Javascript Taint Tracking

[DSimsek000]

I have the following code:

source.js:

function id(mod) {
    return mod;
}

function __importDefault(mod) {
    return mod && mod.__esModule
        ? mod
        : {
            default: mod,
        }
}
var sinkMod0 = __importDefault(require("./sink"))
var sinkMod1 = require("./sink")
var sinkMod2 = id(require("./sink"))
var sinkMod3 = unknown(require("./sink"))

function source(s) {
    sinkMod0.default(s)
    sinkMod1(s)
    sinkMod2(s)
    sinkMod3(s)
}

sink.js:

module.exports = function (data) {
    sink(data)
}

I am using the following query to get all calls to sink from the source function:

/**
 * @kind path-problem
 */

import javascript
import semmle.javascript.dataflow.TaintTracking

module Config implements DataFlow::ConfigSig {
  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }

  predicate isSource(DataFlow::Node source) {
    exists(Function f |
      f.getName() = "source" and
      source.asExpr() = f.getAParameter()
    )
  }

  predicate isSink(DataFlow::Node node) {
    exists(DataFlow::CallNode cn |
      cn.getAnArgument() = node and
      cn.getCalleeName() = "sink"
    )
  }
}

module Flow = DataFlow::Global<Config>;

import Flow::PathGraph

from Flow::PathNode source, Flow::PathNode sink
where Flow::flowPath(source, sink)
select sink.getNode(), source, sink, ""

The above query doesnt find the flow through sinkMod3(s) . Is there a way to get codeQL to treat the unknown(..) function as an identity function?

[jketema]

Hi @DSimsek000,

To do this you could add a isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) predicate to your configuration that looks for calls to unknown functions where pred is an argument of the function and succ is its result.

[DSimsek000]

Please correct me if the below is not what you suggested, but what I attempted was:

predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
    exists(DataFlow::InvokeNode call |
      call.getAnArgument() = pred and
      call = succ
    )
  }

which didnt solve the issue.

I also encountered an issue when changing the definition of __importDefault to:

var __importDefault =
    (this && this.__importDefault) ||
    function (mod) {
        return mod && mod.__esModule
            ? mod
            : {
                default: mod,
            }
    }

[jketema]

predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
    exists(DataFlow::InvokeNode call |
      call.getAnArgument() = pred and
      call = succ
    )
  }

Did you look at the AST and confirm that unknown is actually an invoke?

[DSimsek000]

Hi @jketema,

Yes, take a look at the attached image. Wouldn't this only cause the taint to flow to var sinkMod3 = unknown(require("./sink")), whereas I want sinkMod3 to be treated simply as require("./sink")?

[jketema]

Hi @DSimsek000,

predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
    exists(DataFlow::InvokeNode call |
      call.getAnArgument() = pred and
      call = succ
    )
  }

If I quick evaluate this predicate on a test database build from your original example, I see a step from require("./sink") to unknown(require("./sink")), as expected.