Merge branch 'master' of git.semmle.com:Semmle/public-ql into imp/csharp

Author: pavgust

change-notes/1.18/analysis-javascript.md

@@ -0,0 +1,41 @@
+# Improvements to JavaScript analysis
+
+## General improvements
+
+* Additional heuristics have been added to `semmle.javascript.heuristics`. Add `import semmle.javascript.heuristics.all` to a query in order to activate all of the heuristics at once.
+
+* Modelling of data flow through destructuring assignments has been improved. This may give additional results for the security queries and other queries that rely on data flow.
+
+* Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following libraries:
+  - [browserid-crypto](https://github.com/mozilla/browserid-crypto)
+  - [cookie-parser](https://github.com/expressjs/cookie-parser)
+  - [cookie-session](https://github.com/expressjs/cookie-session)
+  - [crypto-js](https://github.com/https://github.com/brix/crypto-js)
+  - [express-jwt](https://github.com/auth0/express-jwt)
+  - [express-session](https://github.com/expressjs/session)
+  - [forge](https://github.com/digitalbazaar/forge)
+  - [MySQL2](https://github.com/sidorares/node-mysql2)
+
+## New queries
+
+| **Query**                   | **Tags**  | **Purpose**                                                        |
+|-----------------------------|-----------|--------------------------------------------------------------------|
+| Use of externally-controlled format string (`js/tainted-format-string`) | security, external/cwe/cwe-134 | Highlights format strings containing user-provided data, indicating a violation of [CWE-134](https://cwe.mitre.org/data/definitions/134.html). Results shown on lgtm by default. |
+
+## Changes to existing queries
+
+| **Query**                  | **Expected impact**    | **Change**                                                       |
+|----------------------------|------------------------|------------------------------------------------------------------|
+| Arguments redefined | Fewer results | This rule previously also flagged redefinitions of `eval`. This was an oversight that is now fixed. |
+| CORS misconfiguration for credentials transfer | More true-positive results | This rule now treats header names case-insensitively. |
+| Hard-coded credentials | More true-positive results | This rule now recognizes secret cryptographic keys. |
+| Insecure randomness | More true-positive results | This rule now recognizes secret cryptographic keys. |
+| Missing X-Frame-Options HTTP header | Fewer false-positive results | This rule now treats header names case-insensitively. |
+| Reflected cross-site scripting | Fewer false-positive results | This rule now treats header names case-insensitively. |
+| Server-side URL redirect | More true-positive results | This rule now treats header names case-insensitively. |
+| Uncontrolled command line | More true-positive results | This rule now recognizes indirect command injection through `sh -c` and similar. |
+| Unused variable | Fewer results | This rule no longer flags class expressions that could be made anonymous. While technically true, these results are not interesting. |
+
+## Changes to QL libraries
+
+* HTTP header names are now always normalized to lower case to reflect the fact that they are case insensitive. In particular, the result of `HeaderDefinition.getAHeaderName`, and the first parameter of `HeaderDefinition.defines`, `ExplicitHeaderDefinition.definesExplicitly` and `RouteHandler.getAResponseHeader` is now always a lower-case string.

javascript/config/suites/javascript/security

@@ -6,6 +6,7 @@
 + semmlecode-javascript-queries/Security/CWE-089/SqlInjection.ql: /Security/CWE/CWE-089
 + semmlecode-javascript-queries/Security/CWE-094/CodeInjection.ql: /Security/CWE/CWE-094
 + semmlecode-javascript-queries/Security/CWE-116/IncompleteSanitization.ql: /Security/CWE/CWE-116
++ semmlecode-javascript-queries/Security/CWE-134/TaintedFormatString.ql: /Security/CWE/CWE-134
 + semmlecode-javascript-queries/Security/CWE-209/StackTraceExposure.ql: /Security/CWE/CWE-209
 + semmlecode-javascript-queries/Security/CWE-312/CleartextStorage.ql: /Security/CWE/CWE-312
 + semmlecode-javascript-queries/Security/CWE-313/PasswordInConfigurationFile.ql: /Security/CWE/CWE-313

javascript/config/suites/lgtm/javascript-alerts-lgtm

@@ -0,0 +1,3 @@
+# DO NOT EDIT
+# This is a stub file. The actual suite of queries to run is generated
+# automatically based on query precision and severity.

javascript/config/suites/lgtm/javascript-lgtm

@@ -0,0 +1,3 @@
+@import "javascript-util-lgtm"
+@import "javascript-alerts-lgtm"
+@import "javascript-metrics-lgtm"

javascript/config/suites/lgtm/javascript-metrics-lgtm

@@ -0,0 +1,18 @@
++ semmlecode-javascript-queries/Comments/FCommentedOutCode.ql: /Metrics/Files
+    @_namespace com.lgtm/javascript-queries
++ semmlecode-javascript-queries/Metrics/FLinesOfCode.ql: /Metrics/Files
+    @_namespace com.lgtm/javascript-queries
++ semmlecode-javascript-queries/Metrics/FLinesOfComment.ql: /Metrics/Documentation
+    @_namespace com.lgtm/javascript-queries
++ semmlecode-javascript-queries/Metrics/FLinesOfDuplicatedCode.ql: /Metrics/Duplication
+    @_namespace com.lgtm/javascript-queries
++ semmlecode-javascript-queries/Metrics/FLinesOfSimilarCode.ql: /Metrics/Duplication
+    @_namespace com.lgtm/javascript-queries
++ semmlecode-javascript-queries/Metrics/FNumberOfTests.ql: /Metrics/Files
+    @_namespace com.lgtm/javascript-queries
+
++ semmlecode-javascript-queries/Metrics/Dependencies/ExternalDependencies.ql
+    @_namespace com.lgtm/javascript-queries
++ semmlecode-javascript-queries/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
+    @_namespace com.lgtm/javascript-queries
+

javascript/config/suites/lgtm/javascript-util-lgtm

@@ -0,0 +1,6 @@
++ semmlecode-javascript-queries/definitions.ql
+    @_namespace com.lgtm/javascript-queries
++ semmlecode-javascript-queries/AlertSuppression.ql
+    @_namespace com.lgtm/javascript-queries
++ semmlecode-javascript-queries/filters/ClassifyFiles.ql
+    @_namespace com.lgtm/javascript-queries

javascript/ql/src/Security/CWE-078/CommandInjection.ql

@@ -15,6 +15,7 @@
 import javascript
 import semmle.javascript.security.dataflow.CommandInjection::CommandInjection
 
-from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
-where cfg.hasFlow(source, sink)
-select sink, "This command depends on $@.", source, "a user-provided value"
+from Configuration cfg, DataFlow::Node source, DataFlow::Node sink, DataFlow::Node highlight
+where cfg.hasFlow(source, sink) and
+      if cfg.isSink(sink, _) then cfg.isSink(sink, highlight) else highlight = sink
+select highlight, "This command depends on $@.", source, "a user-provided value"

javascript/ql/src/Security/CWE-451/MissingXFrameOptions.ql

@@ -15,5 +15,5 @@ import javascript
 import semmle.javascript.frameworks.HTTP
 
 from HTTP::ServerDefinition server
-where not exists(server.getARouteHandler().getAResponseHeader("X-Frame-Options"))
+where not exists(server.getARouteHandler().getAResponseHeader("x-frame-options"))
 select server, "This server never sets the 'X-Frame-Options' HTTP header."

javascript/ql/src/javascript.qll

@@ -48,6 +48,7 @@ import semmle.javascript.dataflow.TypeInference
 import semmle.javascript.frameworks.AngularJS
 import semmle.javascript.frameworks.AWS
 import semmle.javascript.frameworks.Azure
+import semmle.javascript.frameworks.Babel
 import semmle.javascript.frameworks.Credentials
 import semmle.javascript.frameworks.CryptoLibraries
 import semmle.javascript.frameworks.DigitalOcean

javascript/ql/src/semmle/javascript/Concepts.qll

@@ -13,6 +13,12 @@ import javascript
 abstract class SystemCommandExecution extends DataFlow::Node {
   /** Gets an argument to this execution that specifies the command. */
   abstract DataFlow::Node getACommandArgument();
+
+  /**
+   * Gets an argument to this command execution that specifies the argument list
+   * to the command.
+   */
+  DataFlow::Node getArgumentList() { none() }
 }
 
 /**

javascript/ql/src/semmle/javascript/DataFlow.qll

@@ -239,6 +239,7 @@ private deprecated class IifeParameterFlow extends VarDefFlow {
   ImmediatelyInvokedFunctionExpr iife;
 
   IifeParameterFlow() {
+    this instanceof SimpleParameter and
     iife.argumentPassing(this, _)
   }
 

javascript/ql/src/semmle/javascript/Expr.qll

@@ -141,7 +141,7 @@ class Expr extends @expr, ExprOrStmt, ExprOrType, AST::ValueNode {
   /**
    * Holds if this expression may refer to the initial value of parameter `p`.
    */
-  predicate mayReferToParameter(SimpleParameter p) {
+  predicate mayReferToParameter(Parameter p) {
     flow().mayReferToParameter(p)
   }
 
@@ -1645,7 +1645,7 @@ class ImmediatelyInvokedFunctionExpr extends Function {
    * conversely, arguments after a spread element do not have a corresponding
    * parameter.
    */
-  predicate argumentPassing(SimpleParameter p, Expr arg) {
+  predicate argumentPassing(Parameter p, Expr arg) {
     exists (int parmIdx, int argIdx |
       p = getParameter(parmIdx) and not p.isRestParameter() and
       argIdx = parmIdx + getArgumentOffset() and arg = getArgument(argIdx) and

javascript/ql/src/semmle/javascript/Variables.qll

@@ -293,6 +293,8 @@ class VarRef extends @varref, Identifier, BindingPattern, LexicalRef {
   /** Gets the variable this identifier refers to. */
   Variable getVariable() { none() } // Overriden in VarAccess and VarDecl
 
+  override string getName() { result = Identifier.super.getName() }
+
   override VarRef getABindingVarRef() { result = this }
 
   override predicate isImpure() { none() }
@@ -398,6 +400,9 @@ class GlobalVarAccess extends VarAccess {
  * the ECMAScript standard for more details.
  */
 class BindingPattern extends @pattern, Expr {
+  /** Gets the name of this binding pattern if it is an identifier. */
+  string getName() { none() }
+
   /** Gets a variable reference in binding position within this pattern. */
   VarRef getABindingVarRef() { none() }
 
@@ -428,6 +433,8 @@ class BindingPattern extends @pattern, Expr {
 
 /** A destructuring pattern, that is, either an array pattern or an object pattern. */
 abstract class DestructuringPattern extends BindingPattern {
+  /** Gets the rest pattern of this destructuring pattern, if any. */
+  abstract Expr getRest();
 }
 
 /** An identifier that declares a variable. */
@@ -477,7 +484,7 @@ class ArrayPattern extends DestructuringPattern, @arraypattern {
   }
 
   /** Gets the rest pattern of this array pattern, if any. */
-  Expr getRest() {
+  override Expr getRest() {
     result = getChildExpr(-1)
   }
 
@@ -535,7 +542,7 @@ class ObjectPattern extends DestructuringPattern, @objectpattern {
   }
 
   /** Gets the rest property pattern of this object pattern, if any. */
-  Expr getRest() {
+  override Expr getRest() {
     result = getChildExpr(-1)
   }
 

javascript/ql/src/semmle/javascript/dataflow/Configuration.qll

@@ -400,7 +400,7 @@ private predicate callInputStep(Function f, DataFlow::Node invk,
                                 DataFlow::Configuration cfg) {
   isRelevant(pred, cfg) and
   (
-   exists (SimpleParameter parm |
+   exists (Parameter parm |
      argumentPassing(invk, pred, f, parm) and
      succ = DataFlow::parameterNode(parm)
    )