Merge pull request #8724 from erik-krogh/postMessage

JS: promote the `js/missing-origin-verification` query

Author: erik-krogh

javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll

@@ -1225,19 +1225,25 @@ module TaintTracking {
    * An equality test on `e.origin` or `e.source` where `e` is a `postMessage` event object,
    * considered as a sanitizer for `e`.
    */
-  private class PostMessageEventSanitizer extends AdditionalSanitizerGuardNode, DataFlow::ValueNode {
+  private class PostMessageEventSanitizer extends AdditionalSanitizerGuardNode {
     VarAccess event;
-    override EqualityTest astNode;
+    boolean polarity;
 
     PostMessageEventSanitizer() {
-      exists(string prop | prop = "origin" or prop = "source" |
-        astNode.getAnOperand().(PropAccess).accesses(event, prop) and
-        event.mayReferToParameter(any(PostMessageEventHandler h).getEventParameter())
+      event.mayReferToParameter(any(PostMessageEventHandler h).getEventParameter()) and
+      exists(DataFlow::PropRead read | read.accesses(event.flow(), ["origin", "source"]) |
+        exists(EqualityTest test | polarity = test.getPolarity() and this.getAstNode() = test |
+          test.getAnOperand().flow() = read
+        )
+        or
+        exists(InclusionTest test | polarity = test.getPolarity() and this = test |
+          test.getContainedNode() = read
+        )
       )
     }
 
     override predicate sanitizes(boolean outcome, Expr e) {
-      outcome = astNode.getPolarity() and
+      outcome = polarity and
       e = event
     }
 

javascript/ql/src/Security/CWE-020/MissingOriginCheck.qhelp

@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+
+<p>
+The <code>"message"</code> event is used to send messages between windows. 
+An untrusted window can send a message to a trusted window, and it is up to the receiver to verify the legitimacy of the message. One way of performing that verification is to check the <code>origin</code> of the message ensure that it originates from a trusted window.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Always verify the origin of incoming messages.
+</p>
+</recommendation>
+
+<example>
+<p>
+The example below uses a received message to execute some code. However, the 
+origin of the message is not checked, so it might be possible for an attacker
+to execute arbitrary code.
+</p>
+<sample src="examples/MissingOriginCheckBad.js" />
+
+<p>
+The example is fixed below, where the origin is checked to be trusted. 
+It is therefore not possible for a malicious user to perform an attack using an untrusted origin.
+</p>
+<sample src="examples/MissingOriginCheckGood.js" />
+
+</example>
+
+<references>
+
+<li><a href="https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage">Window.postMessage()</a>.</li>
+<li><a href="https://portswigger.net/web-security/dom-based/web-message-manipulation">Web message manipulation</a>.</li>
+<li><a href="https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/">The pitfalls of postMessage</a>.</li>
+
+</references>
+</qhelp>

javascript/ql/src/Security/CWE-020/MissingOriginCheck.ql

@@ -0,0 +1,83 @@
+/**
+ * @name Missing origin verification in `postMessage` handler
+ * @description Missing origin verification in a `postMessage` handler allows any windows to send arbitrary data to the handler.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 5
+ * @precision medium
+ * @id js/missing-origin-check
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-020
+ */
+
+import javascript
+
+/** A function that handles "message" events. */
+class PostMessageHandler extends DataFlow::FunctionNode {
+  override PostMessageEventHandler astNode;
+
+  /** Gets the parameter that contains the event. */
+  DataFlow::ParameterNode getEventParameter() {
+    result = DataFlow::parameterNode(astNode.getEventParameter())
+  }
+}
+
+/** Gets a reference to the event from a postmessage `handler` */
+DataFlow::SourceNode event(DataFlow::TypeTracker t, PostMessageHandler handler) {
+  t.start() and
+  result = handler.getEventParameter()
+  or
+  exists(DataFlow::TypeTracker t2 | result = event(t2, handler).track(t2, t))
+}
+
+/** Gets a reference to the .origin from a postmessage event. */
+DataFlow::SourceNode origin(DataFlow::TypeTracker t, PostMessageHandler handler) {
+  t.start() and
+  result = event(DataFlow::TypeTracker::end(), handler).getAPropertyRead("origin")
+  or
+  result =
+    origin(t.continue(), handler)
+        .getAMethodCall([
+            "toString", "toLowerCase", "toUpperCase", "toLocaleLowerCase", "toLocaleUpperCase"
+          ])
+  or
+  exists(DataFlow::TypeTracker t2 | result = origin(t2, handler).track(t2, t))
+}
+
+/** Gets a reference to the .source from a postmessage event. */
+DataFlow::SourceNode source(DataFlow::TypeTracker t, PostMessageHandler handler) {
+  t.start() and
+  result = event(DataFlow::TypeTracker::end(), handler).getAPropertyRead("source")
+  or
+  exists(DataFlow::TypeTracker t2 | result = source(t2, handler).track(t2, t))
+}
+
+/** Gets a reference to the origin or the source of a postmessage event. */
+DataFlow::SourceNode sourceOrOrigin(PostMessageHandler handler) {
+  result = source(DataFlow::TypeTracker::end(), handler) or
+  result = origin(DataFlow::TypeTracker::end(), handler)
+}
+
+/** Holds if there exists a check of the .origin or .source of the postmessage `handler`. */
+predicate hasOriginCheck(PostMessageHandler handler) {
+  // event.origin === "constant"
+  exists(EqualityTest test | sourceOrOrigin(handler).flowsToExpr(test.getAnOperand()))
+  or
+  // set.includes(event.source)
+  exists(InclusionTest test | sourceOrOrigin(handler).flowsTo(test.getContainedNode()))
+  or
+  // "safeOrigin".startsWith(event.origin)
+  exists(StringOps::StartsWith starts |
+    origin(DataFlow::TypeTracker::end(), handler).flowsTo(starts.getSubstring())
+  )
+  or
+  // "safeOrigin".endsWith(event.origin)
+  exists(StringOps::EndsWith ends |
+    origin(DataFlow::TypeTracker::end(), handler).flowsTo(ends.getSubstring())
+  )
+}
+
+from PostMessageHandler handler
+where not hasOriginCheck(handler)
+select handler.getEventParameter(), "Postmessage handler has no origin check."

javascript/ql/src/experimental/Security/CWE-020/examples/postMessageNoOriginCheck.js renamed to javascript/ql/src/Security/CWE-020/examples/MissingOriginCheckBad.js

@@ -1,7 +1,7 @@
 function postMessageHandler(event) {
     console.log(event.origin)
     // GOOD: the origin property is checked
-    if (event.origin === 'www.example.com') {
+    if (event.origin === 'https://www.example.com') {
         // do something
     }
 }

javascript/ql/src/experimental/Security/CWE-020/examples/postMessageWithOriginCheck.js renamed to javascript/ql/src/Security/CWE-020/examples/MissingOriginCheckGood.js

@@ -0,0 +1,5 @@
+---
+category: newQuery
+---
+* The `js/missing-origin-check` query has been added. It highlights "message" event handlers that do not check the origin of the event.  
+  The query previously existed as the experimental `js/missing-postmessageorigin-verification` query.