Refactor utils lib modelling

Author: knewbury01

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPPathInjectionQuery.qll

@@ -0,0 +1,231 @@
+/**
+ * Exported functions from CAP `cds.utils`.
+ * Functions described from:
+ * https://www.npmjs.com/package/@sap/cds?activeTab=code
+ */
+
+import javascript
+import advanced_security.javascript.frameworks.cap.CDS
+
+/**
+ * An access to the `utils` module on a CDS facade.
+ */
+class CdsUtilsModuleAccess extends API::Node {
+  CdsUtilsModuleAccess() { exists(CdsFacade cds | this = cds.getMember("utils")) }
+}
+
+class PathConverters extends DataFlow::Node {
+  PathConverters() {
+    exists(CdsUtilsModuleAccess utils |
+      utils.getMember(["decodeURI", "decodeURIComponent", "local"]).getACall() = this
+    )
+  }
+
+  SourceNode pathConvertersUtils(TypeTracker t) {
+    t.start() and
+    result = this
+    or
+    exists(TypeTracker t2 | result = pathConvertersUtils(t2).track(t2, t))
+  }
+
+  SourceNode pathConvertersUtils() { result = pathConvertersUtils(TypeTracker::end()) }
+
+  DataFlow::Node getPath() { pathConvertersUtils().(DataFlow::CallNode).getAnArgument() = result }
+}
+
+class PathPredicates extends DataFlow::Node {
+  PathPredicates() {
+    exists(CdsUtilsModuleAccess utils | utils.getMember(["isdir", "isfile"]).getACall() = this)
+  }
+
+  SourceNode pathPredicateUtils(TypeTracker t) {
+    t.start() and
+    result = this
+    or
+    exists(TypeTracker t2 | result = pathPredicateUtils(t2).track(t2, t))
+  }
+
+  SourceNode pathPredicateUtils() { result = pathPredicateUtils(TypeTracker::end()) }
+
+  DataFlow::Node getPath() { pathPredicateUtils().(DataFlow::CallNode).getAnArgument() = result }
+}
+
+class DirectoryReaders extends DataFlow::Node {
+  DirectoryReaders() {
+    exists(CdsUtilsModuleAccess utils |
+      utils.getMember(["find", "stat", "readdir"]).getACall() = this
+    )
+  }
+
+  SourceNode directoryReaderUtils(TypeTracker t) {
+    t.start() and
+    result = this
+    or
+    exists(TypeTracker t2 | result = directoryReaderUtils(t2).track(t2, t))
+  }
+
+  SourceNode directoryReaderUtils() { result = directoryReaderUtils(TypeTracker::end()) }
+
+  DataFlow::Node getPath() { directoryReaderUtils().(DataFlow::CallNode).getAnArgument() = result }
+}
+
+class DirectoryWriters extends DataFlow::Node {
+  DirectoryWriters() {
+    exists(CdsUtilsModuleAccess utils |
+      utils.getMember(["mkdirp", "rmdir", "rimraf", "rm"]).getACall() = this
+    )
+  }
+
+  SourceNode directoryWriterUtils(TypeTracker t) {
+    t.start() and
+    result = this
+    or
+    exists(TypeTracker t2 | result = directoryWriterUtils(t2).track(t2, t))
+  }
+
+  SourceNode directoryWriterUtils() { result = directoryWriterUtils(TypeTracker::end()) }
+
+  DataFlow::Node getPath() { directoryWriterUtils().(DataFlow::CallNode).getAnArgument() = result }
+}
+
+class FileReaders extends DataFlow::Node {
+  FileReaders() { exists(CdsUtilsModuleAccess utils | utils.getMember(["read"]).getACall() = this) }
+
+  SourceNode fileReaderUtils(TypeTracker t) {
+    t.start() and
+    result = this
+    or
+    exists(TypeTracker t2 | result = fileReaderUtils(t2).track(t2, t))
+  }
+
+  SourceNode fileReaderUtils() { result = fileReaderUtils(TypeTracker::end()) }
+
+  DataFlow::Node getPath() { fileReaderUtils().(DataFlow::CallNode).getArgument(0) = result }
+}
+
+class FileWriters extends DataFlow::Node {
+  FileWriters() {
+    exists(CdsUtilsModuleAccess utils | utils.getMember(["append", "write"]).getACall() = this)
+  }
+
+  SourceNode fileWriterUtils(TypeTracker t) {
+    t.start() and
+    result = this
+    or
+    exists(TypeTracker t2 | result = fileWriterUtils(t2).track(t2, t))
+  }
+
+  SourceNode fileWriterUtils() { result = fileWriterUtils(TypeTracker::end()) }
+
+  DataFlow::Node getData() {
+    exists(DataFlow::CallNode write |
+      write = fileWriterUtils() and
+      (
+        write.getNumArgument() = 1 and
+        write.getArgument(0) = result
+        or
+        write.getNumArgument() = 2 and
+        write.getArgument(1) = result
+      )
+    )
+  }
+
+  DataFlow::Node getPath() {
+    exists(DataFlow::CallNode write |
+      write = fileWriterUtils() and
+      (
+        write.getAMemberCall("to").getAnArgument() = result
+        or
+        write.getNumArgument() = 2 and
+        write.getArgument(0) = result
+      )
+    )
+  }
+}
+
+class FileReaderWriters extends DataFlow::Node {
+  FileReaderWriters() {
+    exists(CdsUtilsModuleAccess utils | utils.getMember(["copy"]).getACall() = this)
+  }
+
+  SourceNode fileReaderWriterUtils(TypeTracker t) {
+    t.start() and
+    result = this
+    or
+    exists(TypeTracker t2 | result = fileReaderWriterUtils(t2).track(t2, t))
+  }
+
+  SourceNode fileReaderWriterUtils() { result = fileReaderWriterUtils(TypeTracker::end()) }
+
+  DataFlow::Node getPath() {
+    exists(DataFlow::CallNode copy |
+      copy = fileReaderWriterUtils() and
+      (
+        copy.getAMemberCall("to").getArgument(_) = result
+        or
+        copy.getArgument(_) = result
+      )
+    )
+  }
+}
+
+abstract class UtilsSink extends DataFlow::Node { }
+
+abstract class UtilsExtraFlow extends DataFlow::Node { }
+
+/**
+ * This represents the data in calls as follows:
+ * ```javascript
+ * await write ({foo:'bar'}) .to ('some','file.json')
+ * ```
+ * sinks in this example are:
+ * ```javascript
+ * {foo:'bar'}
+ * ```
+ */
+class WrittenData extends UtilsSink {
+  WrittenData() { exists(FileWriters fw | fw.getData() = this) }
+}
+
+/**
+ * This represents the filepath in calls as follows:
+ * ```javascript
+ * await write ({foo:'bar'}) .to ('some','file.json')
+ * ```
+ * sinks in this example are:
+ * ```javascript
+ * 'some'
+ * 'file.json'
+ * ```
+ */
+class WrittenPath extends UtilsSink {
+  WrittenPath() {
+    exists(FileReaders fw | fw.getPath() = this)
+    or
+    exists(FileReaderWriters fw | fw.getPath() = this)
+    or
+    exists(FileWriters fw | fw.getPath() = this)
+    or
+    exists(DirectoryWriters dw | dw.getPath() = this)
+    or
+    exists(DirectoryReaders dr | dr.getPath() = this)
+  }
+}
+
+/**
+ * This represents calls where the taint flows through the call. e.g.
+ * ```javascript
+ * let dir = isdir ('app')
+ * ```
+ */
+class AdditionalFlowStep extends UtilsExtraFlow {
+  AdditionalFlowStep() {
+    exists(PathConverters pc | pc.getPath() = this)
+    or
+    exists(PathPredicates pr | pr.getPath() = this)
+  }
+
+  DataFlow::CallNode getOutgoingNode() { result = this }
+
+  DataFlow::Node getIngoingNode() { result = this.(DataFlow::CallNode).getAnArgument() }
+}

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll

@@ -1040,81 +1040,3 @@ class CdsQlCall extends CqlClauseParserCall {
     )
   }
 }
-
-/**
- * Exported functions from CAP `cds.utils`.
- * Functions described from:
- * https://www.npmjs.com/package/@sap/cds?activeTab=code
- */
-module CdsUtils {
-  /**
-   * An access to the `utils` module on a CDS facade.
-   */
-  class CdsUtilsModuleAccess extends API::Node {
-    CdsUtilsModuleAccess() { exists(CdsFacade cds | this = cds.getMember("utils")) }
-
-    //additional flow steps
-    DataFlow::CallNode getThroughCall() {
-      result =
-        this.getMember(["decodeURI", "decodeURIComponent", "local", "isdir", "isfile"]).getACall()
-    }
-
-    //sinks
-    DataFlow::CallNode getSingleArgCalls() {
-      result =
-        this.getMember(["find", "stat", "read", "readdir", "mkdirp", "rmdir", "rimraf", "rm"])
-            .getACall()
-    }
-
-    DataFlow::CallNode getCopyWriteCall() {
-      result = this.getMember(["append", "copy", "write"]).getACall()
-    }
-  }
-
-  abstract class UtilsSink extends DataFlow::Node { }
-
-  abstract class UtilsExtraFlow extends DataFlow::Node { }
-
-  /**
-   * This represents both the data and the filename in calls as follows:
-   * ```javascript
-   * await write ({foo:'bar'}) .to ('some','file.json')
-   * ```
-   * sinks in this example are:
-   * ```javascript
-   * {foo:'bar'}
-   * 'some'
-   * 'file.json'
-   * ```
-   */
-  class SrcDstSink extends UtilsSink {
-    SrcDstSink() {
-      this = copyWriteUtils().(DataFlow::CallNode).getAnArgument() or
-      this = copyWriteUtils().getAMemberCall("to").getAnArgument()
-    }
-  }
-
-  /**
-   * This represents arguments to calls where the argument represents a path. e.g.
-   * ```javascript
-   * await rimraf('dist','db','data')
-   * ```
-   */
-  class SimpleSinks extends UtilsSink {
-    SimpleSinks() { this = singleArgCallsUtils().(DataFlow::CallNode).getAnArgument() }
-  }
-
-  /**
-   * This represents calls where the taint flows through the call. e.g.
-   * ```javascript
-   * let dir = isdir ('app')
-   * ```
-   */
-  class SimpleAdditionalFlowStep extends UtilsExtraFlow {
-    SimpleAdditionalFlowStep() { this = singleArgAdditionalFlowUtils() }
-
-    DataFlow::CallNode getOutgoingNode() { result = this }
-
-    DataFlow::Node getIngoingNode() { result = this.(DataFlow::CallNode).getAnArgument() }
-  }
-}

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/TypeTrackers.qll

@@ -39,32 +39,3 @@ private SourceNode cdsApplicationServiceInstantiation(TypeTracker t) {
 SourceNode cdsApplicationServiceInstantiation() {
   result = cdsApplicationServiceInstantiation(TypeTracker::end())
 }
-
-SourceNode copyWriteUtils(TypeTracker t) {
-  t.start() and
-  exists(CdsUtils::CdsUtilsModuleAccess mod | result = mod.getCopyWriteCall())
-  or
-  exists(TypeTracker t2 | result = copyWriteUtils(t2).track(t2, t))
-}
-
-SourceNode copyWriteUtils() { result = copyWriteUtils(TypeTracker::end()) }
-
-SourceNode singleArgCallsUtils(TypeTracker t) {
-  t.start() and
-  exists(CdsUtils::CdsUtilsModuleAccess mod | result = mod.getSingleArgCalls())
-  or
-  exists(TypeTracker t2 | result = singleArgCallsUtils(t2).track(t2, t))
-}
-
-SourceNode singleArgCallsUtils() { result = singleArgCallsUtils(TypeTracker::end()) }
-
-SourceNode singleArgAdditionalFlowUtils(TypeTracker t) {
-  t.start() and
-  exists(CdsUtils::CdsUtilsModuleAccess mod | result = mod.getThroughCall())
-  or
-  exists(TypeTracker t2 | result = singleArgAdditionalFlowUtils(t2).track(t2, t))
-}
-
-SourceNode singleArgAdditionalFlowUtils() {
-  result = singleArgAdditionalFlowUtils(TypeTracker::end())
-}

javascript/frameworks/cap/test/models/cds/utils/utils.expected

@@ -1,8 +1,8 @@
-| utils.js:5:11:5:31 | decodeU ... %A4%A") | decodeU ... %A4%A"): additional flow step |
-| utils.js:7:12:7:41 | decodeU ... %A4%A") | decodeU ... %A4%A"): additional flow step |
-| utils.js:9:12:9:28 | local("%E0%A4%A") | local("%E0%A4%A"): additional flow step |
-| utils.js:13:11:13:22 | isdir('app') | isdir('app'): additional flow step |
-| utils.js:15:12:15:33 | isfile( ... .json') | isfile( ... .json'): additional flow step |
+| utils.js:5:21:5:30 | "%E0%A4%A" | "%E0%A4%A": additional flow step |
+| utils.js:7:31:7:40 | "%E0%A4%A" | "%E0%A4%A": additional flow step |
+| utils.js:9:18:9:27 | "%E0%A4%A" | "%E0%A4%A": additional flow step |
+| utils.js:13:17:13:21 | 'app' | 'app': additional flow step |
+| utils.js:15:19:15:32 | 'package.json' | 'package.json': additional flow step |
 | utils.js:17:22:17:35 | 'package.json' | 'package.json': sink |
 | utils.js:19:26:19:39 | 'package.json' | 'package.json': sink |
 | utils.js:21:20:21:33 | 'package.json' | 'package.json': sink |

javascript/frameworks/cap/test/models/cds/utils/utils.ql

@@ -1,9 +1,9 @@
 import javascript
-import advanced_security.javascript.frameworks.cap.CDS
+import advanced_security.javascript.frameworks.cap.CAPPathInjectionQuery
 
 from DataFlow::Node node, string str, string strfull
 where
-  node.(CdsUtils::UtilsSink).toString() = str and strfull = str + ": sink"
+  node.(UtilsSink).toString() = str and strfull = str + ": sink"
   or
-  node.(CdsUtils::UtilsExtraFlow).toString() = str and strfull = str + ": additional flow step"
+  node.(UtilsExtraFlow).toString() = str and strfull = str + ": additional flow step"
 select node, strfull