Skip to content

JS: add initial version of ServerCrash.ql #3672

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jun 12, 2020
Merged

JS: add initial version of ServerCrash.ql #3672

merged 4 commits into from
Jun 12, 2020

Conversation

esbena
Copy link
Contributor

@esbena esbena commented Jun 10, 2020
edited
Loading

CVE-2019-10775: TP/FP
CVE-2017-16014: FN

The FP can be addressed when the (hacky) Configuration part of the query is polished.

Generally, the alerts can be hard to understand since they talk about a (long) call chain from a route handler, to an asynchronous function invocation, to a line that causes an exception to be thrown. This can be remedied by presenting the remote flow path from the Configuration part of the query to the user, and then hacking up a pseudo path for the throw case.

Polish for later:

  • support call chains through asynchronous calls with callbacks
  • support call chains through promises
  • support non-async promises that may throw
  • support property accesses as sinks (see JS: remove speculative property access sink from js/server-crash)
  • consider displaying the exception path as a path problem

@esbena esbena added the JS label Jun 10, 2020
@esbena esbena requested review from mchammer01 and a team as code owners June 10, 2020 12:51
@esbena
Copy link
Contributor Author

esbena commented Jun 10, 2020

(ping me if more context is needed, this query is not trivial)

erik-krogh
erik-krogh reviewed Jun 10, 2020
View reviewed changes
javascript/ql/src/Security/CWE-730/ServerCrash.ql Outdated
Comment on lines 39 to 42
predicate isDangerousPropertyRead(DataFlow::PropRead read) {
// TODO use flow labels
exists(DataFlow::PropRead base |
base = read.getBase() and
Copy link
Contributor

@erik-krogh erik-krogh Jun 10, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about checking if the property-read is guarded.
E.g. the below is safe, and I think it will be flagged.

function handler(req, res) {
  var foo = req.body && req.body.foo && req.body.foo.bar;
}

flow-labels can maybe be used in some fancy way to achieve this.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have removed that sink now, it was purely speculative. I have added a TODO note above.

@esbena esbena mentioned this pull request Jun 11, 2020
Draft
3 tasks
erik-krogh
erik-krogh reviewed Jun 11, 2020
View reviewed changes
javascript/ql/src/Security/CWE-730/ServerCrash.ql Outdated
Comment on lines 75 to 77
class ServerCrasher extends ExprOrStmt {
HTTP::RouteHandler routeHandler;
DataFlow::FunctionNode asyncFunction;
Copy link
Contributor

@erik-krogh erik-krogh Jun 11, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this need to be a class? How about converting it to a predicate:

ExprOrStmt getAServerCrasherStmt(HTTP::RouteHandler routeHandler, DataFlow::FunctionNode asyncFunction)

Actually, how about spreading it into 2 predicates, the first returning Function throwingFunction, and the second predicate returning a ExprOrStmt crasher from that throwingFunction.

Rename suggestion: asyncFunction -> asyncCallback?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All done.

erik-krogh
erik-krogh approved these changes Jun 11, 2020
View reviewed changes
Copy link
Contributor

@erik-krogh erik-krogh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're missing some qldoc.
And the Configration is hacky, but you've already noted that (maybe used type-tracking?).

But for the sprint: 👍

@esbena esbena merged commit 243e3ad into github:js-team-sprint Jun 12, 2020
esbena added a commit to esbena/codeql that referenced this pull request Jun 22, 2020
@esbena
Revert "Merge pull request github#3672 from esbena/js/server-crashing…
0a8d15c 
…-route-handler"

This reverts commit 243e3ad, reversing
changes made to df79f2a.
This was referenced Jun 22, 2020
Closed
Merged
@esbena esbena mentioned this pull request Jan 13, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@erik-krogh erik-krogh erik-krogh approved these changes

@mchammer01 mchammer01 Awaiting requested review from mchammer01

Assignees
No one assigned
Labels
JS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@esbena @erik-krogh