Merge pull request #10356 from erik-krogh/selRandom

erik-krogh · web-flow · commit 25b988d17902 · 2022-09-09T09:59:25.000+02:00
JS: add taint-step in js/insecure-randomness for selecting a random element
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessCustomizations.qll
@@ -104,6 +104,12 @@ module InsecureRandomness {
       pred = mc.getAnArgument() and
       succ = mc
     )
+    or
+    // selecting a random element.
+    exists(DataFlow::PropRead read | read = succ |
+      read.getPropertyNameExpr() = pred.asExpr() and
+      not exists(read.getPropertyName())
+    )
   }
 
   /**
diff --git a/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected b/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected
@@ -92,6 +92,13 @@ nodes
 | tst.js:121:18:121:30 | Math.random() |
 | tst.js:121:18:121:30 | Math.random() |
 | tst.js:121:18:121:30 | Math.random() |
+| tst.js:136:9:136:67 | password |
+| tst.js:136:9:136:67 | password |
+| tst.js:136:21:136:67 | chars[M ... ength)] |
+| tst.js:136:27:136:66 | Math.fl ... length) |
+| tst.js:136:38:136:50 | Math.random() |
+| tst.js:136:38:136:50 | Math.random() |
+| tst.js:136:38:136:65 | Math.ra ... .length |
 edges
 | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() |
 | tst.js:6:31:6:43 | Math.random() | tst.js:6:20:6:43 | "prefix ... andom() |
@@ -158,6 +165,12 @@ edges
 | tst.js:118:34:118:62 | Math.ra ... 000_000 | tst.js:118:23:118:63 | Math.fl ... 00_000) |
 | tst.js:120:16:120:28 | Math.random() | tst.js:120:16:120:28 | Math.random() |
 | tst.js:121:18:121:30 | Math.random() | tst.js:121:18:121:30 | Math.random() |
+| tst.js:136:21:136:67 | chars[M ... ength)] | tst.js:136:9:136:67 | password |
+| tst.js:136:21:136:67 | chars[M ... ength)] | tst.js:136:9:136:67 | password |
+| tst.js:136:27:136:66 | Math.fl ... length) | tst.js:136:21:136:67 | chars[M ... ength)] |
+| tst.js:136:38:136:50 | Math.random() | tst.js:136:38:136:65 | Math.ra ... .length |
+| tst.js:136:38:136:50 | Math.random() | tst.js:136:38:136:65 | Math.ra ... .length |
+| tst.js:136:38:136:65 | Math.ra ... .length | tst.js:136:27:136:66 | Math.fl ... length) |
 #select
 | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:2:20:2:32 | Math.random() | Math.random() |
 | tst.js:6:20:6:43 | "prefix ... andom() | tst.js:6:31:6:43 | Math.random() | tst.js:6:20:6:43 | "prefix ... andom() | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:6:31:6:43 | Math.random() | Math.random() |
@@ -181,3 +194,4 @@ edges
 | tst.js:118:23:118:63 | Math.fl ... 00_000) | tst.js:118:34:118:46 | Math.random() | tst.js:118:23:118:63 | Math.fl ... 00_000) | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:118:34:118:46 | Math.random() | Math.random() |
 | tst.js:120:16:120:28 | Math.random() | tst.js:120:16:120:28 | Math.random() | tst.js:120:16:120:28 | Math.random() | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:120:16:120:28 | Math.random() | Math.random() |
 | tst.js:121:18:121:30 | Math.random() | tst.js:121:18:121:30 | Math.random() | tst.js:121:18:121:30 | Math.random() | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:121:18:121:30 | Math.random() | Math.random() |
+| tst.js:136:9:136:67 | password | tst.js:136:38:136:50 | Math.random() | tst.js:136:9:136:67 | password | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:136:38:136:50 | Math.random() | Math.random() |
diff --git a/javascript/ql/test/query-tests/Security/CWE-338/tst.js b/javascript/ql/test/query-tests/Security/CWE-338/tst.js
@@ -119,4 +119,21 @@ function uid() {
     var liquid = Math.random(); // OK
     var UUID = Math.random(); // NOT OK
     var MY_UID = Math.random(); // NOK OK
+}
+
+function buildPass(opts, length) {
+    const digits = '0123456789'.split('');
+    const letters = 'abcdefghijklmnopqrstuvwxyz'.split('');
+    const specials = '!@#$%^&*()_+{}|:"<>?[];\',./`~'.split('');
+
+    const chars = [];
+    opts.digits && chars.push(...digits);
+    opts.letters && chars.push(...letters);
+    opts.specials && chars.push(...specials);
+
+    const password = "";
+    for (let i = 0; i < length; i++) {
+        password += chars[Math.floor(Math.random() * chars.length)]; // NOT OK
+    }
+    return password;
 }

Original file line number	Diff line number	Diff line change
`@@ -104,6 +104,12 @@ module InsecureRandomness {`
`104`	`104`	`pred = mc.getAnArgument() and`
`105`	`105`	`succ = mc`
`106`	`106`	`)`
	`107`	`+ or`
	`108`	`+ // selecting a random element.`
	`109`	`+ exists(DataFlow::PropRead read \| read = succ \|`
	`110`	`+ read.getPropertyNameExpr() = pred.asExpr() and`
	`111`	`+ not exists(read.getPropertyName())`
	`112`	`+ )`
`107`	`113`	`}`
`108`	`114`
`109`	`115`	`/**`