move new secret key sinks to existing CredentialsNode class,

am0o0 · am0o0 · commit e1d42fad2cb3 · 2023-11-02T16:09:01.000+01:00
add new additional global taint and dataflow steps
update tests of CWE-798
add a new sanitizer for `semmle.javascript.security.dataflow.HardcodedCredentialsQuery`
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/JWT.qll b/javascript/ql/lib/semmle/javascript/frameworks/JWT.qll
@@ -40,11 +40,163 @@ private module JsonWebToken {
   }
 
   /**
-   * The private key for a JWT as a `CredentialsNode`.
+   * The secret Or PublicKey for a JWT as a `CredentialsNode`.
    */
   private class JwtKey extends CredentialsNode {
-    JwtKey() { this = DataFlow::moduleMember("jsonwebtoken", "sign").getACall().getArgument(1) }
+    JwtKey() {
+      this =
+        API::moduleImport("jsonwebtoken").getMember(["sign", "verify"]).getParameter(1).asSink()
+    }
+
+    override string getCredentialsKind() { result = "key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `jose` library.
+ */
+private module Jose {
+  /**
+   * A taint-step for `succ = await jose.importSPKI(pred, 'RS256')`.
+   */
+  private class ImportSpkiStep extends TaintTracking::SharedTaintStep, DataFlow::SharedFlowStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(API::Node n | n = API::moduleImport("jose").getMember("importSPKI") |
+        pred = n.getACall().getArgument(0) and
+        succ = n.getReturn().getPromised().asSource()
+      )
+    }
+  }
+
+  /**
+   * A taint-step for `succ = jose.base64url.encode(pred)` or `succ = jose.base64url.decode(pred)`.
+   */
+  private class Base64urlStep extends TaintTracking::SharedTaintStep, DataFlow::SharedFlowStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(API::Node n |
+        n = API::moduleImport("jose").getMember("base64url").getMember(["decode", "encode"])
+      |
+        pred = n.getACall().getArgument(0) and
+        succ = n.getACall()
+      )
+    }
+  }
+
+  /**
+   * The asymmetric key or symmetric secret for a JWT as a `CredentialsNode`.
+   */
+  private class JwtKey extends CredentialsNode {
+    JwtKey() { this = API::moduleImport("jose").getMember("jwtVerify").getParameter(1).asSink() }
+
+    override string getCredentialsKind() { result = "key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `jwt-simple` library.
+ */
+private module JwtSimple {
+  /**
+   * The asymmetric key or symmetric secret for a JWT as a `CredentialsNode`.
+   */
+  private class JwtKey extends CredentialsNode {
+    JwtKey() { this = API::moduleImport("jwt-simple").getMember("decode").getParameter(1).asSink() }
+
+    override string getCredentialsKind() { result = "key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `koa-jwt` library.
+ */
+private module KoaJwt {
+  /**
+   * The shared secret for a JWT as a `CredentialsNode`.
+   */
+  private class SharedSecret extends CredentialsNode {
+    SharedSecret() {
+      this = API::moduleImport("koa-jwt").getParameter(0).getMember("secret").asSink()
+    }
+
+    override string getCredentialsKind() { result = "key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `express-jwt` library.
+ */
+private module ExpressJwt {
+  /**
+   * The shared secret for a JWT as a `CredentialsNode`.
+   */
+  private class SharedSecret extends CredentialsNode {
+    SharedSecret() {
+      this =
+        API::moduleImport("express-jwt")
+            .getMember("expressjwt")
+            .getParameter(0)
+            .getMember("secret")
+            .asSink()
+    }
+
+    override string getCredentialsKind() { result = "key" }
+  }
+}
+
+/**
+ * Provides classes and predicates modeling the `passport-jwt` library.
+ */
+private module PassportJwt {
+  /**
+   * The secret (symmetric) or PEM-encoded public key (asymmetric) for a JWT as a `CredentialsNode`.
+   */
+  private class JwtKey extends CredentialsNode {
+    JwtKey() {
+      this =
+        API::moduleImport("passport-jwt")
+            .getMember("Strategy")
+            .getParameter(0)
+            .getMember("secretOrKey")
+            .asSink()
+      or
+      this =
+        API::moduleImport("passport-jwt")
+            .getMember("Strategy")
+            .getParameter(0)
+            .getMember("secretOrKeyProvider")
+            .getParameter(2)
+            .getParameter(1)
+            .asSink()
+    }
 
     override string getCredentialsKind() { result = "key" }
   }
 }
+
+/**
+ * A taint-step for `succ = new TextEncoder().encode(pred)`.
+ */
+private class TextEncoderStep extends TaintTracking::SharedTaintStep, DataFlow::SharedFlowStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::CallNode n, DataFlow::NewNode nn |
+      n.getCalleeName() = "encode" and
+      nn.flowsTo(n.getReceiver()) and
+      nn.getCalleeName() = "TextEncoder"
+    |
+      pred = n.getArgument(0) and
+      succ = n
+    )
+  }
+}
+
+/**
+ * A taint-step for `succ = Buffer.from(pred, "base64")`.
+ */
+private class BufferFromStep extends TaintTracking::SharedTaintStep, DataFlow::SharedFlowStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::CallNode n | n = DataFlow::globalVarRef("Buffer").getAMemberCall("from") |
+      pred = n.getArgument(0) and
+      succ = [n, n.getAChainedMethodCall(["toString", "toJSON"])]
+    )
+  }
+}
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll
@@ -255,4 +255,20 @@ module NextJS {
           .getMember("router")
           .asSource()
   }
+
+  /**
+   * Provides classes and predicates modeling the `next-auth` library.
+   */
+  private module NextAuth {
+    /**
+     * A random string used to hash tokens, sign cookies and generate cryptographic keys as a `CredentialsNode`.
+     */
+    private class SecretKey extends CredentialsNode {
+      SecretKey() {
+        this = API::moduleImport("next-auth").getParameter(0).getMember("secret").asSink()
+      }
+
+      override string getCredentialsKind() { result = "key" }
+    }
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll
@@ -32,6 +32,16 @@ module HardcodedCredentials {
     ConstantStringSource() { not astNode.getStringValue() = "" }
   }
 
+  class NonProductionFiles extends Sanitizer {
+    NonProductionFiles() {
+      this.getFile()
+          .getLocation()
+          .hasLocationInfo(any(string s |
+              s.regexpMatch(["/.*test[.].*", "/.*demo[.].*", "/.*example[.].*", "/.*sample[.].*"])
+            ), _, _, _, _)
+    }
+  }
+
   /**
    * A subclass of `Sink` that includes every `CredentialsNode`
    * as a credentials sink.
diff --git a/javascript/ql/test/query-tests/Security/CWE-347-HardCodedKey/jwtConstantKey.expected b/javascript/ql/test/query-tests/Security/CWE-347-HardCodedKey/jwtConstantKey.expected
@@ -1,109 +1,3 @@
 nodes
-| Config.js:2:12:2:19 | "secret" |
-| Config.js:2:12:2:19 | "secret" |
-| ExpressJWT.js:5:36:5:46 | getSecret() |
-| ExpressJWT.js:5:36:5:46 | getSecret() |
-| ExpressJWT.js:12:13:12:46 | Buffer. ... ase64") |
-| ExpressJWT.js:12:13:12:46 | Buffer. ... ase64") |
-| ExpressJWT.js:12:25:12:35 | getSecret() |
-| jwtConstantKey.js:5:46:5:56 | getSecret() |
-| jwtConstantKey.js:5:46:5:56 | getSecret() |
-| jwtConstantKey.js:6:43:6:53 | getSecret() |
-| jwtConstantKey.js:6:43:6:53 | getSecret() |
-| jwtConstantKey.js:12:68:12:104 | new Tex ... cret()) |
-| jwtConstantKey.js:12:68:12:104 | new Tex ... cret()) |
-| jwtConstantKey.js:12:93:12:103 | getSecret() |
-| jwtConstantKey.js:21:7:29:25 | spki |
-| jwtConstantKey.js:21:14:29:25 | `-----B ... Y-----` |
-| jwtConstantKey.js:21:14:29:25 | `-----B ... Y-----` |
-| jwtConstantKey.js:34:9:34:52 | publicKey |
-| jwtConstantKey.js:34:21:34:52 | await j ... i, alg) |
-| jwtConstantKey.js:34:43:34:46 | spki |
-| jwtConstantKey.js:35:65:35:73 | publicKey |
-| jwtConstantKey.js:35:65:35:73 | publicKey |
-| jwtConstantKey.js:51:42:51:52 | getSecret() |
-| jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
-| jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
-| jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
-| jwtConstantKey.js:51:56:51:59 | "fj" |
-| jwtConstantKey.js:51:56:51:59 | "fj" |
-| jwtNoVerification.js:5:46:5:56 | getSecret() |
-| jwtNoVerification.js:5:46:5:56 | getSecret() |
-| jwtNoVerification.js:19:26:19:36 | getSecret() |
-| jwtNoVerification.js:19:26:19:36 | getSecret() |
-| koaJWT.js:29:22:29:32 | getSecret() |
-| koaJWT.js:29:22:29:32 | getSecret() |
-| netxAuth.js:10:13:10:23 | getSecret() |
-| netxAuth.js:10:13:10:23 | getSecret() |
-| passportJWT.js:6:20:6:30 | getSecret() |
-| passportJWT.js:6:20:6:30 | getSecret() |
 edges
-| Config.js:2:12:2:19 | "secret" | ExpressJWT.js:5:36:5:46 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | ExpressJWT.js:5:36:5:46 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | ExpressJWT.js:5:36:5:46 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | ExpressJWT.js:5:36:5:46 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | ExpressJWT.js:12:25:12:35 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | ExpressJWT.js:12:25:12:35 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:5:46:5:56 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:5:46:5:56 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:5:46:5:56 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:5:46:5:56 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:6:43:6:53 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:6:43:6:53 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:6:43:6:53 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:6:43:6:53 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:12:93:12:103 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:12:93:12:103 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:51:42:51:52 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:51:42:51:52 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:5:46:5:56 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:5:46:5:56 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:5:46:5:56 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:5:46:5:56 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:19:26:19:36 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:19:26:19:36 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:19:26:19:36 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:19:26:19:36 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | koaJWT.js:29:22:29:32 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | koaJWT.js:29:22:29:32 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | koaJWT.js:29:22:29:32 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | koaJWT.js:29:22:29:32 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | netxAuth.js:10:13:10:23 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | netxAuth.js:10:13:10:23 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | netxAuth.js:10:13:10:23 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | netxAuth.js:10:13:10:23 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | passportJWT.js:6:20:6:30 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | passportJWT.js:6:20:6:30 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | passportJWT.js:6:20:6:30 | getSecret() |
-| Config.js:2:12:2:19 | "secret" | passportJWT.js:6:20:6:30 | getSecret() |
-| ExpressJWT.js:12:25:12:35 | getSecret() | ExpressJWT.js:12:13:12:46 | Buffer. ... ase64") |
-| ExpressJWT.js:12:25:12:35 | getSecret() | ExpressJWT.js:12:13:12:46 | Buffer. ... ase64") |
-| jwtConstantKey.js:12:93:12:103 | getSecret() | jwtConstantKey.js:12:68:12:104 | new Tex ... cret()) |
-| jwtConstantKey.js:12:93:12:103 | getSecret() | jwtConstantKey.js:12:68:12:104 | new Tex ... cret()) |
-| jwtConstantKey.js:21:7:29:25 | spki | jwtConstantKey.js:34:43:34:46 | spki |
-| jwtConstantKey.js:21:14:29:25 | `-----B ... Y-----` | jwtConstantKey.js:21:7:29:25 | spki |
-| jwtConstantKey.js:21:14:29:25 | `-----B ... Y-----` | jwtConstantKey.js:21:7:29:25 | spki |
-| jwtConstantKey.js:34:9:34:52 | publicKey | jwtConstantKey.js:35:65:35:73 | publicKey |
-| jwtConstantKey.js:34:9:34:52 | publicKey | jwtConstantKey.js:35:65:35:73 | publicKey |
-| jwtConstantKey.js:34:21:34:52 | await j ... i, alg) | jwtConstantKey.js:34:9:34:52 | publicKey |
-| jwtConstantKey.js:34:43:34:46 | spki | jwtConstantKey.js:34:21:34:52 | await j ... i, alg) |
-| jwtConstantKey.js:51:42:51:52 | getSecret() | jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
-| jwtConstantKey.js:51:42:51:52 | getSecret() | jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
-| jwtConstantKey.js:51:56:51:59 | "fj" | jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
-| jwtConstantKey.js:51:56:51:59 | "fj" | jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
-| jwtConstantKey.js:51:56:51:59 | "fj" | jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
-| jwtConstantKey.js:51:56:51:59 | "fj" | jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" |
 #select
-| ExpressJWT.js:5:36:5:46 | getSecret() | Config.js:2:12:2:19 | "secret" | ExpressJWT.js:5:36:5:46 | getSecret() | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| ExpressJWT.js:12:13:12:46 | Buffer. ... ase64") | Config.js:2:12:2:19 | "secret" | ExpressJWT.js:12:13:12:46 | Buffer. ... ase64") | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| jwtConstantKey.js:5:46:5:56 | getSecret() | Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:5:46:5:56 | getSecret() | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| jwtConstantKey.js:6:43:6:53 | getSecret() | Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:6:43:6:53 | getSecret() | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| jwtConstantKey.js:12:68:12:104 | new Tex ... cret()) | Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:12:68:12:104 | new Tex ... cret()) | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| jwtConstantKey.js:35:65:35:73 | publicKey | jwtConstantKey.js:21:14:29:25 | `-----B ... Y-----` | jwtConstantKey.js:35:65:35:73 | publicKey | this $@. is used as a secret key | jwtConstantKey.js:21:14:29:25 | `-----B ... Y-----` | Constant |
-| jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" | Config.js:2:12:2:19 | "secret" | jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" | jwtConstantKey.js:51:56:51:59 | "fj" | jwtConstantKey.js:51:42:51:59 | getSecret() + "fj" | this $@. is used as a secret key | jwtConstantKey.js:51:56:51:59 | "fj" | Constant |
-| jwtNoVerification.js:5:46:5:56 | getSecret() | Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:5:46:5:56 | getSecret() | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| jwtNoVerification.js:19:26:19:36 | getSecret() | Config.js:2:12:2:19 | "secret" | jwtNoVerification.js:19:26:19:36 | getSecret() | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| koaJWT.js:29:22:29:32 | getSecret() | Config.js:2:12:2:19 | "secret" | koaJWT.js:29:22:29:32 | getSecret() | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| netxAuth.js:10:13:10:23 | getSecret() | Config.js:2:12:2:19 | "secret" | netxAuth.js:10:13:10:23 | getSecret() | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
-| passportJWT.js:6:20:6:30 | getSecret() | Config.js:2:12:2:19 | "secret" | passportJWT.js:6:20:6:30 | getSecret() | this $@. is used as a secret key | Config.js:2:12:2:19 | "secret" | Constant |
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.expected
diff --git a/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js b/javascript/ql/test/query-tests/Security/CWE-798/HardcodedCredentials.js
