Add Javascript packs

Author: Alvaro Muñoz

.github/workflows/build.yml

@@ -12,7 +12,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'cpp', 'csharp', 'go', 'java', 'python', 'ruby' ]
+        language: [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
 
     steps:
       - uses: actions/checkout@v3

.github/workflows/publish.yml

@@ -17,7 +17,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ["cpp", "csharp", "go", "java", "python", "ruby"] 
+        language: ["cpp", "csharp", "go", "java", "javascript", "python", "ruby"] 
 
     steps:
       - uses: actions/checkout@v3
@@ -54,7 +54,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ["cpp", "csharp", "go", "java", "python", "ruby"] 
+        language: ["cpp", "csharp", "go", "java", "javascript", "python", "ruby"] 
 
     steps:
       - uses: actions/checkout@v3

codeql-workspace.yml

@@ -3,6 +3,7 @@ provide:
 - csharp/**/qlpack.yml
 - go/**/qlpack.yml
 - java/**/qlpack.yml
+- javascript/**/qlpack.yml
 - python/**/qlpack.yml
 - ruby/**/qlpack.yml
 

javascript/lib/ResearchMode.qll

@@ -0,0 +1,7 @@
+//import semmle.javascript.heuristics.all
+import semmle.javascript.heuristics.AdditionalFrameworks
+import semmle.javascript.heuristics.AdditionalPromises
+import semmle.javascript.heuristics.AdditionalRouteHandlers
+import semmle.javascript.heuristics.AdditionalSources
+//import semmle.javascript.heuristics.AdditionalSinks
+import semmle.javascript.heuristics.AdditionalTaintSteps

javascript/lib/applications/.gitkeep

@@ -0,0 +1,16 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/javascript-all:
+    version: 0.7.4
+  codeql/mad:
+    version: 0.1.4
+  codeql/regex:
+    version: 0.1.4
+  codeql/tutorial:
+    version: 0.1.4
+  codeql/util:
+    version: 0.1.4
+  codeql/yaml:
+    version: 0.1.4
+compiled: false

javascript/lib/codeql-pack.lock.yml

@@ -0,0 +1,7 @@
+import semmle.javascript.dataflow.DataFlow
+
+class CommandLineArgument extends DataFlow::Node {
+    CommandLineArgument() {
+        this = DataFlow::globalVarRef("process").getAPropertyRead("argv").getAPropertyReference()
+    }
+}

javascript/lib/frameworks/.gitkeep

@@ -0,0 +1,113 @@
+import semmle.javascript.dataflow.TaintTracking
+
+import github.CommandLine
+
+class RandomTaintsSourceConfiguration extends TaintTracking::Configuration {
+    RandomTaintsSourceConfiguration() { this = "RandomTaintsSourceConfiguration" }
+
+    override predicate isSource(DataFlow::Node source) {
+        isSecureRandom(source)
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+        not isSecureRandom(sink)
+    }
+}
+
+class InsecureIVConfiguration extends TaintTracking::Configuration {
+    InsecureIVConfiguration() { this = "InsecureIVConfiguration" }
+
+    override predicate isSource(DataFlow::Node source) {
+        exists(Literal literal|literal.flow() = source)
+        or
+        source instanceof DataFlow::ArrayLiteralNode
+        or
+        source instanceof RemoteFlowSource
+        or
+        source instanceof FileSystemReadAccess
+        or
+        source instanceof DatabaseAccess
+        or
+        source instanceof CommandLineArgument
+        or
+        // an external function that is not a known source of randomness
+        (
+            source instanceof ExternalCallWithOutput
+            and not source instanceof CreateIVArgument
+            and not source instanceof SecureRandomSource
+        )
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+        sink instanceof CreateIVArgument
+    }
+}
+
+class ExternalCallWithOutput extends DataFlow::Node {
+    CallExpr call;
+
+    ExternalCallWithOutput() {
+        not exists(MethodCallExpr method_call, ThisExpr this_expr| method_call = call and method_call.getReceiver() = this_expr )
+        and
+        this = call.flow()
+    }
+}
+
+class SecureRandomSource extends DataFlow::Node {
+    SecureRandomSource() {
+        isSecureRandom(this)
+    }
+}
+
+predicate isSecureRandom(DataFlow::Node node) {
+    exists(string name|
+        name in ["randomBytes", "getRandomValues"] and
+        DataFlow::moduleMember("crypto", name).getACall() = node
+    )
+    or
+    exists(string name|
+        name in ["randomFill", "randomFillSync"] and
+        DataFlow::moduleMember("crypto", name).getACall().getArgument(0) = node
+    )
+    or
+    exists(string name|
+        name in ["randomKey", "randomString"] and
+        DataFlow::moduleMember("crypto-extra", name).getACall() = node
+    )
+    or
+    exists(string name|
+        name in ["cryptoRandomString", "cryptoRandomStringAsync"] and
+        DataFlow::moduleMember("crypto-random-string", name).getACall() = node
+    )
+    or
+    exists(string name|
+        name in ["secureRandom", "randomArray", "randomUint8Array", "randomBuffer"] and
+        DataFlow::moduleMember("secure-random", name).getACall() = node
+    )
+}
+
+class CreateIVArgument extends DataFlow::Node {
+    CreateIVArgument() {
+        isCreateIV(this)
+    }
+}
+
+predicate isCreateIV(DataFlow::Node node) {
+    exists(string name|
+        name = "createCipheriv" and
+        DataFlow::moduleMember("crypto", name).getACall().getArgument(2) = node
+    )
+}
+
+predicate knownCryptTest(DataFlow::Node sink) {
+    sink.getFile().getRelativePath().matches(
+        [
+            "%/des.js/test/%",
+            "test/common/tls.js",
+            "test/%/test-crypto-%.js",
+            "%/browserify-aes/populateFixtures.js",
+            "%/evp_bytestokey%/test.js",
+            "%/sshpk/lib/formats/ssh-private.js"
+        ]
+    )
+}

javascript/lib/github/CommandLine.qll

@@ -0,0 +1,5 @@
+library: true 
+name: githubsecuritylab/codeql-javascript-libs
+version: 0.0.1
+dependencies:
+  codeql/javascript-all: '*'

javascript/lib/github/InsecureIV.qll

@@ -0,0 +1,32 @@
+/**
+ * @name Use of unsafe superjson parse or deserialize functions
+ * @description Specific versions of the superjson library are vulnerable to prototype pollution. Avoid calling
+ *              their parse() or deserialize() functions.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 10.0
+ * @precision high
+ * @id githubsecuritylab/cve-2022-23631
+ * @tags security
+ *       external/cwe/cwe-094
+ *       external/cve/cve-2022-23631
+ */
+
+import javascript
+import semmle.javascript.dependencies.Dependencies
+import semmle.javascript.dependencies.SemVer
+
+class SuperJsonCalls extends DataFlow::CallNode {
+  SuperJsonCalls() {
+    // https://github.com/blitz-js/superjson/security/advisories/GHSA-5888-ffcr-r425
+    // https://github.com/blitz-js/superjson/commit/0d68cd51a430999b848f6da7af528ee02560c883
+    exists(NpmDependency dep |
+      dep.getNpmPackageName() = "superjson" and
+      dep.getVersion().(DependencySemVer).maybeBefore("1.8.1") and
+      this = DataFlow::dependencyModuleImport(dep).getAMemberCall(["parse", "deserialize"])
+    )
+  }
+}
+
+from SuperJsonCalls calls
+select calls, "Potential prototype pollution via superjson parse or deserialize functions!"

javascript/lib/qlpack.yml

@@ -0,0 +1,3 @@
+# Audit: Usage of Command Injection sink
+
+This query detects the use of command injection sinks. Command injection sinks are functions that execute commands and if the commands are constructed using user input, it may allow an attacker to execute arbitrary commands.

javascript/src/CVEs/CVE-2022-23631.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Audit: Usage of Command Injection sink
+ * @description A Command Injection sink is being used in your application, this can lead to remote code execution if user controled input comes into the sink
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 3.0
+ * @id githubsecuritylab/audit/command-injection
+ * @tags security
+ *       external/cwe/cwe-078
+ *       audit
+ */
+
+import javascript
+private import semmle.javascript.security.dataflow.CommandInjectionCustomizations
+
+from DataFlow::Node sink
+where sink instanceof CommandInjection::Sink
+select sink, "Command Injection sink"

javascript/src/audit/CWE-078/CommandInjectionAudit.md

@@ -0,0 +1,3 @@
+# Audit: Possible Reflected Cross-Site Scripting
+
+This query detects the use of reflected cross-site scripting sinks. Reflected cross-site scripting sinks are functions that output user input without sanitizing it.

javascript/src/audit/CWE-078/CommandInjectionAudit.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Audit: Possible Reflected Cross-Site Scripting
+ * @description Insecure dangerouslySetInnerHTML() function can lead to reflected XSS.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 3.0
+ * @id githubsecuritylab/audit/reflected-xss
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ *       audit
+ */
+
+import javascript
+private import semmle.javascript.security.dataflow.DomBasedXssCustomizations
+
+from DataFlow::Node sink
+where sink instanceof DomBasedXss::DangerouslySetInnerHtmlSink
+select sink, "React's dangerouslySetInnerHTML is being used."

javascript/src/audit/CWE-079/XSSAudit.md

@@ -0,0 +1,3 @@
+# Audit: Usage of Code Injection sink
+
+This query detects the usage of code injection sinks. Code injection sinks are functions that execute arbitrary JavaScript and if the commands are constructed using user input, it may allow an attacker to execute arbitrary JavaScript in the browser (XSS) or server-side code (Remote Code Execution).

javascript/src/audit/CWE-079/XSSAudit.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Audit: Usage of Code Injection sink
+ * @description Usage of Code Injection sink
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 3.0
+ * @id githubsecuritylab/audit/code-injection
+ * @tags security
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ *       audit
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.CodeInjectionCustomizations
+
+from CodeInjection::Sink sinks
+select sinks, "Code Injection sink"

javascript/src/audit/CWE-094/CodeInjectionAudit.md

@@ -0,0 +1,3 @@
+# Audit: Usage of Unsafe Deserialize sink
+
+This query detects the use of unsafe deserialize sinks. Unsafe deserialize sinks are functions that deserialize data and if the data is constructed using user input, it may allow an attacker to execute arbitrary code.

javascript/src/audit/CWE-094/CodeInjectionAudit.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Audit: Usage of Unsafe Deserialize sink
+ * @description A Unsafe Deserialization sink is being used in your application, this can lead to remote code execution if user controled input comes into the sink
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 3.0
+ * @id githubsecuritylab/audit/unsafe-deserialization
+ * @tags security
+ *       external/cwe/cwe-503
+ *       audit
+ */
+
+import javascript
+private import semmle.javascript.security.dataflow.UnsafeDeserializationCustomizations
+
+from DataFlow::Node sink
+where sink instanceof UnsafeDeserialization::Sink
+select sink, "Unsafe Deserialization sink"

javascript/src/audit/CWE-502/UnsafeDeserializationAudit.md

@@ -0,0 +1,3 @@
+# Audit: XML External Entity sink used
+
+This query detects the use of XML External Entity sinks. XML External Entity sinks are functions that parse XML documents and if the XML documents are constructed using user input, it may allow an attacker to perform XML External Entity attacks.

javascript/src/audit/CWE-502/UnsafeDeserializationAudit.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Audit: XML External Entity sink used
+ * @description A XML External Entity (XXE) sink is being used in your application
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 3.0
+ * @id githubsecuritylab/audit/xxe
+ * @tags security
+ *       external/cwe/cwe-611
+ *       audit
+ */
+
+import javascript
+private import semmle.javascript.security.dataflow.XxeCustomizations
+
+from DataFlow::Node sink
+where sink instanceof Xxe::Sink
+select sink, "XML External Entity sink"

javascript/src/audit/CWE-611/XXEAudit.md

@@ -0,0 +1,3 @@
+# Audit: Using JS Eval
+
+This query detects the use of `eval` and `Function` in JavaScript code. `eval` and `Function` are functions that execute code and if the code is constructed using user input, it may allow an attacker to execute arbitrary code.

javascript/src/audit/CWE-611/XXEAudit.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Audit: Using JS Eval
+ * @description Usage of eval in JavaScript / TypeScript can be dangerous
+ * @kind problem
+ * @problem.severity recommendation
+ * @security-severity 2.0
+ * @id githubsecuritylab/audit/using-eval
+ * @tags maintainability
+ *       external/cwe/cwe-676
+ *       audit
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.CodeInjectionCustomizations
+
+from CodeInjection::EvalJavaScriptSink eval
+select eval, "Using eval"

javascript/src/audit/CWE-676/UseOfEval.md

@@ -0,0 +1,19 @@
+/**
+ * @name External dependencies
+ * @description Count the number of dependencies that a Java project has on external packages.
+ * @kind treemap
+ * @id githubsecuritylab/external-dependencies
+ * @metricType externalDependency
+ * @tags audit
+ */
+
+import semmle.javascript.dependencies.Dependencies
+
+predicate externalDependencies(Dependency dep, string name, int ndeps) {
+  exists(string id, string v | dep.info(id, v) | name = id + "-" + v) and
+  ndeps = count(Locatable use | use = dep.getAUse(_))
+}
+
+from Dependency dep, string name, int ndeps
+where externalDependencies(dep, name, ndeps)
+select name, ndeps order by ndeps desc

javascript/src/audit/CWE-676/UseOfEval.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Files
+ * @description List of all files in the repository
+ * @kind table
+ * @id githubsecuritylab/files
+ * @tags audit
+ */
+
+import javascript
+
+from File f
+where f.getExtension() = ["js", "ts"] and not f.getRelativePath().matches("%/test/%")
+select f.getRelativePath()