-
Notifications
You must be signed in to change notification settings - Fork 4
Expand file tree
/
Copy pathUI5LogsToHttp.ql
More file actions
101 lines (89 loc) · 3.51 KB
/
UI5LogsToHttp.ql
File metadata and controls
101 lines (89 loc) · 3.51 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
/**
* @name UI5 Log injection in outbound network request
* @description Building log entries from user-controlled sources is vulnerable to
* insertion of forged log entries by a malicious user.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.5
* @precision medium
* @id js/ui5-log-injection-to-http
* @tags security
* external/cwe/cwe-117
*/
import javascript
import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow
import semmle.javascript.frameworks.data.internal.ApiGraphModels
import advanced_security.javascript.frameworks.ui5.UI5LogInjectionQuery
import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow::UI5PathGraph
class ClientRequestInjectionVector extends DataFlow::Node {
ClientRequestInjectionVector() {
exists(ClientRequest req |
this = req.getUrl() or
this = req.getADataNode()
)
}
}
class UI5LogEntryFlowState extends DataFlow::FlowLabel {
UI5LogEntryFlowState() {
this = ["not-logged-not-accessed", "logged-not-accessed", "logged-and-accessed"]
}
}
class UI5LogEntryToHttp extends TaintTracking::Configuration {
UI5LogEntryToHttp() { this = "UI5 Log Entry included in an outbound HTTP request" }
override predicate isSource(DataFlow::Node node, DataFlow::FlowLabel state) {
node instanceof RemoteFlowSource and
state = "not-logged-not-accessed"
}
override predicate isAdditionalFlowStep(
DataFlow::Node start, DataFlow::Node end, DataFlow::FlowLabel preState,
DataFlow::FlowLabel postState
) {
exists(UI5LogInjectionConfiguration cfg |
cfg.isAdditionalFlowStep(start, end) and
preState = postState
)
or
/*
* NOTE: This disjunct is a labeled version of LogArgumentToListener in
* FlowSteps.qll, a DataFlow::SharedFlowStep. As the class is considered
* legacy on version 2.4.0, we leave the two here (labeled) and there
* (unlabeled). This is something we should also tidy up when we migrate
* to the newer APIs.
*/
inSameWebApp(start.getFile(), end.getFile()) and
start =
ModelOutput::getATypeNode("SapLogger")
.getMember(["debug", "error", "fatal", "info", "trace", "warning"])
.getACall()
.getAnArgument() and
end = ModelOutput::getATypeNode("SapLogEntries").asSource() and
preState = "not-logged-not-accessed" and
postState = "logged-and-accessed"
}
override predicate isSink(DataFlow::Node node, DataFlow::FlowLabel state) {
node instanceof ClientRequestInjectionVector and
state = "logged-and-accessed"
}
}
/**
* Config without states for sanity check
*/
module UI5LogEntryToHttp implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
predicate isAdditionalFlowStep(DataFlow::Node start, DataFlow::Node end) {
inSameWebApp(start.getFile(), end.getFile()) and
start =
ModelOutput::getATypeNode("SapLogger")
.getMember(["debug", "error", "fatal", "info", "trace", "warning"])
.getACall()
.getAnArgument() and
end = ModelOutput::getATypeNode("SapLogEntries").asSource()
}
predicate isSink(DataFlow::Node node) { node instanceof ClientRequestInjectionVector }
}
from UI5LogEntryToHttp cfg, UI5PathNode source, UI5PathNode sink, UI5PathNode primarySource
where
cfg.hasFlowPath(source.getPathNode(), sink.getPathNode()) and
primarySource = source.getAPrimarySource()
select sink, primarySource, sink, "Outbound network request depends on $@ log data.", primarySource,
"user-provided"