Add Browser Extensions Queries and Models

Author: Kwstubbs

javascript/browser-extension/codeql-pack.lock.yml

@@ -0,0 +1,24 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/dataflow:
+    version: 0.2.6
+  codeql/javascript-all:
+    version: 0.9.0
+  codeql/mad:
+    version: 0.2.15
+  codeql/regex:
+    version: 0.2.15
+  codeql/ssa:
+    version: 0.2.15
+  codeql/tutorial:
+    version: 0.2.15
+  codeql/typetracking:
+    version: 0.2.15
+  codeql/util:
+    version: 0.2.15
+  codeql/xml:
+    version: 0.0.2
+  codeql/yaml:
+    version: 0.2.15
+compiled: false

javascript/browser-extension/qlpack.yml

@@ -0,0 +1,6 @@
+library: false
+warnOnImplicitThis: false
+name: githubsecuritylab/browser-extension
+version: 0.0.1
+dependencies:
+  codeql/javascript-all: '*'

javascript/lib/browserextension/BothSidesRequestForgeryQuery.qll

@@ -0,0 +1,68 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about client-side
+ * request forgery.
+ *
+ * Note, for performance reasons: only import this file if
+ * the `Configuration` class is needed, otherwise
+ * `RequestForgeryCustomizations` should be imported instead.
+ */
+
+ import javascript
+ import semmle.javascript.security.dataflow.UrlConcatenation
+ import semmle.javascript.security.dataflow.RequestForgeryCustomizations::RequestForgery
+ import BrowserAPI
+ 
+ /**
+  * A taint tracking configuration for client-side request forgery.
+  * Server side is disabled since this is in the browser, but the extra models can be enabled for extra coverage
+  */
+ class Configuration extends TaintTracking::Configuration {
+   Configuration() { this = "ClientSideRequestForgery" }
+ 
+   override predicate isSource(DataFlow::Node source) {
+     exists(Source src |
+       source = src and
+       not src.isServerSide()
+     ) or 
+    source instanceof OnMessageExternal or source instanceof OnConnectExternal
+   }
+ 
+   override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+ 
+   override predicate isSanitizer(DataFlow::Node node) {
+     super.isSanitizer(node) or
+     node instanceof Sanitizer
+   }
+ 
+   override predicate isSanitizerOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }
+ 
+   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+     isAdditionalRequestForgeryStep(pred, succ)
+   }
+  }
+
+  class BrowserStep extends DataFlow::SharedFlowStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      (exists (DataFlow::ParameterNode p |
+        pred instanceof SendMessage and
+        succ = p and 
+           p.getParameter() instanceof AddListener
+      ))
+    }
+  }
+  
+  class ReturnStep extends DataFlow::SharedFlowStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      (exists (DataFlow::ParameterNode p |
+        succ instanceof SendMessageReturnValue and
+        pred = p.getAnInvocation().getArgument(0) and 
+           p.getParameter() instanceof AddListenerReturn
+      ))
+    }
+  }
+  
+  class AwaitStep extends DataFlow::SharedFlowStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ){
+      succ.asExpr() instanceof AwaitExpr and pred.asExpr() = succ.asExpr().(AwaitExpr).getOperand()
+    }
+  }