Multiple modules: extract deviceMemory / hardwareConcurrency to libra…

…ry, add codeQL warnings (prebid#12070) * Custom codeQL rules / hardwareConcurrency and deviceMemory * move deviceMemory / hardwareConcurrency to a library * reuse library code for deviceMemory & co
adhese · Aug 1, 2024 · c0d5658 · c0d5658
1 parent 2ada5d1
commit c0d5658
Show file tree

Hide file tree

Showing 10 changed files with 86 additions and 10 deletions.
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -2,3 +2,6 @@ paths:
   - src
   - modules
   - libraries
+queries:
+  - name: Prebid queries
+    uses: ./.github/codeql/queries
diff --git a/.github/codeql/queries/deviceMemory.ql b/.github/codeql/queries/deviceMemory.ql
@@ -0,0 +1,14 @@
+/**
+ * @id prebid/device-memory
+ * @name Access to navigator.deviceMemory
+ * @kind problem
+ * @problem.severity warning
+ * @description Finds uses of deviceMemory
+ */
+
+import prebid
+
+from SourceNode nav
+where
+ nav = windowPropertyRead("navigator")
+select nav.getAPropertyRead("deviceMemory"), "deviceMemory is an indicator of fingerprinting"
diff --git a/.github/codeql/queries/hardwareConcurrency.ql b/.github/codeql/queries/hardwareConcurrency.ql
@@ -0,0 +1,14 @@
+/**
+ * @id prebid/hardware-concurrency
+ * @name Access to navigator.hardwareConcurrency
+ * @kind problem
+ * @problem.severity warning
+ * @description Finds uses of hardwareConcurrency
+ */
+
+import prebid
+
+from SourceNode nav
+where
+ nav = windowPropertyRead("navigator")
+select nav.getAPropertyRead("hardwareConcurrency"), "hardwareConcurrency is an indicator of fingerprinting"
diff --git a/.github/codeql/queries/prebid.qll b/.github/codeql/queries/prebid.qll
@@ -0,0 +1,36 @@
+import javascript
+import DataFlow
+
+SourceNode otherWindow() {
+ result = globalVarRef("top") or
+ result = globalVarRef("self") or
+ result = globalVarRef("parent") or
+ result = globalVarRef("frames").getAPropertyRead() or
+ result = DOM::documentRef().getAPropertyRead("defaultView")
+}
+
+SourceNode connectedWindow(SourceNode win) {
+  result = win.getAPropertyRead("self") or
+  result = win.getAPropertyRead("top") or
+  result = win.getAPropertyRead("parent") or
+  result = win.getAPropertyRead("frames").getAPropertyRead() or
+  result = win.getAPropertyRead("document").getAPropertyRead("defaultView")
+}
+
+SourceNode relatedWindow(SourceNode win) {
+  result = connectedWindow(win) or
+  result = relatedWindow+(connectedWindow(win))
+}
+
+SourceNode anyWindow() {
+  result = otherWindow() or
+  result = relatedWindow(otherWindow())
+}
+
+/*
+ Matches uses of property `prop` done on any window object.
+*/
+SourceNode windowPropertyRead(string prop) {
+  result = globalVarRef(prop) or
+  result = anyWindow().getAPropertyRead(prop)
+}
diff --git a/.github/codeql/queries/qlpack.yml b/.github/codeql/queries/qlpack.yml
@@ -0,0 +1,8 @@
+---
+library: false
+warnOnImplicitThis: false
+name: queries
+version: 0.0.1
+dependencies:
+  codeql/javascript-all: ^1.1.1
+  codeql/javascript-queries: ^1.1.0
diff --git a/src/fpd/navigator.js → libraries/navigatorData/navigatorData.js b/src/fpd/navigator.js → libraries/navigatorData/navigatorData.js
@@ -26,4 +26,4 @@ export function getDM(win = window) {
     dm = undefined;
   }
   return dm;
-};
+}
diff --git a/modules/discoveryBidAdapter.js b/modules/discoveryBidAdapter.js
@@ -2,11 +2,11 @@ import * as utils from '../src/utils.js';
 import { getStorageManager } from '../src/storageManager.js';
 import { registerBidder } from '../src/adapters/bidderFactory.js';
 import { BANNER, NATIVE } from '../src/mediaTypes.js';
-import { getHLen, getHC, getDM } from '../src/fpd/navigator.js';
 import { getPageTitle, getPageDescription, getPageKeywords, getConnectionDownLink, getReferrer } from '../libraries/fpdUtils/pageInfo.js';
 import { getDevice, getScreenSize } from '../libraries/fpdUtils/deviceInfo.js';
 import { getBidFloor } from '../libraries/currencyUtils/floor.js';
 import { transformSizes, normalAdSize } from '../libraries/sizeUtils/tranformSize.js';
+import {getDM, getHC, getHLen} from '../libraries/navigatorData/navigatorData.js';
 
 /**
  * @typedef {import('../src/adapters/bidderFactory.js').BidRequest} BidRequest

diff --git a/modules/mediagoBidAdapter.js b/modules/mediagoBidAdapter.js
@@ -9,6 +9,7 @@ import { getPageTitle, getPageDescription, getPageKeywords, getConnectionDownLin
 import { getDevice } from '../libraries/fpdUtils/deviceInfo.js';
 import { getBidFloor } from '../libraries/currencyUtils/floor.js';
 import { transformSizes, normalAdSize } from '../libraries/sizeUtils/tranformSize.js';
+import {getDM, getHC, getHLen} from '../libraries/navigatorData/navigatorData.js';
 
 // import { config } from '../src/config.js';
 // import { isPubcidEnabled } from './pubCommonId.js';
@@ -230,7 +231,6 @@ function getParam(validBidRequests, bidderRequest) {
 
   const timeout = bidderRequest.timeout || 2000;
   const firstPartyData = bidderRequest.ortb2;
-  const topWindow = window.top;
   const title = getPageTitle();
   const desc = getPageDescription();
   const keywords = getPageKeywords();
@@ -267,12 +267,12 @@ function getParam(validBidRequests, bidderRequest) {
           title: title ? title.slice(0, 100) : undefined,
           desc: desc ? desc.slice(0, 300) : undefined,
           keywords: keywords ? keywords.slice(0, 100) : undefined,
-          hLen: topWindow.history?.length || undefined,
+          hLen: getHLen(),
         },
         device: {
           nbw: getConnectionDownLink(),
-          hc: topWindow.navigator?.hardwareConcurrency || undefined,
-          dm: topWindow.navigator?.deviceMemory || undefined,
+          hc: getHC(),
+          dm: getDM()
         }
       },
       user: {

diff --git a/modules/teadsBidAdapter.js b/modules/teadsBidAdapter.js
@@ -2,6 +2,7 @@ import {getValue, logError, deepAccess, parseSizesInput, isArray, getBidIdParame
 import {registerBidder} from '../src/adapters/bidderFactory.js';
 import {getStorageManager} from '../src/storageManager.js';
 import {isAutoplayEnabled} from '../libraries/autoplayDetection/autoplay.js';
+import {getDM, getHC, getHLen} from '../libraries/navigatorData/navigatorData.js';
 
 /**
  * @typedef {import('../src/adapters/bidderFactory.js').BidRequest} BidRequest
@@ -65,11 +66,11 @@ export const spec = {
       deviceHeight: screen.height,
       devicePixelRatio: topWindow.devicePixelRatio,
       screenOrientation: screen.orientation?.type,
-      historyLength: topWindow.history?.length,
+      historyLength: getHLen(),
       viewportHeight: topWindow.visualViewport?.height,
       viewportWidth: topWindow.visualViewport?.width,
-      hardwareConcurrency: topWindow.navigator?.hardwareConcurrency,
-      deviceMemory: topWindow.navigator?.deviceMemory,
+      hardwareConcurrency: getHC(),
+      deviceMemory: getDM(),
       hb_version: '$prebid.version$',
       ...getSharedViewerIdParameters(validBidRequests),
       ...getFirstPartyTeadsIdParameter(validBidRequests)

diff --git a/test/spec/modules/discoveryBidAdapter_spec.js b/test/spec/modules/discoveryBidAdapter_spec.js
@@ -10,7 +10,7 @@ import {
 } from 'modules/discoveryBidAdapter.js';
 import { getPageTitle, getPageDescription, getPageKeywords, getConnectionDownLink } from '../../../libraries/fpdUtils/pageInfo.js';
 import * as utils from 'src/utils.js';
-import { getHLen, getHC, getDM } from '../../../src/fpd/navigator.js';
+import {getDM, getHC, getHLen} from '../../../libraries/navigatorData/navigatorData.js';
 
 describe('discovery:BidAdapterTests', function () {
   let sandbox;
-Original file line number
+Diff line change
@@ Expand Up / @@ -26,4 +26,4 @@ export function getDM(win = window) { @@
         dm = undefined;
       }
       return dm;
-    };
+    }