|
| 1 | +/** |
| 2 | + * Provides default sources, sinks and sanitizers for reasoning about |
| 3 | + * download of sensitive file through unsecure connection, as well as |
| 4 | + * extension points for adding your own. |
| 5 | + */ |
| 6 | + |
| 7 | +import javascript |
| 8 | + |
| 9 | +module UnsecureDownload { |
| 10 | + /** |
| 11 | + * A data flow source for download of sensitive file through unsecure connection. |
| 12 | + */ |
| 13 | + abstract class Source extends DataFlow::Node { } |
| 14 | + |
| 15 | + /** |
| 16 | + * A data flow sink for download of sensitive file through unsecure connection. |
| 17 | + */ |
| 18 | + abstract class Sink extends DataFlow::Node { |
| 19 | + /** |
| 20 | + * Gets the call that downloads the sensitive file. |
| 21 | + */ |
| 22 | + abstract DataFlow::Node getDownloadCall(); |
| 23 | + } |
| 24 | + |
| 25 | + /** |
| 26 | + * A sanitizer for download of sensitive file through unsecure connection. |
| 27 | + */ |
| 28 | + abstract class Sanitizer extends DataFlow::Node { } |
| 29 | + |
| 30 | + /** |
| 31 | + * A HTTP or FTP URL that refers to a file with a sensitive file extension, |
| 32 | + * seen as a source for download of sensitive file through unsecure connection. |
| 33 | + */ |
| 34 | + class SensitiveFileUrl extends Source { |
| 35 | + SensitiveFileUrl() { |
| 36 | + exists(string str | str = this.getStringValue() | |
| 37 | + str.regexpMatch("http://.*|ftp://.'") and |
| 38 | + exists(string suffix | suffix = unsafeExtension() | |
| 39 | + str.suffix(str.length() - suffix.length() - 1).toLowerCase() = "." + suffix |
| 40 | + ) |
| 41 | + ) |
| 42 | + } |
| 43 | + } |
| 44 | + |
| 45 | + /** |
| 46 | + * Gets a file-extension that can potentially be dangerous. |
| 47 | + * |
| 48 | + * Archives are included, because they often contain source-code. |
| 49 | + */ |
| 50 | + string unsafeExtension() { |
| 51 | + result = |
| 52 | + ["exe", "dmg", "pkg", "tar.gz", "zip", "sh", "bat", "cmd", "app", "apk", "msi", "dmg", |
| 53 | + "tar.gz", "zip"] |
| 54 | + } |
| 55 | + |
| 56 | + /** |
| 57 | + * A url downloaded by a client-request, seen as a sink for download of |
| 58 | + * sensitive file through unsecure connection.a |
| 59 | + */ |
| 60 | + class ClientRequestURL extends Sink { |
| 61 | + ClientRequest request; |
| 62 | + ClientRequestURL() { |
| 63 | + this = request.getUrl() |
| 64 | + } |
| 65 | + |
| 66 | + override DataFlow::Node getDownloadCall() { |
| 67 | + result = request |
| 68 | + } |
| 69 | + } |
| 70 | +} |
0 commit comments