
Commit 25b988d

authored
Merge pull request #10356 from erik-krogh/selRandom
JS: add taint-step in js/insecure-randomness for selecting a random element
2 parents 0feeafd + a21a427 commit 25b988d


3 files changed

+37
-0
lines changed

3 files changed

+37
-0
lines changed

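--- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureRandomnessCustomizations.qll
@@ -104,6 +104,12 @@ module InsecureRandomness {
 pred = mc.getAnArgument() and
 succ = mc
 )
+or
+// selecting a random element.
+exists(DataFlow::PropRead read | read = succ |
+read.getPropertyNameExpr() = pred.asExpr() and
+not exists(read.getPropertyName())
+)
 }
 
 /**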
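Review bot: The comment `// selecting a random element.` on the added step under-documents what it actually matches: any dynamic property read whose computed index expression is `pred`, with constant-name reads filtered out by `not exists(read.getPropertyName())`. Suggest `// Selecting a random element by computed index, e.g. arr[Math.floor(Math.random() * arr.length)]; constant property names are excluded.` The step is not restricted to array receivers, so a dynamic read on a plain object with a random key is propagated as well, which looks intended but is worth stating. The enclosing predicate starts outside the hunk.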

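--- a/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-338/InsecureRandomness.expected
@@ -92,6 +92,13 @@ nodes
 | tst.js:121:18:121:30 | Math.random() |
 | tst.js:121:18:121:30 | Math.random() |
 | tst.js:121:18:121:30 | Math.random() |
+| tst.js:136:9:136:67 | password |
+| tst.js:136:9:136:67 | password |
+| tst.js:136:21:136:67 | chars[M ... ength)] |
+| tst.js:136:27:136:66 | Math.fl ... length) |
+| tst.js:136:38:136:50 | Math.random() |
+| tst.js:136:38:136:50 | Math.random() |
+| tst.js:136:38:136:65 | Math.ra ... .length |
 edges
 | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() |
 | tst.js:6:31:6:43 | Math.random() | tst.js:6:20:6:43 | "prefix ... andom() |
@@ -158,6 +165,12 @@ edges
 | tst.js:118:34:118:62 | Math.ra ... 000_000 | tst.js:118:23:118:63 | Math.fl ... 00_000) |
 | tst.js:120:16:120:28 | Math.random() | tst.js:120:16:120:28 | Math.random() |
 | tst.js:121:18:121:30 | Math.random() | tst.js:121:18:121:30 | Math.random() |
+| tst.js:136:21:136:67 | chars[M ... ength)] | tst.js:136:9:136:67 | password |
+| tst.js:136:21:136:67 | chars[M ... ength)] | tst.js:136:9:136:67 | password |
+| tst.js:136:27:136:66 | Math.fl ... length) | tst.js:136:21:136:67 | chars[M ... ength)] |
+| tst.js:136:38:136:50 | Math.random() | tst.js:136:38:136:65 | Math.ra ... .length |
+| tst.js:136:38:136:50 | Math.random() | tst.js:136:38:136:65 | Math.ra ... .length |
+| tst.js:136:38:136:65 | Math.ra ... .length | tst.js:136:27:136:66 | Math.fl ... length) |
 #select
 | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() | tst.js:2:20:2:32 | Math.random() | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:2:20:2:32 | Math.random() | Math.random() |
 | tst.js:6:20:6:43 | "prefix ... andom() | tst.js:6:31:6:43 | Math.random() | tst.js:6:20:6:43 | "prefix ... andom() | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:6:31:6:43 | Math.random() | Math.random() |
@@ -181,3 +194,4 @@ edges
 | tst.js:118:23:118:63 | Math.fl ... 00_000) | tst.js:118:34:118:46 | Math.random() | tst.js:118:23:118:63 | Math.fl ... 00_000) | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:118:34:118:46 | Math.random() | Math.random() |
 | tst.js:120:16:120:28 | Math.random() | tst.js:120:16:120:28 | Math.random() | tst.js:120:16:120:28 | Math.random() | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:120:16:120:28 | Math.random() | Math.random() |
 | tst.js:121:18:121:30 | Math.random() | tst.js:121:18:121:30 | Math.random() | tst.js:121:18:121:30 | Math.random() | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:121:18:121:30 | Math.random() | Math.random() |
+| tst.js:136:9:136:67 | password | tst.js:136:38:136:50 | Math.random() | tst.js:136:9:136:67 | password | Cryptographically insecure random number is generated at $@ and used here in a security context. | tst.js:136:38:136:50 | Math.random() | Math.random() |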

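--- a/javascript/ql/test/query-tests/Security/CWE-338/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-338/tst.js
@@ -119,4 +119,21 @@ function uid() {
 var liquid = Math.random(); // OK
 var UUID = Math.random(); // NOT OK
 var MY_UID = Math.random(); // NOK OK
+}
+
+function buildPass(opts, length) {
+const digits = '0123456789'.split('');
+const letters = 'abcdefghijklmnopqrstuvwxyz'.split('');
+const specials = '!@#$%^&*()_+{}|:"<>?[];\',./`~'.split('');
+
+const chars = [];
+opts.digits && chars.push(...digits);
+opts.letters && chars.push(...letters);
+opts.specials && chars.push(...specials);
+
+const password = "";
+for (let i = 0; i < length; i++) {
+password += chars[Math.floor(Math.random() * chars.length)]; // NOT OK
+}
+return password;
 }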
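Review bot: `const password = "";` on new line 134 is reassigned by `password += ...` inside the loop, which throws a TypeError the first time the fixture is actually executed; change it to `let password = "";` so the test code reads as runnable. When none of `opts.digits`, `opts.letters` or `opts.specials` is set, `chars` stays empty and the indexing yields `undefined`, so the returned value is the string `"undefined"` repeated `length` times — presumably irrelevant to the query test, but a `// fixture: opts assumed to select at least one set` comment would make the intent explicit. The `// NOT OK` marker on line 136 is consistent with the new `#select` row added to InsecureRandomness.expected in this commit.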
