JS: add query js/unclosed-stream

esbena · esbena · commit e592e2b64c5f · 2021-01-21T14:20:21.000+01:00
diff --git a/javascript/config/suites/javascript/security b/javascript/config/suites/javascript/security
@@ -49,6 +49,7 @@
 + semmlecode-javascript-queries/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql: /Security/CWE/CWE-640
 + semmlecode-javascript-queries/Security/CWE-643/XpathInjection.ql: /Security/CWE/CWE-643
 + semmlecode-javascript-queries/Security/CWE-730/RegExpInjection.ql: /Security/CWE/CWE-730
++ semmlecode-javascript-queries/Security/CWE-730/UnclosedStream.ql: /Security/CWE/CWE-730
 + semmlecode-javascript-queries/Security/CWE-754/UnvalidatedDynamicMethodCall.ql: /Security/CWE/CWE-754
 + semmlecode-javascript-queries/Security/CWE-770/MissingRateLimiting.ql: /Security/CWE/CWE-770
 + semmlecode-javascript-queries/Security/CWE-776/XmlBomb.ql: /Security/CWE/CWE-776
diff --git a/javascript/ql/src/Security/CWE-730/UnclosedStream.qhelp b/javascript/ql/src/Security/CWE-730/UnclosedStream.qhelp
@@ -0,0 +1,69 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+<overview>
+
+	<p>
+
+		Callback-based input streams generate calls until they are empty or
+		closed explicitly, and they will take up system resources until
+		that point in time.
+
+	</p>
+
+	<p>
+
+		Forgetting to close a stream that no longer is useful can cause
+		unnecessary exhaustion of system resources, which may cause the
+		application to be unresponsive or even crash.
+
+	</p>
+
+</overview>
+
+<recommendation>
+
+	<p>
+
+		Close input streams explicitly when there is no interest in their
+		remaining content.
+
+	</p>
+
+</recommendation>
+
+<example>
+
+	<p>
+
+In the following example, an array stores the content of a stream
+until the array becomes too big. When that happens, an error message
+is generated, and the stream processing is supposed to end.
+
+	</p>
+
+	<sample src="examples/UnclosedStream.js"/>
+
+	<p>
+
+The stream will however keep invoking the callback until it becomes
+empty, regardless of the programmers intention to not process
+additional content. This means that the array will grow indefinitely, if a malicious actor keep sending data.
+
+Close the stream to remedy this:
+
+	</p>
+
+	<sample src="examples/UnclosedStream_fixed.js"/>
+
+</example>
+
+<references>
+
+	<li>Node.js: <a href="https://nodejs.org/api/stream.html">Stream</a></li>
+
+</references>
+
+</qhelp>
diff --git a/javascript/ql/src/Security/CWE-730/UnclosedStream.ql b/javascript/ql/src/Security/CWE-730/UnclosedStream.ql
@@ -0,0 +1,128 @@
+/**
+ * @name Unclosed stream
+ * @description A stream that is not closed may leak system resources.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id js/unclosed-stream
+ * @tags security
+ *       external/cwe/cwe-730
+ *       external/cwe/cwe-404
+ */
+
+import javascript
+
+/**
+ * Gets a function that `caller` invokes directly or indirectly as a callback to a library function.
+ */
+Function getACallee(Function caller) {
+  exists(DataFlow::InvokeNode invk | invk.getEnclosingFunction() = caller |
+    result = invk.getACallee()
+    or
+    not exists(invk.getACallee()) and
+    result = invk.getCallback(invk.getNumArgument()).getFunction()
+  )
+}
+
+/**
+ * A function that can be terminated meaningfully in an asynchronous context.
+ */
+abstract class AsyncTerminatableFunction extends DataFlow::FunctionNode {
+  /**
+   * Gets a node where this function terminates.
+   *
+   * It can be expected that no further expressions in this function will be evaluated after the evaluation of this node.
+   */
+  abstract DataFlow::Node getTermination();
+
+  /**
+   * Gets a brief description of this function.
+   */
+  abstract string getKind();
+}
+
+/**
+ * A promise executor as a function that can be terminated in an asynchronous context.
+ */
+class PromiseExecutor extends AsyncTerminatableFunction {
+  PromiseDefinition def;
+
+  PromiseExecutor() { this = def.getExecutor() }
+
+  override DataFlow::CallNode getTermination() {
+    result = [def.getRejectParameter(), def.getResolveParameter()].getACall()
+  }
+
+  override string getKind() { result = "promise" }
+}
+
+/**
+ * A callback-invoking function heuristic as a function that can be terminated in an asynchronous context.
+ */
+class FunctionWithCallback extends AsyncTerminatableFunction {
+  DataFlow::ParameterNode callbackParameter;
+
+  FunctionWithCallback() {
+    // the last parameter is the callback
+    callbackParameter = this.getLastParameter() and
+    // simple escape analysis
+    not exists(DataFlow::Node escape | callbackParameter.flowsTo(escape) |
+      escape = any(DataFlow::PropWrite w).getRhs() or
+      escape = any(DataFlow::CallNode c).getAnArgument()
+    ) and
+    // no return value
+    (this.getFunction() instanceof ArrowFunctionExpr or not exists(this.getAReturn())) and
+    // all callback invocations are terminal (note that this permits calls in closures)
+    forex(DataFlow::CallNode termination | termination = callbackParameter.getACall() |
+      termination.asExpr() = any(Function f).getExit().getAPredecessor()
+    ) and
+    // avoid confusion with promises
+    not this instanceof PromiseExecutor and
+    not exists(PromiseCandidate c | this.flowsTo(c.getAnArgument()))
+  }
+
+  override DataFlow::CallNode getTermination() { result = callbackParameter.getACall() }
+
+  override string getKind() { result = "asynchronous function" }
+}
+
+/**
+ * A data stream.
+ */
+class Stream extends DataFlow::SourceNode {
+  DataFlow::FunctionNode processor;
+
+  Stream() {
+    exists(DataFlow::CallNode onData |
+      this instanceof EventEmitter and
+      onData = this.getAMethodCall(EventEmitter::on()) and
+      onData.getArgument(0).mayHaveStringValue("data") and
+      processor = onData.getCallback(1)
+    )
+  }
+
+  /**
+   * Gets a call that closes thes stream.
+   */
+  DataFlow::Node getClose() { result = this.getAMethodCall("destroy") }
+
+  /**
+   * Gets a function that processes the content of the stream.
+   */
+  DataFlow::FunctionNode getProcessor() { result = processor }
+}
+
+from
+  AsyncTerminatableFunction terminatable, DataFlow::CallNode termination, Stream stream,
+  Function processor
+where
+  stream.getAstNode().getContainer() = getACallee*(terminatable.getFunction()) and
+  termination = terminatable.getTermination() and
+  processor = stream.getProcessor().getFunction() and
+  termination.asExpr().getEnclosingFunction() = getACallee*(processor) and
+  not exists(Function destroyFunction |
+    destroyFunction = getACallee*(processor) and
+    stream.getClose().asExpr().getEnclosingFunction() = destroyFunction
+  )
+select processor, "This stream processor $@ the enclosing $@ without closing the stream.",
+  termination, "terminates", terminatable, terminatable.getKind()
diff --git a/javascript/ql/src/Security/CWE-730/examples/UnclosedStream.js b/javascript/ql/src/Security/CWE-730/examples/UnclosedStream.js
@@ -0,0 +1,16 @@
+var https = require("https");
+
+new Promise(function dispatchHttpRequest(resolve, reject) {
+  https.request(options, function(stream) {
+    var responseBuffer = [];
+    stream.on("data", function(chunk) {
+      responseBuffer.push(chunk);
+
+      if (responseBuffer.length > 1024) {
+        reject("Input size of 1024 exceeded."); // BAD
+      }
+    });
+
+    stream.on("end", () => resolve(responseBuffer));
+  });
+});
diff --git a/javascript/ql/src/Security/CWE-730/examples/UnclosedStream_fixed.js b/javascript/ql/src/Security/CWE-730/examples/UnclosedStream_fixed.js
@@ -0,0 +1,17 @@
+var https = require("https");
+
+new Promise(function dispatchHttpRequest(resolve, reject) {
+  https.request(options, function(stream) {
+    var responseBuffer = [];
+    stream.on("data", function(chunk) {
+      responseBuffer.push(chunk);
+
+      if (responseBuffer.length > 1024) {
+        stream.destroy();
+        reject("Input size of 1024 exceeded."); // GOOD
+      }
+    });
+
+    stream.on("end", () => resolve(responseBuffer));
+  });
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-730/UnclosedStream.expected b/javascript/ql/test/query-tests/Security/CWE-730/UnclosedStream.expected
@@ -0,0 +1,5 @@
+| unclosed-stream.js:9:23:9:50 | d => re ... silly") | This stream processor $@ the enclosing $@ without closing the stream. | unclosed-stream.js:9:28:9:50 | resolve ... silly") | terminates | unclosed-stream.js:3:13:46:1 | functio ...   });\\n} | promise |
+| unclosed-stream.js:11:23:11:49 | d => re ... silly") | This stream processor $@ the enclosing $@ without closing the stream. | unclosed-stream.js:11:28:11:49 | rejectP ... silly") | terminates | unclosed-stream.js:3:13:46:1 | functio ...   });\\n} | promise |
+| unclosed-stream.js:13:23:13:50 | d => re ... silly") | This stream processor $@ the enclosing $@ without closing the stream. | unclosed-stream.js:5:5:5:24 | rejectPromise(value) | terminates | unclosed-stream.js:3:13:46:1 | functio ...   });\\n} | promise |
+| unclosed-stream.js:35:23:35:50 | d => re ... silly") | This stream processor $@ the enclosing $@ without closing the stream. | unclosed-stream.js:35:28:35:50 | resolve ... silly") | terminates | unclosed-stream.js:3:13:46:1 | functio ...   });\\n} | promise |
+| unclosed-stream.js:43:23:43:50 | d => re ... silly") | This stream processor $@ the enclosing $@ without closing the stream. | unclosed-stream.js:43:28:43:50 | resolve ... silly") | terminates | unclosed-stream.js:3:13:46:1 | functio ...   });\\n} | promise |
diff --git a/javascript/ql/test/query-tests/Security/CWE-730/UnclosedStream.qlref b/javascript/ql/test/query-tests/Security/CWE-730/UnclosedStream.qlref
@@ -0,0 +1 @@
+Security/CWE-730/UnclosedStream.ql
diff --git a/javascript/ql/test/query-tests/Security/CWE-730/unclosed-stream.js b/javascript/ql/test/query-tests/Security/CWE-730/unclosed-stream.js
@@ -0,0 +1,46 @@
+var http = require("http");
+
+new Promise(function(resolvePromise, rejectPromise) {
+  function rejectIndirect(value) {
+    rejectPromise(value);
+  }
+
+  http.request({}, function(stream) {
+    stream.on("data", d => resolvePromise("silly")); // NOT OK
+
+    stream.on("data", d => rejectPromise("silly")); // NOT OK
+
+    stream.on("data", d => rejectIndirect("silly")); // NOT OK
+
+    stream.on(
+      "error",
+      e => rejectIndirect(e) // OK
+    );
+
+    stream.on(
+      "end",
+      e => resolvePromise(e) // OK
+    );
+  });
+
+  http.request({}, function(stream) {
+    stream.on("data", d => {
+      // OK
+      stream.destroy();
+      resolvePromise("silly");
+    });
+  });
+
+  http.request({}, function(stream) {
+    stream.on("data", d => resolvePromise("silly")); // OK [INCONSISTENCY]: the other data handler closes the stream
+    stream.on("data", d => {
+      // OK
+      stream.destroy();
+      resolvePromise("silly");
+    });
+  });
+  http.request({}, function(stream) {
+    stream.on("data", d => resolvePromise("silly")); // OK [INCONSISTENCY]: the stream is closed automatically
+    setTimeout(100, () => stream.destroy());
+  });
+});
