.alloc(n.length); // OK - only allocing as much as the length of the input.
 });
