Merge pull request #8014 from kaeluka/js/functionality-from-untrusted-source

JS: Functionality from untrusted sources query (CWE-830)

Author: Stephan Brandauer

javascript/ql/lib/semmle/javascript/HTML.qll

@@ -173,6 +173,24 @@ module HTML {
     DocumentElement() { getName() = "html" }
   }
 
+  /**
+   * An HTML `<iframe>` element.
+   *
+   * Example:
+   *
+   * ```
+   * <iframe src="https://test.local/somepage.html"></iframe>
+   * ```
+   */
+  class IframeElement extends Element {
+    IframeElement() { getName() = "iframe" }
+
+    /**
+     * Gets the value of the `src` attribute.
+     */
+    string getSourcePath() { result = getAttributeByName("src").getValue() }
+  }
+
   /**
    * An HTML `<script>` element.
    *
@@ -207,6 +225,11 @@ module HTML {
      */
     string getSourcePath() { result = getAttributeByName("src").getValue() }
 
+    /**
+     * Gets the value of the `integrity` attribute.
+     */
+    string getIntegrityDigest() { result = getAttributeByName("integrity").getValue() }
+
     /**
      * Gets the folder relative to which the `src` attribute is resolved.
      */

javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.qhelp

@@ -0,0 +1,70 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+	<overview>
+		<p>
+			Including a resource from an untrusted source or using an untrusted channel may
+			allow an attacker to include arbitrary code in the response.
+			When including an external resource (for example, a <code>script</code> element or an
+			<code>iframe</code> element) on a page, it is important to ensure that the received
+			data is not malicious.
+		</p>
+
+		<p>
+			When including external resources, it is possible to verify that the responding server
+			is the intended one by using an <code>https</code> URL.
+			This prevents a MITM (man-in-the-middle) attack where an attacker might have been able
+			to spoof a server response.
+		</p>
+
+		<p>
+			Even when <code>https</code> is used, an attacker might still compromise the server.
+			When you use a <code>script</code> element, you can check for subresource integrity -
+			that is, you can check the contents of the data received by supplying a cryptographic
+			digest of the expected sources to the <code>script</code> element. The script will only
+			load sources that match the digest and an attacker will be unable to modify the script
+			even when the server is compromised.
+		</p>
+
+		<p>
+			Subresource integrity checking is commonly recommended when importing a fixed version of
+			a library - for example, from a CDN (content-delivery network). Then, the fixed digest
+			of that version of the library can easily be added to the <code>script</code> element's
+			<code>integrity</code> attribute.
+		</p>
+	</overview>
+
+	<recommendation>
+		<p>
+			When an <code>iframe</code> element is used to embed a page, it is important to use an
+			<code>https</code> URL.
+		</p>
+
+		<p>
+			When using a <code>script</code> element to load a script, it is important to use an
+			<code>https</code> URL and to consider checking subresource integrity.
+		</p>
+	</recommendation>
+
+	<example>
+		<p>
+			The following example loads the jQuery library from the jQuery CDN without using <code>https</code>
+			and without checking subresource integrity.
+		</p>
+
+		<sample src="jquery-http-nocheck.html" />
+
+		<p>
+			Instead, loading jQuery from the same domain using <code>https</code> and checking
+			subresource integrity is recommended, as in the next example.
+		</p>
+
+		<sample src="jquery-https-check.html" />
+	</example>
+
+	<references>
+		<li>MDN: <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity">Subresource Integrity</a></li>
+		<li>Smashing Magazine: <a href="https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/">Understanding Subresource Integrity</a></li>
+	</references>
+</qhelp>

javascript/ql/src/Security/CWE-830/FunctionalityFromUntrustedSource.ql

@@ -0,0 +1,169 @@
+/**
+ * @name Inclusion of functionality from an untrusted source
+ * @description Including functionality from an untrusted source may allow
+ *              an attacker to control the functionality and execute arbitrary code.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 6.0
+ * @precision high
+ * @id js/functionality-from-untrusted-source
+ * @tags security
+ *       external/cwe/cwe-830
+ */
+
+import javascript
+
+/** A location that adds a reference to an untrusted source. */
+abstract class AddsUntrustedUrl extends Locatable {
+  /** Gets an explanation why this source is untrusted. */
+  abstract string getProblem();
+}
+
+module StaticCreation {
+  /** Holds if `host` is an alias of localhost. */
+  bindingset[host]
+  predicate isLocalhostPrefix(string host) {
+    host.toLowerCase()
+        .regexpMatch([
+            "(?i)localhost(:[0-9]+)?/.*", "127.0.0.1(:[0-9]+)?/.*", "::1/.*", "\\[::1\\]:[0-9]+/.*"
+          ])
+  }
+
+  /** Holds if `url` is a url that is vulnerable to a MITM attack. */
+  bindingset[url]
+  predicate isUntrustedSourceUrl(string url) {
+    exists(string hostPath | hostPath = url.regexpCapture("(?i)http://(.*)", 1) |
+      not isLocalhostPrefix(hostPath)
+    )
+  }
+
+  /** Holds if `url` refers to a CDN that needs an integrity check - even with https. */
+  bindingset[url]
+  predicate isCdnUrlWithCheckingRequired(string url) {
+    // Some CDN URLs are required to have an integrity attribute. We only add CDNs to that list
+    // that recommend integrity-checking.
+    url.regexpMatch("(?i)^https?://" +
+        [
+          "code\\.jquery\\.com", //
+          "cdnjs\\.cloudflare\\.com", //
+          "cdnjs\\.com" //
+        ] + "/.*\\.js$")
+  }
+
+  /** A script element that refers to untrusted content. */
+  class ScriptElementWithUntrustedContent extends AddsUntrustedUrl instanceof HTML::ScriptElement {
+    ScriptElementWithUntrustedContent() {
+      not exists(string digest | not digest = "" | super.getIntegrityDigest() = digest) and
+      isUntrustedSourceUrl(super.getSourcePath())
+    }
+
+    override string getProblem() { result = "Script loaded using unencrypted connection." }
+  }
+
+  /** A script element that refers to untrusted content. */
+  class CDNScriptElementWithUntrustedContent extends AddsUntrustedUrl, HTML::ScriptElement {
+    CDNScriptElementWithUntrustedContent() {
+      not exists(string digest | not digest = "" | this.getIntegrityDigest() = digest) and
+      isCdnUrlWithCheckingRequired(this.getSourcePath())
+    }
+
+    override string getProblem() {
+      result = "Script loaded from content delivery network with no integrity check."
+    }
+  }
+
+  /** An iframe element that includes untrusted content. */
+  class IframeElementWithUntrustedContent extends AddsUntrustedUrl instanceof HTML::IframeElement {
+    IframeElementWithUntrustedContent() { isUntrustedSourceUrl(super.getSourcePath()) }
+
+    override string getProblem() { result = "Iframe loaded using unencrypted connection." }
+  }
+}
+
+module DynamicCreation {
+  /** Holds if `call` creates a tag of kind `name`. */
+  predicate isCreateElementNode(DataFlow::CallNode call, string name) {
+    call = DataFlow::globalVarRef("document").getAMethodCall("createElement") and
+    call.getArgument(0).getStringValue().toLowerCase() = name
+  }
+
+  DataFlow::Node getAttributeAssignmentRhs(DataFlow::CallNode createCall, string name) {
+    result = createCall.getAPropertyWrite(name).getRhs()
+    or
+    exists(DataFlow::InvokeNode inv | inv = createCall.getAMemberInvocation("setAttribute") |
+      inv.getArgument(0).getStringValue() = name and
+      result = inv.getArgument(1)
+    )
+  }
+
+  /**
+   * Holds if `createCall` creates a `<script ../>` element which never
+   * has its `integrity` attribute set locally.
+   */
+  predicate isCreateScriptNodeWoIntegrityCheck(DataFlow::CallNode createCall) {
+    isCreateElementNode(createCall, "script") and
+    not exists(getAttributeAssignmentRhs(createCall, "integrity"))
+  }
+
+  DataFlow::Node urlTrackedFromUnsafeSourceLiteral(DataFlow::TypeTracker t) {
+    t.start() and result.getStringValue().regexpMatch("(?i)http:.*")
+    or
+    exists(DataFlow::TypeTracker t2, DataFlow::Node prev |
+      prev = urlTrackedFromUnsafeSourceLiteral(t2)
+    |
+      not exists(string httpsUrl | httpsUrl.toLowerCase() = "https:" + any(string rest) |
+        // when the result may have a string value starting with https,
+        // we're most likely with an assignment like:
+        // e.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'
+        // these assignments, we don't want to fix - once the browser is using http,
+        // MITM attacks are possible anyway.
+        result.mayHaveStringValue(httpsUrl)
+      ) and
+      (
+        t2 = t.smallstep(prev, result)
+        or
+        TaintTracking::sharedTaintStep(prev, result) and
+        t = t2
+      )
+    )
+  }
+
+  DataFlow::Node urlTrackedFromUnsafeSourceLiteral() {
+    result = urlTrackedFromUnsafeSourceLiteral(DataFlow::TypeTracker::end())
+  }
+
+  /** Holds if `sink` is assigned to the attribute `name` of any HTML element. */
+  predicate isAssignedToSrcAttribute(string name, DataFlow::Node sink) {
+    exists(DataFlow::CallNode createElementCall |
+      sink = getAttributeAssignmentRhs(createElementCall, "src") and
+      (
+        name = "script" and
+        isCreateScriptNodeWoIntegrityCheck(createElementCall)
+        or
+        name = "iframe" and
+        isCreateElementNode(createElementCall, "iframe")
+      )
+    )
+  }
+
+  class IframeOrScriptSrcAssignment extends AddsUntrustedUrl {
+    string name;
+
+    IframeOrScriptSrcAssignment() {
+      name = ["script", "iframe"] and
+      exists(DataFlow::Node n | n.asExpr() = this |
+        isAssignedToSrcAttribute(name, n) and
+        n = urlTrackedFromUnsafeSourceLiteral()
+      )
+    }
+
+    override string getProblem() {
+      name = "script" and result = "Script loaded using unencrypted connection."
+      or
+      name = "iframe" and result = "Iframe loaded using unencrypted connection."
+    }
+  }
+}
+
+from AddsUntrustedUrl s
+select s, s.getProblem()

javascript/ql/src/Security/CWE-830/jquery-http-nocheck.html

@@ -0,0 +1,9 @@
+<html>
+    <head>
+        <title>jQuery demo</title>
+        <script src="http://code.jquery.com/jquery-3.6.0.slim.min.js" crossorigin="anonymous"></script>
+    </head>
+    <body>
+        ...
+    </body>
+</html>

javascript/ql/src/Security/CWE-830/jquery-https-check.html

@@ -0,0 +1,9 @@
+<html>
+    <head>
+        <title>jQuery demo</title>
+        <script src="https://code.jquery.com/jquery-3.6.0.slim.min.js" integrity="sha256-u7e5khyithlIdTpu22PHhENmPcRdFiHRjhAuHcs05RI=" crossorigin="anonymous"></script>
+    </head>
+    <body>
+        ...
+    </body>
+</html>

javascript/ql/src/change-notes/2022-02-14-functionality-from-untrusted-source.md

@@ -0,0 +1,6 @@
+---
+category: newQuery
+---
+* A new query, `js/functionality-from-untrusted-source`, has been added to the query suite. It finds DOM elements
+  that load functionality from untrusted sources, like `script` or `iframe` elements using `http` links.
+  The query is run by default.

javascript/ql/test/query-tests/Security/CWE-830/DynamicCreationOfUntrustedSourceUse.html

@@ -0,0 +1,49 @@
+<html>
+    <head>
+        <script type="text/javascript">
+            (function() {
+              // OK (we accept this, as a http document location is vulnerable anyway)
+              var scrpt = document.createElement('script');
+              scrpt.type = 'text/javascript';
+              scrpt.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.cdn.local/ga.js';
+
+              // OK (integrity digest present)
+              var scrpt2 = document.createElement('script');
+              scrpt2.type = 'text/javascript';
+              scrpt2.src = 'http://www.cdn.local/ga.js';
+              scrpt2.integrity = 'sha256-h0UuK3mE9taiYlB5u9vT9A0s/XDgkfVd+F4VhN/sky=';
+
+              // NOT OK (http + ternary)
+              var scrpt3 = document.createElement('script');
+              scrpt3.type = 'text/javascript';
+              scrpt3.src = ('https:' == document.location.protocol ? 'http://unsafe' : 'http://also-unsafe') + '.cdn.local/ga.js';
+
+              // NOT OK (http URL)
+              var ifrm = document.createElement('iframe');
+              ifrm.src = 'http://www.example.com/';
+
+              // OK (https URL)
+              var ifrm2 = document.createElement('iframe');
+              ifrm2.src = 'https://www.example.com/';
+
+              // NOT OK (http URL tracked through calls)
+              function getUrl(version) {
+                return 'http://www.cdn.local/'+version+'/ga.js';
+              }
+              var ifrm3 = document.createElement('iframe');
+              ifrm3.src = getUrl('v123');
+
+              // NOT OK (assignment of bad URL using setAttribute)
+              var ifrm4 = document.createElement('iframe');
+              ifrm4.setAttribute('src', 'http://www.example.local/page.html');
+
+              // OK (bad URL, but the attribute is not `src`)
+              var ifrm5 = document.createElement('iframe');
+              ifrm5.setAttribute('data-src', 'http://www.example.local/page.html');
+            })();
+          </script>
+    </head>
+    <body>
+        hello
+    </body>
+</html>

javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.expected

@@ -0,0 +1,7 @@
+| DynamicCreationOfUntrustedSourceUse.html:19:28:19:129 | ('https ... /ga.js' | Script loaded using unencrypted connection. |
+| DynamicCreationOfUntrustedSourceUse.html:23:26:23:50 | 'http:/ ... e.com/' | Iframe loaded using unencrypted connection. |
+| DynamicCreationOfUntrustedSourceUse.html:34:27:34:40 | getUrl('v123') | Iframe loaded using unencrypted connection. |
+| DynamicCreationOfUntrustedSourceUse.html:38:41:38:76 | 'http:/ ... e.html' | Iframe loaded using unencrypted connection. |
+| StaticCreationOfUntrustedSourceUse.html:6:9:6:56 | <script>...</> | Script loaded using unencrypted connection. |
+| StaticCreationOfUntrustedSourceUse.html:9:9:9:58 | <iframe>...</> | Iframe loaded using unencrypted connection. |
+| StaticCreationOfUntrustedSourceUse.html:21:9:21:155 | <script>...</> | Script loaded from content delivery network with no integrity check. |

javascript/ql/test/query-tests/Security/CWE-830/FunctionalityFromUntrustedSource.qlref

@@ -0,0 +1 @@
+Security/CWE-830/FunctionalityFromUntrustedSource.ql

javascript/ql/test/query-tests/Security/CWE-830/StaticCreationOfUntrustedSourceUse.html

@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+    <head>
+    </head>
+    <body>
+        <script src="http://test.local/foo.js"></script>> <!-- NOT OK -->
+        <script src="http://test.local/foo.js" integrity="some-integrity-hash"></script>>  <!-- OK (integrity digest present) -->
+        <script src="https://test.local/bar.js"></script>> <!-- OK (https) -->
+        <iframe src="http://test.local/foo.html"></iframe> <!-- NOT OK -->
+        <iframe src="https://test.local/foo.html"></iframe> <!-- OK (https) -->
+        <iframe src="//test.local/foo.html"></iframe> <!-- OK (protocol-relative url is allowed as a http url of 
+            the page is vulnerable in the first place) -->
+        <iframe src="http://::1/foo.html"></iframe> <!-- OK (localhost) -->
+        <iframe src="http://[::1]:80/foo.html"></iframe> <!-- OK (localhost) -->
+        <iframe src="http://127.0.0.1:444/foo.html"></iframe> <!-- OK (localhost) -->
+
+        <!-- Some CDNs recommend using the integrity attribute — for those, we demand it even with https links -->
+        <!-- OK (digest present) -->
+        <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js" integrity="sha512-7oYXeK0OxTFxndh0erL8FsjGvrl2VMDor6fVqzlLGfwOQQqTbYsGPv4ZZ15QHfSk80doyaM0ZJdvkyDcVO7KFA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+        <!-- NOT OK (digest missing) -->
+        <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.2/angular.min.js" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
+    </body>
+</html>