sec-proj1 README

A project for the Convergence Security Project 1 course

Overview

This project is a static analysis tool for Java and JavaScript, focused on detecting web application vulnerabilities such as XSS, and SQL Injection(SQLi). It uses the tree-sitter parser for fast and accurate AST parsing and includes taint tracking, sanitizer detection, and sink analysis.

Features

• Taint analysis for tracking untrusted input (user input, HTTP params, etc.)
• Sanitizer detection: recognizes and respects standard sanitization functions
• Sink analysis: detects dangerous flows to sensitive APIs (sinks) such as innerHTML, res.send, SQL queries, etc.
• Support for both Java and JavaScript (can be extended for other languages)
• Function-level summary and propagation for inter-procedural taint
• Inspired by Semgrep community rules

Project Structure

src/
  js/
    detectors/
      taintAnalyzer.ts        # Tracks tainted data flows (JS)
      sanitizer.ts            # Detects sanitizer functions (JS)
      sinkDetector.ts         # Detects dangerous sink usage (JS)
    jsAnalyzer.ts             # Main entry for JS analysis

  java/
    detectors/
      taintAnalyzer.ts        # Tracks tainted data flows (Java)
      sanitizer.ts            # Detects sanitizer functions (Java)
      sinkDetector.ts         # Detects dangerous sink usage (Java)
    javaAnalyzer.ts           # Main entry for Java analysis

  common/
    astUtils.ts               # AST traversal, snippet extraction, etc.
    functionCollector.ts      # Collects function definitions for summaries
    functionSummary.ts        # Analyzes which params flow to sinks

  types/
    tree-sitter.d.ts          # Custom TypeScript types for tree-sitter(for compatibility)
  
  extension.ts                # (If VSCode extension) main integration

TypeScript Compatibility Note

This project uses a custom types/tree-sitter.d.ts file to avoid TypeScript import/type errors for tree-sitter.
You can remove this file if upstream types become available.

Detection Rules (Example)

• XSS:

  • Assignment to innerHTML, outerHTML
  • document.write, res.send, element.insertAdjacentHTML
  • jQuery .html(), React dangerouslySetInnerHTML
  • Angular/JS/Java frameworks (ElementRef.nativeElement, $sce.trustAsHtml etc.)

• SQLi:

  • Direct/indirect user input to db.query, executeQuery, ORM queries (createQueryBuilder.where(), etc.)
  • Tainted template strings, concatenations

• Custom Rule Examples:

  • @Query annotation in Java with string concatenation
  • Function summaries: propagation of taint through parameters

How It Works

1. Parse source code using tree-sitter (JS or Java grammar)
2. Collect taint sources and propagate taint through dataflow
3. Skip propagation for known sanitizer functions
4. Check dangerous sinks: if tainted input reaches a sink (without sanitization), report a finding

Getting Started

npm install
npm run compile

Dev Mode

• Press F5 in VSCode to run Extension Development Host
• Use Ctrl+S to auto-scan file