JS: Add query for unsafe construction of code from library input

[erik-krogh]

CVE-2017-5954: TP/FP (conditional unsafety)
CVE-2019-5413: TP/TN
CVE-2020-28502: TP/TN
CVE-2020-7712: TP/TN
CVE-2021-23406: TP/TN
CVE-2021-23337: TP
CVE-2021-32831: TP
CVE-2021-23358: TP
CVE-2020-7640: TP/TN

A test run shows a lot of results, many of which just looks to be (very) bad style.
So I've set the severity to warning.

An evaluation looks good.. (The baseline is main + a where none() edition of the query).
The new results look reasonable to me, even though they're basically just bad style.
(I suppose there are performance reasons for implementing it in that style).

[esbena]

LGTM, but lets merge #5769 first, and then apply the teachings from that PR here.

[esbena]

Same formulation concerns as in #5769

[esbena]

Rebase on top of #5769 , and reuse the similar predicate from that PR

[esbena]

Suggested change

	not this.getName() = "code"
	// permit parameters that clearly are intended to contain executable code.
	not this.getName() = "code"

[esbena]

(go home diff, you are drunk :) )

[asgerf]

Sorry for leaving this PR hanging for so long. Looking at the evaluation results, it looks like all of them are FPs:

• The Angular results are in internal API. I've put up a PR to fix it here: JS: Restrict what PackageExports considers to be public #6789
• The result in Underscore is a template compiler, which by design can evaluate JS code. It's not bad style or a performance trick; these templates can contain JS code which should be evaluated as-is.

I'd say templating engines should be considered a well-known counter example, and an allow-list should be used to exclude methods with names like template or compile or perhaps even render.

[erik-krogh]

• The Angular results are in internal API. I've put up a PR to fix it here: JS: Restrict what PackageExports considers to be public #6789

I've rebased on top of that PR, and the angular results disappeared in a new evaluation.

• The result in Underscore is a template compiler, which by design can evaluate JS code. It's not bad style or a performance trick; these templates can contain JS code which should be evaluated as-is.

Yes, the text argument in the underscore template compiler is unsafe by design.
But the kind of code-injection that this query flags can happen in a template compiler (see CVE-2021-23337 and CVE-2021-23358, both of which we get a TP for).
So I think the noise in Underscore is something we can live with.

[esbena]

I'd say templating engines should be considered a well-known counter example, and an allow-list should be used to exclude methods with names like template or compile or perhaps even render.

I agree with this. Could we use a whitelist to avoid intentional APIs like those and otherwise merge this twice-stalled PR as is? We can then separately address the undesirable FNs the whitelist causes.

[erik-krogh]

I agree with this. Could we use a whitelist to avoid intentional APIs like those and otherwise merge this twice-stalled PR as is? We can then separately address the undesirable FNs the whitelist causes.

I took a look at the method-names in the CVEs currently flagged by this query:

CVE	method-name
CVE-2017-5954	deserialize
CVE-2019-5413	compile
CVE-2020-28502	send
CVE-2020-7712	parseLookup
CVE-2021-23406	compile
CVE-2021-23337	template
CVE-2021-32831	set
CVE-2021-23358	template
CVE-2020-7640	create

Adding a allow-list based on names that are template-engine-like would remove some of those TPs.
I would prefer we lower the precision of the query without an allow-list.

(I rebased the PR on main, and updated to the new change-note format).

[ethanpalm]

This looks good from a docs point of view. I am just making one small change to move the explanation of why the first example is a bad coding practice to the paragraph before the example rather than after the example ⚡