jorgectf
diff --git a/‎javascript/change-notes/2020-11-30-loginjection.md
Lines changed: 2 additions & 0 deletions b/‎javascript/change-notes/2020-11-30-loginjection.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎javascript/ql/src/experimental/Security/CWE-117/LogInjection.help renamed to ‎javascript/ql/src/Security/CWE-117/LogInjection.qhelp
Lines changed: 4 additions & 4 deletions b/‎javascript/ql/src/experimental/Security/CWE-117/LogInjection.help renamed to ‎javascript/ql/src/Security/CWE-117/LogInjection.qhelp
Lines changed: 4 additions & 4 deletions
diff --git a/‎javascript/ql/src/experimental/Security/CWE-117/LogInjection.ql renamed to ‎javascript/ql/src/Security/CWE-117/LogInjection.ql
Lines changed: 3 additions & 3 deletions b/‎javascript/ql/src/experimental/Security/CWE-117/LogInjection.ql renamed to ‎javascript/ql/src/Security/CWE-117/LogInjection.ql
Lines changed: 3 additions & 3 deletions
diff --git a/‎javascript/ql/src/Security/CWE-117/examples/logInjectionBad.js
Lines changed: 10 additions & 0 deletions b/‎javascript/ql/src/Security/CWE-117/examples/logInjectionBad.js
Lines changed: 10 additions & 0 deletions
diff --git a/‎javascript/ql/src/Security/CWE-117/examples/logInjectionGood.js
Lines changed: 13 additions & 0 deletions b/‎javascript/ql/src/Security/CWE-117/examples/logInjectionGood.js
Lines changed: 13 additions & 0 deletions
diff --git a/‎javascript/ql/src/experimental/Security/CWE-117/examples/logInjectionBad.js
Lines changed: 0 additions & 68 deletions b/‎javascript/ql/src/experimental/Security/CWE-117/examples/logInjectionBad.js
Lines changed: 0 additions & 68 deletions
diff --git a/‎javascript/ql/src/experimental/Security/CWE-117/examples/logInjectionGood.js
Lines changed: 0 additions & 51 deletions b/‎javascript/ql/src/experimental/Security/CWE-117/examples/logInjectionGood.js
Lines changed: 0 additions & 51 deletions
diff --git a/‎javascript/ql/src/semmle/javascript/frameworks/Logging.qll
Lines changed: 28 additions & 13 deletions b/‎javascript/ql/src/semmle/javascript/frameworks/Logging.qll
Lines changed: 28 additions & 13 deletions
diff --git a/‎javascript/ql/src/experimental/Security/CWE-117/LogInjection.qll renamed to ‎javascript/ql/src/semmle/javascript/security/dataflow/LogInjection.qll
Lines changed: 4 additions & 35 deletions b/‎javascript/ql/src/experimental/Security/CWE-117/LogInjection.qll renamed to ‎javascript/ql/src/semmle/javascript/security/dataflow/LogInjection.qll
Lines changed: 4 additions & 35 deletions
diff --git a/‎javascript/ql/test/query-tests/Security/CWE-117/LogInjection.expected
Lines changed: 53 additions & 0 deletions b/‎javascript/ql/test/query-tests/Security/CWE-117/LogInjection.expected
Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The `js/log-injection` query has been moved into non-experimental, and the precision of the query has been changed to medium.
@@ -18,20 +18,20 @@ arbitrary HTML may be included to spoof log entries.</p>
 User input should be suitably sanitized before it is logged.
 </p>
 <p>
-If the log entries are plain text then line breaks should be removed from user input, using
+If the log entries are in plain text then line breaks should be removed from user input, using
 <code>String.prototype.replace</code> or similar. Care should also be taken that user input is clearly marked
-in log entries, and that a malicious user cannot cause confusion in other ways.
+in log entries.
 </p>
 <p>
-For log entries that will be displayed in HTML, user input should be HTML encoded before being logged, to prevent forgery and
+For log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and
 other forms of HTML injection.
 </p>
 
 </recommendation>
 
 <example>
 <p>In the first example, a username, provided by the user, is logged using `console.info`. In
-the first case, it is logged without any sanitization. In the second case the username is used to build an error that is logged using `console.error`.
+the first case, it is logged without any sanitization. In the second case, the username is used to build an error that is logged using `console.error`.
 If a malicious user provides `username=Guest%0a[INFO]+User:+Admin%0a` as a username parameter, 
 the log entry will be splitted in two different lines, where the second line will be `[INFO]+User:+Admin`.
 </p>
 
@@ -1,18 +1,18 @@
 /**
- * @name Log Injection
+ * @name Log injection
  * @description Building log entries from user-controlled sources is vulnerable to
  *              insertion of forged log entries by a malicious user.
  * @kind path-problem
  * @problem.severity error
- * @precision high
+ * @precision medium
  * @id js/log-injection
  * @tags security
  *       external/cwe/cwe-117
  */
 
 import javascript
 import DataFlow::PathGraph
-import LogInjection::LogInjection
+import semmle.javascript.security.dataflow.LogInjection::LogInjection
 
 from LogInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 
@@ -0,0 +1,10 @@
+const http = require('http');
+const url = require('url');
+
+const server = http.createServer((req, res) => {
+    let q = url.parse(req.url, true);
+
+    console.info(`[INFO] User: ${q.query.username}`); // BAD: User input logged as-is
+})
+
+server.listen(3000, '127.0.0.1', () => {});
@@ -0,0 +1,13 @@
+const http = require('http');
+const url = require('url');
+
+const server = http.createServer((req, res) => {
+    let q = url.parse(req.url, true);
+
+    // GOOD: remove newlines from user controlled input before logging
+    let username = q.query.username.replace(/\n|\r/g, "");
+
+    console.info(`[INFO] User: ${username}`);
+});
+
+server.listen(3000, '127.0.0.1', () => {});
@@ -38,11 +38,22 @@ string getAStandardLoggerMethodName() {
  */
 private module Console {
   /**
-   * Gets a data flow source node for the console library.
+   * An API entrypoint for the global `console` variable.
    */
-  private DataFlow::SourceNode console() {
-    result = DataFlow::moduleImport("console") or
-    result = DataFlow::globalVarRef("console")
+  private class ConsoleGlobalEntry extends API::EntryPoint {
+    ConsoleGlobalEntry() { this = "ConsoleGlobalEntry" }
+
+    override DataFlow::SourceNode getAUse() { result = DataFlow::globalVarRef("console") }
+
+    override DataFlow::Node getARhs() { none() }
+  }
+
+  /**
+   * Gets a api node for the console library.
+   */
+  private API::Node console() {
+    result = API::moduleImport("console") or
+    result = API::root().getASuccessor(any(ConsoleGlobalEntry e))
   }
 
   /**
@@ -56,7 +67,7 @@ private module Console {
         name = getAStandardLoggerMethodName() or
         name = "assert"
       ) and
-      this = console().getAMemberCall(name)
+      this = console().getMember(name).getACall()
     }
 
     override DataFlow::Node getAMessageComponent() {
@@ -85,7 +96,7 @@ private module Loglevel {
    */
   class LoglevelLoggerCall extends LoggerCall {
     LoglevelLoggerCall() {
-      this = DataFlow::moduleMember("loglevel", getAStandardLoggerMethodName()).getACall()
+      this = API::moduleImport("loglevel").getMember(getAStandardLoggerMethodName()).getACall()
     }
 
     override DataFlow::Node getAMessageComponent() { result = getAnArgument() }
@@ -102,9 +113,11 @@ private module Winston {
   class WinstonLoggerCall extends LoggerCall, DataFlow::MethodCallNode {
     WinstonLoggerCall() {
       this =
-        DataFlow::moduleMember("winston", "createLogger")
+        API::moduleImport("winston")
+            .getMember("createLogger")
+            .getReturn()
+            .getMember(getAStandardLoggerMethodName())
             .getACall()
-            .getAMethodCall(getAStandardLoggerMethodName())
     }
 
     override DataFlow::Node getAMessageComponent() {
@@ -125,9 +138,11 @@ private module log4js {
   class Log4jsLoggerCall extends LoggerCall {
     Log4jsLoggerCall() {
       this =
-        DataFlow::moduleMember("log4js", "getLogger")
+        API::moduleImport("log4js")
+            .getMember("getLogger")
+            .getReturn()
+            .getMember(getAStandardLoggerMethodName())
             .getACall()
-            .getAMethodCall(getAStandardLoggerMethodName())
     }
 
     override DataFlow::Node getAMessageComponent() { result = getAnArgument() }
@@ -145,7 +160,7 @@ private module Npmlog {
     string name;
 
     Npmlog() {
-      this = DataFlow::moduleMember("npmlog", name).getACall() and
+      this = API::moduleImport("npmlog").getMember(name).getACall() and
       name = getAStandardLoggerMethodName()
     }
 
@@ -170,8 +185,8 @@ private module Fancylog {
    */
   class Fancylog extends LoggerCall {
     Fancylog() {
-      this = DataFlow::moduleMember("fancy-log", getAStandardLoggerMethodName()).getACall() or
-      this = DataFlow::moduleImport("fancy-log").getACall()
+      this = API::moduleImport("fancy-log").getMember(getAStandardLoggerMethodName()).getACall() or
+      this = API::moduleImport("fancy-log").getACall()
     }
 
     override DataFlow::Node getAMessageComponent() { result = getAnArgument() }
 
@@ -4,6 +4,9 @@
 
 import javascript
 
+/**
+ * Provides default sources, sink, and sanitizers for reasoning about untrusted user input used in log entries.
+ */
 module LogInjection {
   /**
    * A data flow source for user input used in log entries.
@@ -40,45 +43,11 @@ module LogInjection {
     RemoteSource() { this instanceof RemoteFlowSource }
   }
 
-  /**
-   * An source node representing a logging mechanism.
-   */
-  class ConsoleSource extends DataFlow::SourceNode {
-    ConsoleSource() {
-      exists(DataFlow::SourceNode node |
-        node = this and this = DataFlow::moduleImport("console")
-        or
-        this = DataFlow::globalVarRef("console")
-      )
-    }
-  }
-
-  /**
-   * A call to a logging mechanism. For example, the call could be in the following forms:
-   * `console.log('hello')` or
-   *
-   * `let logger = console.log;`
-   * `logger('hello')` or
-   *
-   * `let logger = {info: console.log};`
-   * `logger.info('hello')`
-   */
-  class LoggingCall extends DataFlow::CallNode {
-    LoggingCall() {
-      exists(DataFlow::SourceNode node, string propName |
-        any(ConsoleSource console).getAPropertyRead() = node.getAPropertySource(propName) and
-        this = node.getAPropertyRead(propName).getACall()
-      )
-      or
-      this = any(LoggerCall call)
-    }
-  }
-
   /**
    * An argument to a logging mechanism.
    */
   class LoggingSink extends Sink {
-    LoggingSink() { this = any(LoggingCall console).getAnArgument() }
+    LoggingSink() { this = any(LoggerCall console).getAMessageComponent() }
   }
 
   /**
 
@@ -0,0 +1,53 @@
+nodes
+| logInjectionBad.js:19:9:19:36 | q |
+| logInjectionBad.js:19:13:19:36 | url.par ... , true) |
+| logInjectionBad.js:19:23:19:29 | req.url |
+| logInjectionBad.js:19:23:19:29 | req.url |
+| logInjectionBad.js:20:9:20:35 | username |
+| logInjectionBad.js:20:20:20:20 | q |
+| logInjectionBad.js:20:20:20:26 | q.query |
+| logInjectionBad.js:20:20:20:35 | q.query.username |
+| logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` |
+| logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` |
+| logInjectionBad.js:22:34:22:41 | username |
+| logInjectionBad.js:23:37:23:44 | username |
+| logInjectionBad.js:23:37:23:44 | username |
+| logInjectionBad.js:24:35:24:42 | username |
+| logInjectionBad.js:24:35:24:42 | username |
+| logInjectionBad.js:25:36:25:43 | username |
+| logInjectionBad.js:25:36:25:43 | username |
+| logInjectionBad.js:28:9:28:32 | exceptional return of check_u ... ername) |
+| logInjectionBad.js:28:24:28:31 | username |
+| logInjectionBad.js:29:14:29:18 | error |
+| logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
+| logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
+| logInjectionBad.js:30:42:30:46 | error |
+edges
+| logInjectionBad.js:19:9:19:36 | q | logInjectionBad.js:20:20:20:20 | q |
+| logInjectionBad.js:19:13:19:36 | url.par ... , true) | logInjectionBad.js:19:9:19:36 | q |
+| logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:19:13:19:36 | url.par ... , true) |
+| logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:19:13:19:36 | url.par ... , true) |
+| logInjectionBad.js:20:9:20:35 | username | logInjectionBad.js:22:34:22:41 | username |
+| logInjectionBad.js:20:9:20:35 | username | logInjectionBad.js:23:37:23:44 | username |
+| logInjectionBad.js:20:9:20:35 | username | logInjectionBad.js:23:37:23:44 | username |
+| logInjectionBad.js:20:9:20:35 | username | logInjectionBad.js:24:35:24:42 | username |
+| logInjectionBad.js:20:9:20:35 | username | logInjectionBad.js:24:35:24:42 | username |
+| logInjectionBad.js:20:9:20:35 | username | logInjectionBad.js:25:36:25:43 | username |
+| logInjectionBad.js:20:9:20:35 | username | logInjectionBad.js:25:36:25:43 | username |
+| logInjectionBad.js:20:9:20:35 | username | logInjectionBad.js:28:24:28:31 | username |
+| logInjectionBad.js:20:20:20:20 | q | logInjectionBad.js:20:20:20:26 | q.query |
+| logInjectionBad.js:20:20:20:26 | q.query | logInjectionBad.js:20:20:20:35 | q.query.username |
+| logInjectionBad.js:20:20:20:35 | q.query.username | logInjectionBad.js:20:9:20:35 | username |
+| logInjectionBad.js:22:34:22:41 | username | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` |
+| logInjectionBad.js:22:34:22:41 | username | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` |
+| logInjectionBad.js:28:9:28:32 | exceptional return of check_u ... ername) | logInjectionBad.js:29:14:29:18 | error |
+| logInjectionBad.js:28:24:28:31 | username | logInjectionBad.js:28:9:28:32 | exceptional return of check_u ... ername) |
+| logInjectionBad.js:29:14:29:18 | error | logInjectionBad.js:30:42:30:46 | error |
+| logInjectionBad.js:30:42:30:46 | error | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
+| logInjectionBad.js:30:42:30:46 | error | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
+#select
+| logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
+| logInjectionBad.js:23:37:23:44 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:23:37:23:44 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
+| logInjectionBad.js:24:35:24:42 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:24:35:24:42 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
+| logInjectionBad.js:25:36:25:43 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:25:36:25:43 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
+| logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* The `js/log-injection` query has been moved into non-experimental, and the precision of the query has been changed to medium.