Merge pull request #207 from advanced-security/knewbury01/cap-sensitive-sources

Add sensitive exposure split query

Author: knewbury01

javascript/frameworks/cap/src/sensitive-exposure/SensitiveExposureHeuristicSource.md

@@ -0,0 +1,44 @@
+# CAP Insertion of Sensitive Information into Log File
+
+If sensitive information is written to a log entry using the CAP Node.js logging API, a malicious user may be able to gain access to user data.
+
+Data that may expose system information such as full path names, system information, usernames and passwords should not be logged.
+
+This query is similar to `js/cap-sensitive-log` in that the sinks are CAP logging facilities. The sources however are the same (exclusively) as the out of the box CodeQL query for [clear text logging](https://codeql.github.com/codeql-query-help/javascript/js-clear-text-logging/).
+
+## Recommendation
+
+CAP applications should not log sensitive information. Sensitive information can include: full path names, system information, usernames, passwords or any personally identifiable information. Make sure to log only information that is not sensitive, or obfuscate/encrypt sensitive information any time that it is logged.
+
+## Examples
+
+This CAP service directly logs the sensitive information. Potential attackers may gain access to this sensitive information when the log output is displayed or when the attacker gains access to the log, and the info is not obfuscated or encrypted.
+
+``` javascript
+import cds from '@sap/cds'
+const LOG = cds.log("logger");
+
+class SampleVulnService extends cds.ApplicationService {
+    init() {
+        LOG.info(`[INFO] Environment: ${JSON.stringify(process.env)}`); // CAP log exposure alert
+        var obj = {
+            x: password
+        };
+
+        LOG.info(obj); // CAP log exposure alert
+
+        LOG.info(obj.x.replace(/./g, "*")); // NO CAP log exposure alert - replace call acts as sanitizer 
+
+        var user = {
+            password: encryptLib.encryptPassword(password)
+        };
+        LOG.info(user); // NO CAP log exposure alert - the data is encrypted
+    }
+}
+```
+
+## References
+
+- OWASP 2021: [Security Logging and Monitoring Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).
+- OWASP: [Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).
+- OWASP: [User Privacy Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html).

javascript/frameworks/cap/src/sensitive-exposure/SensitiveExposureHeuristicSource.ql

@@ -0,0 +1,48 @@
+/**
+ * @name Insertion of sensitive information into log files
+ * @description Writing heuristically sensitive information to log files can allow that
+ *              information to be leaked to an attacker more easily.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision low
+ * @id js/cap-sensitive-log-heurisitic-source
+ * @tags security
+ *       external/cwe/cwe-532
+ */
+
+import javascript
+import advanced_security.javascript.frameworks.cap.CDS
+import advanced_security.javascript.frameworks.cap.CAPLogInjectionQuery
+private import semmle.javascript.security.dataflow.CleartextLoggingCustomizations::CleartextLogging as CleartextLogging
+
+module SensitiveLogExposureConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof CleartextLogging::Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof CdsLogSink }
+
+  predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
+    CleartextLogging::isAdditionalTaintStep(src, trg)
+  }
+
+  predicate isBarrier(DataFlow::Node sink) { sink instanceof CleartextLogging::Barrier }
+
+  /**
+   * This predicate is an intentional cartesian product of any sink node and any content that represents a property.
+   * Normally Cartesian products are bad but in this case it is what we want, to capture all properties of objects that make their way to sinks.
+   */
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet contents) {
+    // Assume all properties of a logged object are themselves logged.
+    contents = DataFlow::ContentSet::anyProperty() and
+    isSink(node)
+  }
+}
+
+module SensitiveLogExposureFlow = TaintTracking::Global<SensitiveLogExposureConfig>;
+
+import SensitiveLogExposureFlow::PathGraph
+
+from SensitiveLogExposureFlow::PathNode source, SensitiveLogExposureFlow::PathNode sink
+where SensitiveLogExposureFlow::flowPath(source, sink)
+select sink, source, sink, "This logs sensitive data returned by $@ as clear text.",
+  source.getNode(), source.getNode().(CleartextLogging::Source).describe()

javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure-js-all-sinks/sensitive-exposure-heuristic-source.expected

@@ -0,0 +1,18 @@
+edges
+| sensitive-exposure-heuristic-source.js:6:41:6:67 | JSON.st ... ss.env) | sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` | provenance |  |
+| sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env | sensitive-exposure-heuristic-source.js:6:41:6:67 | JSON.st ... ss.env) | provenance |  |
+| sensitive-exposure-heuristic-source.js:8:13:10:9 | obj [x] | sensitive-exposure-heuristic-source.js:11:18:11:20 | obj | provenance |  |
+| sensitive-exposure-heuristic-source.js:8:19:10:9 | {\\n      ...       } [x] | sensitive-exposure-heuristic-source.js:8:13:10:9 | obj [x] | provenance |  |
+| sensitive-exposure-heuristic-source.js:9:16:9:23 | password | sensitive-exposure-heuristic-source.js:8:19:10:9 | {\\n      ...       } [x] | provenance |  |
+nodes
+| sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` | semmle.label | `[INFO] ... .env)}` |
+| sensitive-exposure-heuristic-source.js:6:41:6:67 | JSON.st ... ss.env) | semmle.label | JSON.st ... ss.env) |
+| sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env | semmle.label | process.env |
+| sensitive-exposure-heuristic-source.js:8:13:10:9 | obj [x] | semmle.label | obj [x] |
+| sensitive-exposure-heuristic-source.js:8:19:10:9 | {\\n      ...       } [x] | semmle.label | {\\n      ...       } [x] |
+| sensitive-exposure-heuristic-source.js:9:16:9:23 | password | semmle.label | password |
+| sensitive-exposure-heuristic-source.js:11:18:11:20 | obj | semmle.label | obj |
+subpaths
+#select
+| sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` | sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env | sensitive-exposure-heuristic-source.js:6:18:6:69 | `[INFO] ... .env)}` | This logs sensitive data returned by $@ as clear text. | sensitive-exposure-heuristic-source.js:6:56:6:66 | process.env | process environment |
+| sensitive-exposure-heuristic-source.js:11:18:11:20 | obj | sensitive-exposure-heuristic-source.js:9:16:9:23 | password | sensitive-exposure-heuristic-source.js:11:18:11:20 | obj | This logs sensitive data returned by $@ as clear text. | sensitive-exposure-heuristic-source.js:9:16:9:23 | password | an access to password |

javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure-js-all-sinks/sensitive-exposure-heuristic-source.js

@@ -0,0 +1,20 @@
+import cds from '@sap/cds'
+const LOG = cds.log("logger");
+
+class SampleVulnService extends cds.ApplicationService {
+    init() {
+        LOG.info(`[INFO] Environment: ${JSON.stringify(process.env)}`); // CAP log exposure alert
+
+        var obj = {
+            x: password
+        };
+        LOG.info(obj); // CAP log exposure alert
+
+        LOG.info(obj.x.replace(/./g, "*")); // NO CAP log exposure alert - replace as sanitizer 
+
+        var user = {
+            password: encryptLib.encryptPassword(password)
+        };
+        LOG.info(user); // NO CAP log exposure alert - encrypted data is fine
+    }
+}

javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure-js-all-sinks/sensitive-exposure-heuristic-source.qlref

@@ -0,0 +1 @@
+sensitive-exposure/SensitiveExposureHeuristicSource.ql