tsm queries for sql, nosql, xss

javascript/ql/src/TSM/query/NoSql/1046224544_fontend_19c10c3/NosqlInjectionWorse-1602380390/TSM.ql

@@ -0,0 +1,20 @@
+/**
+ * @name General TSM query
+ * @description Checking unsanitized flows
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id js/tsm-query
+*/
+
+import tsm_config
+import DataFlow::PathGraph
+
+from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where
+  (
+    cfg instanceof TSMConfig::Configuration
+  ) and
+  cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This query depends on $@.", source.getNode(),
+  "a user-provided value"

javascript/ql/src/TSM/query/NoSql/1046224544_fontend_19c10c3/NosqlInjectionWorse-1602380390/tsm.qll

@@ -0,0 +1,57 @@
+import javascript
+
+import TSM.NodeRepresentation
+import tsm_repr_pred
+
+module TSM {
+    private import TsmRepr
+
+    predicate isSourceCandidate(DataFlow::Node nd) {
+          nd instanceof DataFlow::CallNode or
+          nd instanceof DataFlow::PropRead or
+          nd instanceof DataFlow::ParameterNode
+      }
+
+      predicate isSanitizerCandidate(DataFlow::Node nd) {
+        nd instanceof DataFlow::CallNode
+      }
+
+      predicate isSinkCandidate(DataFlow::Node nd) {
+        (
+          exists(DataFlow::InvokeNode invk |
+            nd = invk.getAnArgument()
+            or
+            nd = invk.(DataFlow::MethodCallNode).getReceiver()
+          )
+          or
+          nd = any(DataFlow::PropWrite pw).getRhs()
+        )
+      }
+
+    string rep(DataFlow::Node node){
+        result = candidateRep(node, _)
+    }
+
+    predicate isSink(DataFlow::Node node, float score){
+        isSinkCandidate(node) and
+        (exists(rep(node)) and   score = sum(doGetReprScore(rep(node), "snk"))/count(rep(node)) or
+        not exists(rep(node)) and score = 0)
+    }
+
+    predicate isSource(DataFlow::Node node, float score){
+        isSourceCandidate(node) and
+        (exists(rep(node)) and   score = sum(doGetReprScore(rep(node), "src"))/count(rep(node)) or
+        not exists(rep(node)) and score = 0)
+    }
+
+    predicate isSanitizer(DataFlow::Node node, float score){
+        isSanitizerCandidate(node) and
+        (exists(rep(node)) and
+        score = sum(doGetReprScore(rep(node), "san"))/count(rep(node)) or
+        not exists(rep(node)) and score = 0)
+    }
+
+    float doGetReprScore(string repr, string t){
+        result = TsmRepr::getReprScore(repr, t)
+   }    
+}

javascript/ql/src/TSM/query/NoSql/1046224544_fontend_19c10c3/NosqlInjectionWorse-1602380390/tsm_config.qll

@@ -0,0 +1,40 @@
+/**
+ * Provides a taint tracking configuration for reasoning about Seldon's paper example 
+ *
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
+private float minScore_snk() { result = 0.1}
+private float minScore_src() { result = 0.1}
+// Score>1 to ignore sanitizers
+private float minScore_san() { result = 1.1}
+
+module TSMConfig {
+  import tsm
+
+  /**
+   * A taint-tracking configuration for reasoning about SQL injection vulnerabilities.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "TSMConfig" }
+
+    override predicate isSource(DataFlow::Node source) { 
+      exists (float score |  TSM::isSource(source, score) and score>=minScore_src()) 
+      //or
+      //source instanceof NosqlInjection::Source
+    }
+
+    override predicate isSink(DataFlow::Node sink) { 
+      exists (float score | TSM::isSink(sink, score) and score>=minScore_snk()) 
+      //or
+      //sink instanceof NosqlInjection::Sink
+    }
+
+    override predicate isSanitizer(DataFlow::Node node) {
+      exists (float score | TSM::isSanitizer(node, score) and score>=minScore_san()) 
+      or
+      node instanceof NosqlInjection::Sanitizer
+    }
+  }
+}

javascript/ql/src/TSM/query/NoSql/1046224544_fontend_19c10c3/NosqlInjectionWorse-1602380390/tsm_repr_pred.qll

@@ -0,0 +1,41 @@
+module TsmRepr {float getReprScore(string repr, string t){
+repr = "(member body (parameter req *))" and t = "src" and result = 1.0000000000  or 
+repr = "(return (member toUpperCase (member title *)))" and t = "san" and result = 0.4705882353  or 
+repr = "(return (member trim *))" and t = "san" and result = 1.0000000000  or 
+repr = "(member audio *)" and t = "src" and result = 1.0000000000  or 
+repr = "(member src (member query (parameter req *)))" and t = "src" and result = 1.0000000000  or 
+repr = "(member avatar (member query (parameter req *)))" and t = "src" and result = 1.0000000000  or 
+repr = "(member audio (member query (parameter req *)))" and t = "src" and result = 1.0000000000  or 
+repr = "(member _id *)" and t = "snk" and result = 1.0000000000  or 
+repr = "(member name (member query (parameter req *)))" and t = "src" and result = 1.0000000000  or 
+repr = "(member src (member query *))" and t = "src" and result = 1.0000000000  or 
+repr = "(member email (member query (parameter req *)))" and t = "src" and result = 1.0000000000  or 
+repr = "(member avatar (member query *))" and t = "src" and result = 1.0000000000  or 
+repr = "(parameter 1 (return (member findOneAndUpdate *)))" and t = "snk" and result = 0.2500000000  or 
+repr = "(member body (parameter req (parameter 1 (return (member post *)))))" and t = "src" and result = 1.0000000000  or 
+repr = "(member email *)" and t = "src" and result = 1.0000000000  or 
+repr = "(member from_id *)" and t = "snk" and result = 0.5000000000  or 
+repr = "(member src *)" and t = "src" and result = 1.0000000000  or 
+repr = "(parameter 0 (return (member find *)))" and t = "snk" and result = 1.0000000000  or 
+repr = "(member email (member query *))" and t = "src" and result = 1.0000000000  or 
+repr = "(return (member trim (member search *)))" and t = "san" and result = 1.0000000000  or 
+repr = "(return (member findOneAndUpdate *))" and t = "san" and result = 0.7500000000  or 
+repr = "(member audio (member query *))" and t = "src" and result = 1.0000000000  or 
+repr = "(member img *)" and t = "src" and result = 1.0000000000  or 
+repr = "(member img (member query (parameter req *)))" and t = "src" and result = 1.0000000000  or 
+repr = "(member body (parameter 0 (parameter 2 (return (member post *)))))" and t = "src" and result = 1.0000000000  or 
+repr = "(member body (parameter req (parameter 2 (return (member post *)))))" and t = "src" and result = 1.0000000000  or 
+repr = "(parameter 0 (return (member send (parameter res *))))" and t = "snk" and result = 0.5000000000  or 
+repr = "(member name (member query *))" and t = "src" and result = 1.0000000000  or 
+repr = "(member _id (parameter 0 (parameter 0 (return (member then *)))))" and t = "snk" and result = 1.0000000000  or 
+repr = "(parameter 0 (return (member findOne *)))" and t = "snk" and result = 0.2500000000  or 
+repr = "(member img (member query *))" and t = "src" and result = 1.0000000000  or 
+repr = "(member _id (parameter 0 (return (member findOne *))))" and t = "san" and result = 0.4705882353  or 
+repr = "(return (member findOne *))" and t = "san" and result = 0.7500000000  or 
+repr = "(member body (parameter 0 (parameter 1 (return (member post *)))))" and t = "src" and result = 1.0000000000  or 
+repr = "(member body *)" and t = "src" and result = 1.0000000000  or 
+repr = "(member avatar *)" and t = "src" and result = 1.0000000000  or 
+repr = "(member title *)" and t = "san" and result = 1.0000000000  or 
+repr = "(member email (parameter 0 (return (member findOne *))))" and t = "src" and result = 1.0000000000  or 
+repr = "(member name *)" and t = "src" and result = 1.0000000000
+}}

javascript/ql/src/TSM/query/NoSql/3dbeb41841bfbfcc24d55143816cf7f1_atl-wdi-10_2f0c30b/NosqlInjectionWorse-1602380390/TSM.ql

@@ -0,0 +1,20 @@
+/**
+ * @name General TSM query
+ * @description Checking unsanitized flows
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id js/tsm-query
+*/
+
+import tsm_config
+import DataFlow::PathGraph
+
+from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where
+  (
+    cfg instanceof TSMConfig::Configuration
+  ) and
+  cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This query depends on $@.", source.getNode(),
+  "a user-provided value"

javascript/ql/src/TSM/query/NoSql/3dbeb41841bfbfcc24d55143816cf7f1_atl-wdi-10_2f0c30b/NosqlInjectionWorse-1602380390/tsm.qll

@@ -0,0 +1,57 @@
+import javascript
+
+import TSM.NodeRepresentation
+import tsm_repr_pred
+
+module TSM {
+    private import TsmRepr
+
+    predicate isSourceCandidate(DataFlow::Node nd) {
+          nd instanceof DataFlow::CallNode or
+          nd instanceof DataFlow::PropRead or
+          nd instanceof DataFlow::ParameterNode
+      }
+
+      predicate isSanitizerCandidate(DataFlow::Node nd) {
+        nd instanceof DataFlow::CallNode
+      }
+
+      predicate isSinkCandidate(DataFlow::Node nd) {
+        (
+          exists(DataFlow::InvokeNode invk |
+            nd = invk.getAnArgument()
+            or
+            nd = invk.(DataFlow::MethodCallNode).getReceiver()
+          )
+          or
+          nd = any(DataFlow::PropWrite pw).getRhs()
+        )
+      }
+
+    string rep(DataFlow::Node node){
+        result = candidateRep(node, _)
+    }
+
+    predicate isSink(DataFlow::Node node, float score){
+        isSinkCandidate(node) and
+        (exists(rep(node)) and   score = sum(doGetReprScore(rep(node), "snk"))/count(rep(node)) or
+        not exists(rep(node)) and score = 0)
+    }
+
+    predicate isSource(DataFlow::Node node, float score){
+        isSourceCandidate(node) and
+        (exists(rep(node)) and   score = sum(doGetReprScore(rep(node), "src"))/count(rep(node)) or
+        not exists(rep(node)) and score = 0)
+    }
+
+    predicate isSanitizer(DataFlow::Node node, float score){
+        isSanitizerCandidate(node) and
+        (exists(rep(node)) and
+        score = sum(doGetReprScore(rep(node), "san"))/count(rep(node)) or
+        not exists(rep(node)) and score = 0)
+    }
+
+    float doGetReprScore(string repr, string t){
+        result = TsmRepr::getReprScore(repr, t)
+   }    
+}

javascript/ql/src/TSM/query/NoSql/3dbeb41841bfbfcc24d55143816cf7f1_atl-wdi-10_2f0c30b/NosqlInjectionWorse-1602380390/tsm_config.qll

@@ -0,0 +1,40 @@
+/**
+ * Provides a taint tracking configuration for reasoning about Seldon's paper example 
+ *
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
+private float minScore_snk() { result = 0.1}
+private float minScore_src() { result = 0.1}
+// Score>1 to ignore sanitizers
+private float minScore_san() { result = 1.1}
+
+module TSMConfig {
+  import tsm
+
+  /**
+   * A taint-tracking configuration for reasoning about SQL injection vulnerabilities.
+   */
+  class Configuration extends TaintTracking::Configuration {
+    Configuration() { this = "TSMConfig" }
+
+    override predicate isSource(DataFlow::Node source) { 
+      exists (float score |  TSM::isSource(source, score) and score>=minScore_src()) 
+      //or
+      //source instanceof NosqlInjection::Source
+    }
+
+    override predicate isSink(DataFlow::Node sink) { 
+      exists (float score | TSM::isSink(sink, score) and score>=minScore_snk()) 
+      //or
+      //sink instanceof NosqlInjection::Sink
+    }
+
+    override predicate isSanitizer(DataFlow::Node node) {
+      exists (float score | TSM::isSanitizer(node, score) and score>=minScore_san()) 
+      or
+      node instanceof NosqlInjection::Sanitizer
+    }
+  }
+}