[JavaScript] Can I find out all the intermediate nodes on the paths from Source to Sink through CodeQL?

[HJX-zhanS]

I am currently using CodeQL to achieve the following goals:

Analyze the data flow of the JavaScript code and extract the data dependencies of all exec methods. Where the Source is set to all variable definitions and assignment expressions. In this process, I need to extract all intermediate nodes on all paths from Source to Sink, and extract all string constants.

Here is my query:

/**
@kind path-problem
@id javascript/execdataflowanalysis
*/

import javascript
import semmle.javascript.dataflow.TaintTracking
import DataFlow::PathGraph

class ExecDataFlowConfig extends TaintTracking::Configuration {
  ExecDataFlowConfig() { this = "ExecDataFlowConfig" }
  
  override predicate isSource(DataFlow::Node source) {
    exists(VariableDeclarator v |
      source.asExpr() = v.getAChild*()
    ) or
    exists(AssignExpr a |
      source.asExpr() = a.getAChild*()
    ) or
    exists(CallExpr c |
      source.asExpr() = c.getAChild*()
    )
  }

  // override predicate isSource(DataFlow::Node source) {
  //   exists(ExprOrStmt exprostmt | 
  //     source.asExpr() = exprostmt.getAChild*()
  //   )
  // }


  override predicate isSink(DataFlow::Node sink) {
    exists(CallExpr execCall |
      execCall.getCalleeName() = "exec" and
      exists(int i |
        i < execCall.getNumArgument() and
        sink.asExpr() = execCall.getArgument(i) or 
        sink.asExpr() = execCall.getArgument(i).getAChild*()
      )
    )
  }
}

from ExecDataFlowConfig cfg, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode, DataFlow::MidPathNode midNode
where
  cfg.hasFlowPath(sourceNode, sinkNode)
select sourceNode.getNode(), sourceNode, sinkNode, ""

However, I found that I didn't find all the string constants.

[ginsbach]

Thank you for the question. Do you have an example JavaScrip snippet where you would expect to find a result but currently don't?

[HJX-zhanS]

@ginsbach Hello, here is my demo:

require.paths.unshift(__dirname + "/../lib");

var backends = {
  postgres: require('persistence/postgres'),
  sqlite: require('persistence/sqlite'),
  memory: require('persistence/memory')
};

function connect(driver/*, *args */) {
  var path,
      args = Array.prototype.slice.call(arguments, 1);
  return backends[driver].new_connection.apply(this, args);
}

exports.connect = connect;


// puts and family are nice to have
process.mixin(exports, require("sys"));

// preload the assert library.
exports.assert = require('assert');


exports.configs = {
  sqlite: "/tmp/test.db",
  postgres: {
    host: "localhost",
    database: "test",
    username: "test",
    password: "password"
  },
  memory: "/tmp/test.json"
};

// Alias process.nextTick
var defer = exports.defer = process.nextTick;

var before_execs = {
  postgres: "/usr/local/bin/dropdb " + exports.configs.postgres.database + "; /usr/local/bin/createdb -O " + exports.configs.postgres.username + " " + exports.configs.postgres.database,
  sqlite: "rm -f " + exports.configs.sqlite,
  memory: "rm -f " + exports.configs.memory
}

// Call these before each test to clean the slate
exports.before = function (type, callback) {
  var done = function () {
    db = connect(type, configs[type]);
    callback(db);
    defer(function () {
      db.close();
    });
  }
  if (before_execs[type]) {
    exports.exec(before_execs[type], function (err) {
      if (err) {
        debug(err);
      }
      // Wait to lessen chance of race condition happening
      // TODO: real async trigger
      setTimeout(done, 200);
    });
  } else {
    defer(function () {
      done();
    });
  }
};

I need to find all the data dependencies of the exec method calls.

However, I cannot get this node:

exports.configs = {
  sqlite: "/tmp/test.db",
  postgres: {
    host: "localhost",
    database: "test",
    username: "test",
    password: "password"
  },
  memory: "/tmp/test.json"
};

At the same time, I tried to use this query for source definition. Unfortunately, it still has no effect.

override predicate isSource(DataFlow::Node source) {
  exists(ExprOrStmt exprostmt | 
     source.asExpr() = exprostmt.getAChild*()
  )
}

[erik-krogh]

I'm not sure I quite get what you're trying to do (or why).
But I still think I can help.

The problem (I think) is that the dataflow configuration tracks back to the before_execs, but not its properties.

If you add isAdditionalTaintStep like I've done below, then you'll track taint from any property-write into the object that's being written to.
This is not a pretty solution, and it might cause a lot of imprecision, but it could get you started.

import javascript
import DataFlow::PathGraph

class ExecDataFlowConfig extends TaintTracking::Configuration {
  ExecDataFlowConfig() { this = "ExecDataFlowConfig" }

  override predicate isSource(DataFlow::Node source) { any() }

  override predicate isSink(DataFlow::Node sink) {
    exists(DataFlow::CallNode execCall |
      execCall.getCalleeName() = "exec" and
      sink = execCall.getAnArgument()
    )
  }

  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    exists(DataFlow::PropWrite write |
      write.getRhs() = pred and
      write.getBase() = succ
    ) and
    not pred.asExpr().getTopLevel().isExterns()
  }
}

from ExecDataFlowConfig cfg, DataFlow::PathNode sourceNode
where cfg.hasFlowPath(sourceNode, _)
select sourceNode.getNode()

---

An additional note. You should not use .getAChild*() as much as you are.
E.g. in your isSink() predicate you're selecting all nodes in the AST that are children of the exec() call, which is definitely not what you want. (Your isSink() is e.g. selecting the setTimeout() call inside the callback that's given to exec(..)).
I simplified your isSink() predicate in the above accordingly.

[HJX-zhanS]

Thanks a lot. Your answer is helpful.