Adds support for npm and xsjslib modules

javascript/frameworks/xsjs/ext/xsjs.model.yml

@@ -68,4 +68,5 @@ extensions:
       pack: codeql/javascript-all
       extensible: summaryModel
     data:
-      - [global, "Member[JSON].Member[parse]", "Argument[0]", "ReturnValue", taint]
+      - [global, "Member[JSON].Member[parse]", "Argument[0]", "ReturnValue", taint]
+      - ["@sap/xss-secure", "Member[encodeCSS,encodeHTML,encodeJS,encodeURL,encodeXML]", "Argument[0]", "ReturnValue", "taint"]

javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/AsyncXSJS.qll

@@ -1,23 +1,24 @@
 import javascript
 import DataFlow
+import XSJSLibModules
 
 /**
  * The root XSJS namespace, accessed as a dollar sign (`$`) symbol.
  */
-class XSJSDollarNamespace extends GlobalVarRefNode {
-  XSJSDollarNamespace() {
-    this = globalVarRef("$") and
-    this.getFile().getExtension() = "xsjs"
+class XSJSDollarNode extends DataFlow::SourceNode {
+  XSJSDollarNode() {
+    this.accessesGlobal("$") and
+    this.getFile().getExtension() = ["xsjs", "xsjslib"]
   }
 }
 
 /**
- * `TypeModel` for `XSJSDollarNamespace`.
+ * `TypeModel` for `XSJSDollarNode`.
  */
 class XSJSDollarTypeModel extends ModelInput::TypeModel {
   override DataFlow::Node getASource(string type) {
     type = "XsjsDollar" and
-    result = any(XSJSDollarNamespace dollar)
+    result = any(XSJSDollarNode dollar)
   }
 
   /**
@@ -37,9 +38,9 @@ class XSJSRequestOrResponse extends SourceNode instanceof PropRef {
   XSJSRequestOrResponse() {
     fieldName = ["request", "response"] and
     (
-      exists(XSJSDollarNamespace dollar | this = dollar.getAPropertyReference(fieldName))
+      exists(XSJSDollarNode dollar | this = dollar.getAPropertyReference(fieldName))
       or
-      exists(XSJSDollarNamespace dollar |
+      exists(XSJSDollarNode dollar |
         this =
           dollar
               .getAPropertyReference(fieldName)
@@ -171,7 +172,7 @@ class XSJSDatabaseConnectionReference extends MethodCallNode {
   string subNamespace;
 
   XSJSDatabaseConnectionReference() {
-    exists(XSJSDollarNamespace dollar |
+    exists(XSJSDollarNode dollar |
       this.getMethodName() = "getConnection" and
       this.getReceiver().getALocalSource() = dollar.getAPropertyReference(subNamespace)
     )
@@ -211,7 +212,7 @@ class XSJSHDBConnectionReference extends XSJSDatabaseConnectionReference {
 
 class XSJSUtilNamespace extends SourceNode instanceof PropRef {
   XSJSUtilNamespace() {
-    exists(XSJSDollarNamespace dollar | this = dollar.getAPropertyReference("util"))
+    exists(XSJSDollarNode dollar | this = dollar.getAPropertyReference("util"))
   }
 }
 

javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSLibModules.qll

@@ -0,0 +1,59 @@
+/** Provides classes for working with XSJSLib modules. */
+
+import javascript
+
+/**
+ * An XSJS module.
+ */
+class XSJSModule extends Module {
+  XSJSModule() { this.getFile().getExtension() = ["xsjs", "xsjslib"] }
+
+  override XSJSImportExpr getAnImport() { result.getTopLevel() = this }
+
+  /** Gets a module from which this module imports. */
+  override XSJSModule getAnImportedModule() { result = this.getAnImport().getImportedModule() }
+
+  override DataFlow::ValueNode getAnExportedValue(string name) {
+    result.getFile() = this.getFile() and
+    exists(FunctionDeclStmt fds | fds = result.getAstNode() |
+      fds.getParent() instanceof TopLevel and
+      name = fds.getName()
+    )
+  }
+}
+
+/**
+ * An import declaration.
+ *
+ * Example:
+ *
+ * ```
+ * $.import("module.xsjslib");
+ * ```
+ */
+class XSJSImportExpr extends CallExpr, Import {
+  XSJSImportExpr() {
+    this.getReceiver().(GlobalVarAccess).getName() = "$" and
+    this.getFile().getExtension() = ["xsjs", "xsjslib"] and
+    this.getCalleeName() = "import" and
+    this.getNumArgument() = 1
+  }
+
+  override Module getEnclosingModule() { result = this.getTopLevel() }
+
+  override XSJSLiteralImportPath getImportedPath() { result = this.getArgument(0) }
+
+  override DataFlow::Node getImportedModuleNode() { result = DataFlow::valueNode(this) }
+}
+
+/** A literal path expression appearing in an `import` declaration. */
+private class XSJSLiteralImportPath extends PathExpr, ConstantString {
+  XSJSLiteralImportPath() { exists(XSJSImportExpr req | this = req.getArgument(0)) }
+
+  override Folder getAdditionalSearchRoot(int priority) {
+    priority = 0 and
+    result = this.getFile().getParentContainer()
+  }
+
+  override string getValue() { result = this.getStringValue() }
+}

javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll

@@ -35,4 +35,14 @@ class Configuration extends TaintTracking::Configuration {
       )
     )
   }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    super.isSanitizer(node)
+    or
+    node instanceof DomBasedXss::Sanitizer
+    or
+    node =
+      DataFlow::moduleMember("@sap/xss-secure",
+        ["encodeCSS", "encodeHTML", "encodeJS", "encodeURL", "encodeXML"]).getACall().getArgument(0)
+  }
 }

javascript/frameworks/xsjs/test/models/modules/npm/npm.expected

@@ -0,0 +1,2 @@
+| npm.xsjs:3:14:3:71 | crypto. ... 1024 }) |
+| npm.xsjs:5:15:5:72 | crypto. ... 4096 }) |

javascript/frameworks/xsjs/test/models/modules/npm/npm.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from CryptographicKeyCreation crypto
+select crypto

javascript/frameworks/xsjs/test/models/modules/npm/npm.xsjs

@@ -0,0 +1,5 @@
+const crypto = $.require("crypto");
+
+const bad1 = crypto.generateKeyPairSync("rsa", { modulusLength: 1024 }); // NOT OK
+
+const good1 = crypto.generateKeyPairSync("rsa", { modulusLength: 4096 }); // OK

javascript/frameworks/xsjs/test/models/modules/xsjslib/xsjslib.expected

@@ -0,0 +1,2 @@
+| xsjslib.xsjs:1:1:4:0 | <toplevel> |
+| xsjslib.xsjslib:1:1:15:2 | <toplevel> |

javascript/frameworks/xsjs/test/models/modules/xsjslib/xsjslib.ql

@@ -0,0 +1,4 @@
+import javascript
+import advanced_security.javascript.frameworks.xsjs.XSJSLibModules
+
+select any(Module m)

javascript/frameworks/xsjs/test/models/modules/xsjslib/xsjslib.xsjs

@@ -0,0 +1,3 @@
+var injection1=$.import("xsjslib.xsjslib");
+
+injection1.test1(requestParameters);

javascript/frameworks/xsjs/test/models/modules/xsjslib/xsjslib.xsjslib

@@ -0,0 +1,15 @@
+/**
+ * True positive case: Sink being `$.db.Connection.prepareStatement(query, arguments...)`,
+ * the API in the older namespace. The remote value is concatenated raw into the query.
+ */
+ function test1(requestParameters) {
+    let someParameterValue1 = JSON.parse(requestParameters.get("someParameter1"));
+    let someParameterValue2 = JSON.parse(requestParameters.get("someParameter2"));
+    let query = "INSERT INTO " + someParameterValue1 + ".ENTITY (COL1) VALUES (" + someParameterValue2 + ")";
+
+    let dbConnection = $.db.getConnection();
+    let preparedStatement = dbConnection.prepareStatement(query);
+    preparedStatement.executeUpdate();
+    dbConnection.commit();
+  }
+

javascript/frameworks/xsjs/test/queries/XSJSLibSqlInjection/XSJSLibSqlInjection.expected

@@ -0,0 +1,32 @@
+nodes
+| lib/injection1.xsjslib:6:7:6:79 | someParameterValue1 |
+| lib/injection1.xsjslib:6:29:6:79 | JSON.pa ... ter1")) |
+| lib/injection1.xsjslib:6:40:6:78 | request ... eter1") |
+| lib/injection1.xsjslib:6:40:6:78 | request ... eter1") |
+| lib/injection1.xsjslib:7:7:7:79 | someParameterValue2 |
+| lib/injection1.xsjslib:7:29:7:79 | JSON.pa ... ter2")) |
+| lib/injection1.xsjslib:7:40:7:78 | request ... eter2") |
+| lib/injection1.xsjslib:7:40:7:78 | request ... eter2") |
+| lib/injection1.xsjslib:8:7:8:106 | query |
+| lib/injection1.xsjslib:8:15:8:106 | "INSERT ... 2 + ")" |
+| lib/injection1.xsjslib:8:32:8:50 | someParameterValue1 |
+| lib/injection1.xsjslib:8:82:8:100 | someParameterValue2 |
+| lib/injection1.xsjslib:11:57:11:61 | query |
+| lib/injection1.xsjslib:11:57:11:61 | query |
+edges
+| lib/injection1.xsjslib:6:7:6:79 | someParameterValue1 | lib/injection1.xsjslib:8:32:8:50 | someParameterValue1 |
+| lib/injection1.xsjslib:6:29:6:79 | JSON.pa ... ter1")) | lib/injection1.xsjslib:6:7:6:79 | someParameterValue1 |
+| lib/injection1.xsjslib:6:40:6:78 | request ... eter1") | lib/injection1.xsjslib:6:29:6:79 | JSON.pa ... ter1")) |
+| lib/injection1.xsjslib:6:40:6:78 | request ... eter1") | lib/injection1.xsjslib:6:29:6:79 | JSON.pa ... ter1")) |
+| lib/injection1.xsjslib:7:7:7:79 | someParameterValue2 | lib/injection1.xsjslib:8:82:8:100 | someParameterValue2 |
+| lib/injection1.xsjslib:7:29:7:79 | JSON.pa ... ter2")) | lib/injection1.xsjslib:7:7:7:79 | someParameterValue2 |
+| lib/injection1.xsjslib:7:40:7:78 | request ... eter2") | lib/injection1.xsjslib:7:29:7:79 | JSON.pa ... ter2")) |
+| lib/injection1.xsjslib:7:40:7:78 | request ... eter2") | lib/injection1.xsjslib:7:29:7:79 | JSON.pa ... ter2")) |
+| lib/injection1.xsjslib:8:7:8:106 | query | lib/injection1.xsjslib:11:57:11:61 | query |
+| lib/injection1.xsjslib:8:7:8:106 | query | lib/injection1.xsjslib:11:57:11:61 | query |
+| lib/injection1.xsjslib:8:15:8:106 | "INSERT ... 2 + ")" | lib/injection1.xsjslib:8:7:8:106 | query |
+| lib/injection1.xsjslib:8:32:8:50 | someParameterValue1 | lib/injection1.xsjslib:8:15:8:106 | "INSERT ... 2 + ")" |
+| lib/injection1.xsjslib:8:82:8:100 | someParameterValue2 | lib/injection1.xsjslib:8:15:8:106 | "INSERT ... 2 + ")" |
+#select
+| lib/injection1.xsjslib:11:57:11:61 | query | lib/injection1.xsjslib:6:40:6:78 | request ... eter1") | lib/injection1.xsjslib:11:57:11:61 | query | This query depends on a $@. | lib/injection1.xsjslib:6:40:6:78 | request ... eter1") | user-provided value |
+| lib/injection1.xsjslib:11:57:11:61 | query | lib/injection1.xsjslib:7:40:7:78 | request ... eter2") | lib/injection1.xsjslib:11:57:11:61 | query | This query depends on a $@. | lib/injection1.xsjslib:7:40:7:78 | request ... eter2") | user-provided value |

javascript/frameworks/xsjs/test/queries/XSJSLibSqlInjection/XSJSLibSqlInjection.qlref

@@ -0,0 +1 @@
+XSJSSqlInjection/XSJSSqlInjection.ql

javascript/frameworks/xsjs/test/queries/XSJSLibSqlInjection/XSJSLibSqlInjection.xsjs

@@ -0,0 +1,9 @@
+$.import("lib/injection1.xsjslib");
+let t1=$.import("lib/injection2.xsjslib");
+$.import("lib/injection3.xsjslib");
+$.import("lib/injection4.xsjslib");
+
+var requestParameters = $.request.parameters;
+
+test1(requestParameters);
+t1.test1(requestParameters);

javascript/frameworks/xsjs/test/queries/XSJSLibSqlInjection/lib/injection1.xsjslib

@@ -0,0 +1,14 @@
+/**
+ * True positive case: Sink being `$.db.Connection.prepareStatement(query, arguments...)`,
+ * the API in the older namespace. The remote value is concatenated raw into the query.
+ */
+function test1(requestParameters) {
+  let someParameterValue1 = JSON.parse(requestParameters.get("someParameter1"));
+  let someParameterValue2 = JSON.parse(requestParameters.get("someParameter2"));
+  let query = "INSERT INTO " + someParameterValue1 + ".ENTITY (COL1) VALUES (" + someParameterValue2 + ")";
+
+  let dbConnection = $.db.getConnection();
+  let preparedStatement = dbConnection.prepareStatement(query);
+  preparedStatement.executeUpdate();
+  dbConnection.commit();
+}

javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs

@@ -36,3 +36,16 @@ function test3(requestParameters) {
 test1(requestParameters);
 test2(requestParameters);
 test3(requestParameters);
+
+/**
+ * False positive case: the value is sanitized
+ */
+var xssSecure = $.require('@sap/xss-secure');
+function test4(requestParameters) {
+  let someParameterValue4 = requestParameters.get("someParameter4");
+  $.response.contentType = "text/html";
+  $.response.setBody(requestParameterHandler(xssSecure.encodeHTML(someParameterValue4)));
+  $.response.status = $.net.http.OK;
+}
+
+test4(requestParameters);