mirror of
https://github.com/github/codeql.git
synced 2026-04-29 18:55:14 +02:00
Merge pull request #3680 from erik-krogh/bad-code-sanitizer
JS: Add query to detect bad code sanitizers
This commit is contained in:
Erik Krogh Kristensen
@@ -64,6 +64,11 @@ nodes
|
||||
| angularjs.js:53:32:53:39 | location |
|
||||
| angularjs.js:53:32:53:46 | location.search |
|
||||
| angularjs.js:53:32:53:46 | location.search |
|
||||
| bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
|
||||
| bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") |
|
||||
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") |
|
||||
| express.js:7:24:7:69 | "return ... + "];" |
|
||||
| express.js:7:24:7:69 | "return ... + "];" |
|
||||
| express.js:7:44:7:62 | req.param("wobble") |
|
||||
@@ -193,6 +198,10 @@ edges
|
||||
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
|
||||
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
|
||||
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
|
||||
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" |
|
||||
| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" |
|
||||
| express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" |
|
||||
@@ -261,6 +270,7 @@ edges
|
||||
| angularjs.js:47:16:47:30 | location.search | angularjs.js:47:16:47:23 | location | angularjs.js:47:16:47:30 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:47:16:47:23 | location | User-provided value |
|
||||
| angularjs.js:50:22:50:36 | location.search | angularjs.js:50:22:50:29 | location | angularjs.js:50:22:50:36 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:50:22:50:29 | location | User-provided value |
|
||||
| angularjs.js:53:32:53:46 | location.search | angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search | $@ flows to here and is interpreted as code. | angularjs.js:53:32:53:39 | location | User-provided value |
|
||||
| bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` | bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` | $@ flows to here and is interpreted as code. | bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | User-provided value |
|
||||
| express.js:7:24:7:69 | "return ... + "];" | express.js:7:44:7:62 | req.param("wobble") | express.js:7:24:7:69 | "return ... + "];" | $@ flows to here and is interpreted as code. | express.js:7:44:7:62 | req.param("wobble") | User-provided value |
|
||||
| express.js:9:34:9:79 | "return ... + "];" | express.js:9:54:9:72 | req.param("wobble") | express.js:9:34:9:79 | "return ... + "];" | $@ flows to here and is interpreted as code. | express.js:9:54:9:72 | req.param("wobble") | User-provided value |
|
||||
| express.js:12:8:12:53 | "return ... + "];" | express.js:12:28:12:46 | req.param("wobble") | express.js:12:8:12:53 | "return ... + "];" | $@ flows to here and is interpreted as code. | express.js:12:28:12:46 | req.param("wobble") | User-provided value |
|
||||
|
||||
@@ -64,6 +64,11 @@ nodes
|
||||
| angularjs.js:53:32:53:39 | location |
|
||||
| angularjs.js:53:32:53:46 | location.search |
|
||||
| angularjs.js:53:32:53:46 | location.search |
|
||||
| bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
|
||||
| bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") |
|
||||
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") |
|
||||
| eslint-escope-build.js:20:22:20:22 | c |
|
||||
| eslint-escope-build.js:20:22:20:22 | c |
|
||||
| eslint-escope-build.js:21:16:21:16 | c |
|
||||
@@ -197,6 +202,10 @@ edges
|
||||
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
|
||||
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
|
||||
| angularjs.js:53:32:53:39 | location | angularjs.js:53:32:53:46 | location.search |
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:14:54:67 | `(funct ... "))}))` |
|
||||
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:54:44:54:62 | req.param("wobble") | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c |
|
||||
| eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c |
|
||||
| eslint-escope-build.js:20:22:20:22 | c | eslint-escope-build.js:21:16:21:16 | c |
|
||||
|
||||
@@ -0,0 +1,59 @@
|
||||
nodes
|
||||
| bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` |
|
||||
| bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` |
|
||||
| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) |
|
||||
| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) |
|
||||
| bad-code-sanitization.js:6:11:6:25 | statements |
|
||||
| bad-code-sanitization.js:6:24:6:25 | [] |
|
||||
| bad-code-sanitization.js:7:21:7:70 | `${name ... key])}` |
|
||||
| bad-code-sanitization.js:7:31:7:43 | safeProp(key) |
|
||||
| bad-code-sanitization.js:8:27:8:36 | statements |
|
||||
| bad-code-sanitization.js:8:27:8:46 | statements.join(';') |
|
||||
| bad-code-sanitization.js:8:27:8:46 | statements.join(';') |
|
||||
| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) |
|
||||
| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) |
|
||||
| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) |
|
||||
| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
|
||||
| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
|
||||
| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
|
||||
| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
|
||||
| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
|
||||
| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
|
||||
| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
|
||||
| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
|
||||
| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
|
||||
| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
|
||||
| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
|
||||
| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
|
||||
| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
edges
|
||||
| bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` | bad-code-sanitization.js:7:31:7:43 | safeProp(key) |
|
||||
| bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` | bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` |
|
||||
| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` |
|
||||
| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` |
|
||||
| bad-code-sanitization.js:6:11:6:25 | statements | bad-code-sanitization.js:8:27:8:36 | statements |
|
||||
| bad-code-sanitization.js:6:24:6:25 | [] | bad-code-sanitization.js:6:11:6:25 | statements |
|
||||
| bad-code-sanitization.js:7:21:7:70 | `${name ... key])}` | bad-code-sanitization.js:6:24:6:25 | [] |
|
||||
| bad-code-sanitization.js:7:31:7:43 | safeProp(key) | bad-code-sanitization.js:7:21:7:70 | `${name ... key])}` |
|
||||
| bad-code-sanitization.js:8:27:8:36 | statements | bad-code-sanitization.js:8:27:8:46 | statements.join(';') |
|
||||
| bad-code-sanitization.js:8:27:8:36 | statements | bad-code-sanitization.js:8:27:8:46 | statements.join(';') |
|
||||
| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) |
|
||||
| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
|
||||
| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
|
||||
| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
|
||||
| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
|
||||
| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
|
||||
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
|
||||
#select
|
||||
| bad-code-sanitization.js:8:27:8:46 | statements.join(';') | bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:8:27:8:46 | statements.join(';') | $@ flows to here and is used to construct code. | bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | Improperly sanitized value |
|
||||
| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | Improperly sanitized value |
|
||||
| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | Improperly sanitized value |
|
||||
| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | Improperly sanitized value |
|
||||
| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | Improperly sanitized value |
|
||||
| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | Improperly sanitized value |
|
||||
| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | $@ flows to here and is used to construct code. | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | Improperly sanitized value |
|
||||
@@ -0,0 +1 @@
|
||||
Security/CWE-094/ImproperCodeSanitization.ql
|
||||
@@ -0,0 +1,55 @@
|
||||
function safeProp(key) {
|
||||
return /^[_$a-zA-Z][_$a-zA-Z0-9]*$/.test(key) ? `.${key}` : `[${JSON.stringify(key)}]`;
|
||||
}
|
||||
|
||||
function test1() {
|
||||
const statements = [];
|
||||
statements.push(`${name}${safeProp(key)}=${stringify(thing[key])}`);
|
||||
return `(function(){${statements.join(';')}})` // NOT OK
|
||||
}
|
||||
|
||||
import htmlescape from 'htmlescape'
|
||||
|
||||
function test2(props) {
|
||||
const pathname = props.data.pathname;
|
||||
return `function(){return new Error('${htmlescape(pathname)}')}`; // NOT OK
|
||||
}
|
||||
|
||||
function test3(input) {
|
||||
return `(function(){${JSON.stringify(input)}))` // NOT OK
|
||||
}
|
||||
|
||||
function evenSaferProp(key) {
|
||||
return /^[_$a-zA-Z][_$a-zA-Z0-9]*$/.test(key) ? `.${key}` : `[${JSON.stringify(key)}]`.replace(/[<>\b\f\n\r\t\0\u2028\u2029]/g, '');
|
||||
}
|
||||
|
||||
function test4(input) {
|
||||
return `(function(){${evenSaferProp(input)}))` // OK
|
||||
}
|
||||
|
||||
function test4(input) {
|
||||
var foo = `(function(){${JSON.stringify(input)}))` // NOT OK - we can type-track to a code-injection sink, the source is not remote flow.
|
||||
setTimeout(foo);
|
||||
}
|
||||
|
||||
function test5(input) {
|
||||
console.log('methodName() => ' + JSON.stringify(input)); // OK
|
||||
}
|
||||
|
||||
function test6(input) {
|
||||
return `(() => {${JSON.stringify(input)})` // NOT OK
|
||||
}
|
||||
|
||||
function test7(input) {
|
||||
return `() => {${JSON.stringify(input)}` // NOT OK
|
||||
}
|
||||
|
||||
var express = require('express');
|
||||
|
||||
var app = express();
|
||||
|
||||
app.get('/some/path', function(req, res) {
|
||||
var foo = `(function(){${JSON.stringify(req.param("wobble"))}))` // NOT - the source is remote-flow, but we know of no sink.
|
||||
|
||||
setTimeout(`(function(){${JSON.stringify(req.param("wobble"))}))`); // OK - the source is remote-flow, and the sink is code-injection.
|
||||
});
|
||||
Reference in New Issue
Block a user