Added modeling of firebase-admin and some other functions.

Author: Napalys

javascript/ql/lib/ext/firebase.model.yml

@@ -7,14 +7,16 @@ extensions:
       - ["FirebaseDBRef", "FirebaseDBRef", "Member[once,on].Argument[1].Parameter[0]"]
       - ["FirebaseDBRef", "FirebaseDBRef", "Member[once,on].ReturnValue.Member[then].Argument[0].Parameter[0]"]
       - ["FirebaseDBRef", "FirebaseDBRef", "Member[ref,root,parent,before,after]"]
-      - ["FirebaseDBRef", "FirebaseDBRef", "Member[child].ReturnValue"]
-
+      - ["FirebaseDBRef", "FirebaseDBRef", "Member[child,once,on,orderByChild,equalTo,endAt,startAt,limitToLast,orderByKey].ReturnValue"]
       - ["FirebaseDBRef", "firebase-functions", "Member[database].Member[ref,refFromURL].ReturnValue"]
-      - ["FirebaseDBRef", "FirebaseDBRef", "Member[onCreate,onUpdate].Argument[0].Parameter[0]"]
+      - ["FirebaseDBRef", "FirebaseDBRef", "Member[onCreate,onUpdate,onWrite,onDelete,transaction].Argument[0].Parameter[0]"]
+      - ["FirebaseDBRef", "firebase-admin", "Member[database].ReturnValue.Member[ref,refFromURL].ReturnValue"]
+      - ["FirebaseApp", "firebase-admin", "Member[initializeApp,app].ReturnValue"]
+      - ["FirebaseDBRef", "FirebaseApp", "Member[database].ReturnValue.Member[ref,refFromURL].ReturnValue"]
+
   - addsTo:
       pack: codeql/javascript-all
       extensible: sourceModel
     data:
       - ["FirebaseDBRef", "Member[val,exportVal].ReturnValue", 'remote']
       - ["FirebaseDBRef", "Member[forEach].Argument[0].Parameter[0].Member[val,exportVal].ReturnValue", 'remote']
-  

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected

@@ -73,6 +73,7 @@
 | firebase-client.js:33:52:33:65 | snapshot.val() | firebase-client.js:33:52:33:65 | snapshot.val() | firebase-client.js:33:52:33:65 | snapshot.val() | Cross-site scripting vulnerability due to $@. | firebase-client.js:33:52:33:65 | snapshot.val() | user-provided value |
 | firebase-client.js:38:56:38:67 | userData.bio | firebase-client.js:37:22:37:35 | snapshot.val() | firebase-client.js:38:56:38:67 | userData.bio | Cross-site scripting vulnerability due to $@. | firebase-client.js:37:22:37:35 | snapshot.val() | user-provided value |
 | firebase-client.js:44:55:44:74 | parentSnapshot.val() | firebase-client.js:44:55:44:74 | parentSnapshot.val() | firebase-client.js:44:55:44:74 | parentSnapshot.val() | Cross-site scripting vulnerability due to $@. | firebase-client.js:44:55:44:74 | parentSnapshot.val() | user-provided value |
+| firebase-client.js:52:57:52:70 | snapshot.val() | firebase-client.js:52:57:52:70 | snapshot.val() | firebase-client.js:52:57:52:70 | snapshot.val() | Cross-site scripting vulnerability due to $@. | firebase-client.js:52:57:52:70 | snapshot.val() | user-provided value |
 | jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:40 | documen ... .search | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |
 | jquery.js:8:18:8:34 | "XSS: " + tainted | jquery.js:2:17:2:40 | documen ... .search | jquery.js:8:18:8:34 | "XSS: " + tainted | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |
 | jquery.js:10:5:10:40 | "<b>" + ...  "</b>" | jquery.js:10:13:10:20 | location | jquery.js:10:5:10:40 | "<b>" + ...  "</b>" | Cross-site scripting vulnerability due to $@. | jquery.js:10:13:10:20 | location | user-provided value |
@@ -994,6 +995,7 @@ nodes
 | firebase-client.js:38:56:38:63 | userData | semmle.label | userData |
 | firebase-client.js:38:56:38:67 | userData.bio | semmle.label | userData.bio |
 | firebase-client.js:44:55:44:74 | parentSnapshot.val() | semmle.label | parentSnapshot.val() |
+| firebase-client.js:52:57:52:70 | snapshot.val() | semmle.label | snapshot.val() |
 | jquery.js:2:7:2:40 | tainted | semmle.label | tainted |
 | jquery.js:2:17:2:40 | documen ... .search | semmle.label | documen ... .search |
 | jquery.js:4:5:4:11 | tainted | semmle.label | tainted |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/XssWithAdditionalSources.expected

@@ -174,6 +174,7 @@ nodes
 | firebase-client.js:38:56:38:63 | userData | semmle.label | userData |
 | firebase-client.js:38:56:38:67 | userData.bio | semmle.label | userData.bio |
 | firebase-client.js:44:55:44:74 | parentSnapshot.val() | semmle.label | parentSnapshot.val() |
+| firebase-client.js:52:57:52:70 | snapshot.val() | semmle.label | snapshot.val() |
 | hana.js:11:37:11:40 | rows | semmle.label | rows |
 | hana.js:11:37:11:51 | rows[0].comment | semmle.label | rows[0].comment |
 | hana.js:16:37:16:40 | rows | semmle.label | rows |

javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/firebase-client.js

@@ -49,7 +49,7 @@ function fun2(category){
     dbPath = 'users/' + firebase.auth().currentUser.uid;
     dbRef = firebase.database().ref(dbPath);
     dbRef.set({'test': randomString}).then(function() {return dbRef.once('value');}).then(function(snapshot) {
-        document.getElementById("userData").innerHTML = snapshot.val(); // $ MISSING: Alert
+        document.getElementById("userData").innerHTML = snapshot.val(); // $ Alert
         return dbRef.remove();
     }); 
 }

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected

@@ -33,6 +33,13 @@
 | firebase-server.js:14:10:14:23 | x.before.val() | firebase-server.js:14:10:14:23 | x.before.val() | firebase-server.js:14:10:14:23 | x.before.val() | This code execution depends on a $@. | firebase-server.js:14:10:14:23 | x.before.val() | user-provided value |
 | firebase-server.js:15:10:15:22 | x.after.val() | firebase-server.js:15:10:15:22 | x.after.val() | firebase-server.js:15:10:15:22 | x.after.val() | This code execution depends on a $@. | firebase-server.js:15:10:15:22 | x.after.val() | user-provided value |
 | firebase-server.js:17:14:17:38 | grandPa ... t.val() | firebase-server.js:17:14:17:38 | grandPa ... t.val() | firebase-server.js:17:14:17:38 | grandPa ... t.val() | This code execution depends on a $@. | firebase-server.js:17:14:17:38 | grandPa ... t.val() | user-provided value |
+| firebase-server.js:21:10:21:27 | change.after.val() | firebase-server.js:21:10:21:27 | change.after.val() | firebase-server.js:21:10:21:27 | change.after.val() | This code execution depends on a $@. | firebase-server.js:21:10:21:27 | change.after.val() | user-provided value |
+| firebase-server.js:22:10:22:28 | change.before.val() | firebase-server.js:22:10:22:28 | change.before.val() | firebase-server.js:22:10:22:28 | change.before.val() | This code execution depends on a $@. | firebase-server.js:22:10:22:28 | change.before.val() | user-provided value |
+| firebase-server.js:26:10:26:21 | change.val() | firebase-server.js:26:10:26:21 | change.val() | firebase-server.js:26:10:26:21 | change.val() | This code execution depends on a $@. | firebase-server.js:26:10:26:21 | change.val() | user-provided value |
+| firebase-server.js:27:10:27:21 | change.val() | firebase-server.js:27:10:27:21 | change.val() | firebase-server.js:27:10:27:21 | change.val() | This code execution depends on a $@. | firebase-server.js:27:10:27:21 | change.val() | user-provided value |
+| firebase-server.js:33:25:33:44 | statusSnapshot.val() | firebase-server.js:33:25:33:44 | statusSnapshot.val() | firebase-server.js:33:25:33:44 | statusSnapshot.val() | This code execution depends on a $@. | firebase-server.js:33:25:33:44 | statusSnapshot.val() | user-provided value |
+| firebase-server.js:44:12:44:30 | childSnapshot.val() | firebase-server.js:44:12:44:30 | childSnapshot.val() | firebase-server.js:44:12:44:30 | childSnapshot.val() | This code execution depends on a $@. | firebase-server.js:44:12:44:30 | childSnapshot.val() | user-provided value |
+| firebase-server.js:55:10:55:19 | snap.val() | firebase-server.js:55:10:55:19 | snap.val() | firebase-server.js:55:10:55:19 | snap.val() | This code execution depends on a $@. | firebase-server.js:55:10:55:19 | snap.val() | user-provided value |
 | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value |
 | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value |
 | react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
@@ -156,6 +163,13 @@ nodes
 | firebase-server.js:14:10:14:23 | x.before.val() | semmle.label | x.before.val() |
 | firebase-server.js:15:10:15:22 | x.after.val() | semmle.label | x.after.val() |
 | firebase-server.js:17:14:17:38 | grandPa ... t.val() | semmle.label | grandPa ... t.val() |
+| firebase-server.js:21:10:21:27 | change.after.val() | semmle.label | change.after.val() |
+| firebase-server.js:22:10:22:28 | change.before.val() | semmle.label | change.before.val() |
+| firebase-server.js:26:10:26:21 | change.val() | semmle.label | change.val() |
+| firebase-server.js:27:10:27:21 | change.val() | semmle.label | change.val() |
+| firebase-server.js:33:25:33:44 | statusSnapshot.val() | semmle.label | statusSnapshot.val() |
+| firebase-server.js:44:12:44:30 | childSnapshot.val() | semmle.label | childSnapshot.val() |
+| firebase-server.js:55:10:55:19 | snap.val() | semmle.label | snap.val() |
 | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
 | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
 | react-native.js:7:7:7:33 | tainted | semmle.label | tainted |

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected

@@ -88,6 +88,13 @@ nodes
 | firebase-server.js:14:10:14:23 | x.before.val() | semmle.label | x.before.val() |
 | firebase-server.js:15:10:15:22 | x.after.val() | semmle.label | x.after.val() |
 | firebase-server.js:17:14:17:38 | grandPa ... t.val() | semmle.label | grandPa ... t.val() |
+| firebase-server.js:21:10:21:27 | change.after.val() | semmle.label | change.after.val() |
+| firebase-server.js:22:10:22:28 | change.before.val() | semmle.label | change.before.val() |
+| firebase-server.js:26:10:26:21 | change.val() | semmle.label | change.val() |
+| firebase-server.js:27:10:27:21 | change.val() | semmle.label | change.val() |
+| firebase-server.js:33:25:33:44 | statusSnapshot.val() | semmle.label | statusSnapshot.val() |
+| firebase-server.js:44:12:44:30 | childSnapshot.val() | semmle.label | childSnapshot.val() |
+| firebase-server.js:55:10:55:19 | snap.val() | semmle.label | snap.val() |
 | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
 | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
 | react-native.js:7:7:7:33 | tainted | semmle.label | tainted |

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/firebase-server.js

@@ -18,19 +18,19 @@ functions.database.ref('x').onUpdate(x => {
     });
 });
 functions.database.ref('/messages/{messageId}').onWrite((change, context) => {
-    eval(change.after.val()); // $ MISSING: Alert[js/code-injection]
-    eval(change.before.val()); // $ MISSING: Alert[js/code-injection]
+    eval(change.after.val()); // $ Alert[js/code-injection]
+    eval(change.before.val()); // $ Alert[js/code-injection]
 });
 
 functions.database.ref('/messages/{messageId}').onDelete((change, context) => {
-    eval(change.val()); // $ MISSING: Alert[js/code-injection]
-    eval(change.val()); // $ MISSING: Alert[js/code-injection]
+    eval(change.val()); // $ Alert[js/code-injection]
+    eval(change.val()); // $ Alert[js/code-injection]
 });
 
 functions.database.ref('/status/{uid}').onUpdate(async (change, context) => {
     const eventStatus = change.after.val();
     const statusSnapshot = await change.after.ref.once('value');
-    const status = eval(statusSnapshot.val()); // $ MISSING: Alert[js/code-injection]
+    const status = eval(statusSnapshot.val()); // $ Alert[js/code-injection]
     return null;
 });
 
@@ -41,7 +41,7 @@ function fun(category){
     let messages = [];
     snapshot.forEach((childSnapshot) => {
       messages.push({key: childSnapshot.key, message: childSnapshot.val().message});
-      eval(childSnapshot.val()); // $ MISSING: Alert[js/code-injection]
+      eval(childSnapshot.val()); // $ Alert[js/code-injection]
     });
 }
 
@@ -52,5 +52,5 @@ async function fun3(uid, postId, size) {
     app = admin.initializeApp(config, uid);
     const imageUrlRef = app.database().ref(`/posts`);
     const snap = await imageUrlRef.once('value');
-    eval(snap.val()); // $ MISSING: Alert[js/code-injection]
+    eval(snap.val()); // $ Alert[js/code-injection]
 }