JavaScript: Recognise wrapped string replacement functions.

2026-05-03 20:58:03 +02:00 · 2019-10-30 10:59:04 +00:00
parent aaeca32519
commit 02d16b1dc9
3 changed files with 37 additions and 0 deletions
--- a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
+++ b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
@@ -221,6 +221,34 @@ class JsonParseReplacement extends Replacement {
  }
 }

+/**
+ * A string replacement wrapped in a utility function.
+ */
+class WrappedReplacement extends Replacement, DataFlow::CallNode {
+  int i;
+
+  Replacement inner;
+
+  WrappedReplacement() {
+    exists(DataFlow::FunctionNode wrapped | wrapped.getFunction() = getACallee() |
+      wrapped.getParameter(i).flowsTo(inner.getInput()) and
+      inner.getOutput().flowsTo(wrapped.getAReturn())
+    )
+  }
+
+  override predicate replaces(string input, string output) {
+    inner.replaces(input, output)
+  }
+
+  override DataFlow::Node getInput() {
+    result = getArgument(i)
+  }
+
+  override DataFlow::SourceNode getOutput() {
+    result = this
+  }
+}
+
 from Replacement primary, Replacement supplementary, string message, string metachar
 where
  primary.escapes(metachar, _) and
--- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/DoubleEscaping.expected
@@ -8,3 +8,4 @@
 | tst.js:74:10:77:10 | JSON.st ...       ) | This replacement may double-escape '\\' characters from $@. | tst.js:75:12:76:37 | s.repla ... u003E") | here |
 | tst.js:86:10:86:22 | JSON.parse(s) | This replacement may produce '\\' characters that are double-unescaped $@. | tst.js:86:10:86:47 | JSON.pa ... g, "<") | here |
 | tst.js:99:10:99:66 | s.repla ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:99:10:99:43 | s.repla ... epl[c]) | here |
+| tst.js:107:10:107:53 | encodeD ... &amp;") | This replacement may double-escape '&' characters from $@. | tst.js:107:10:107:30 | encodeD ... otes(s) | here |
--- a/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-116/DoubleEscaping/tst.js
@@ -98,3 +98,11 @@ function badEncodeWithReplacer(s) {
  };
  return s.replace(/["']/g, (c) => repl[c]).replace(/&/g, "&amp;");
 }
+
+function encodeDoubleQuotes(s) {
+  return s.replace(/"/g, "&quot;");
+}
+
+function badWrappedEncode(s) {
+  return encodeDoubleQuotes(s).replace(/&/g, "&amp;");
+}