Merge branch 'main' into alias-html

2026-05-05 13:45:19 +02:00 · 2023-02-27 09:16:25 +01:00
parent 51ddb55d7b f8f926ad50
commit 0e60fc5512
473 changed files with 33939 additions and 3224 deletions
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+* Added dataflow sources for the [express-ws](https://www.npmjs.com/package/express-ws) library. 
+
 ## 0.4.2

 ### Minor Analysis Improvements
--- a/javascript/ql/lib/change-notes/2023-02-12-express-ws.md
+++ b/javascript/ql/lib/change-notes/2023-02-12-express-ws.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added dataflow sources for the [express-ws](https://www.npmjs.com/package/express-ws) library. 
--- a/javascript/ql/lib/change-notes/2023-02-14-regex-injection-process-env.md
+++ b/javascript/ql/lib/change-notes/2023-02-14-regex-injection-process-env.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `js/regex-injection` query now recognizes environment variables and command-line arguments as sources.
--- a/javascript/ql/lib/change-notes/released/0.4.3.md
+++ b/javascript/ql/lib/change-notes/released/0.4.3.md
@@ -0,0 +1,5 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+* Added dataflow sources for the [express-ws](https://www.npmjs.com/package/express-ws) library. 
--- a/javascript/ql/lib/codeql-pack.release.yml
+++ b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 0.4.3-dev
+version: 0.4.4-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
--- a/javascript/ql/lib/semmle/javascript/NPM.qll
+++ b/javascript/ql/lib/semmle/javascript/NPM.qll
@@ -198,9 +198,7 @@ class PackageJson extends JsonObject {
  /**
   * Gets the main module of this package.
   */
-  Module getMainModule() {
-    result = min(Module m, int prio | m.getFile() = resolveMainModule(this, prio) | m order by prio)
-  }
+  Module getMainModule() { result = this.getExportedModule(".") }

  /**
   * Gets the module exported under the given relative path.
@@ -208,10 +206,12 @@ class PackageJson extends JsonObject {
   * The main module is considered exported under the path `"."`.
   */
  Module getExportedModule(string relativePath) {
-    relativePath = "." and
-    result = this.getMainModule()
-    or
-    result.getFile() = MainModulePath::of(this, relativePath).resolve()
+    result =
+      min(Module m, int prio |
+        m.getFile() = resolveMainModule(this, prio, relativePath)
+      |
+        m order by prio
+      )
  }

  /**
--- a/javascript/ql/lib/semmle/javascript/NodeModuleResolutionImpl.qll
+++ b/javascript/ql/lib/semmle/javascript/NodeModuleResolutionImpl.qll
@@ -62,7 +62,7 @@ File loadAsFile(Require req, int rootPriority, int priority) {
 */
 File loadAsDirectory(Require req, int rootPriority, int priority) {
  exists(Folder dir | dir = req.getImportedPath().resolve(rootPriority) |
-    result = resolveMainModule(dir.(NpmPackage).getPackageJson(), priority) or
+    result = resolveMainModule(dir.(NpmPackage).getPackageJson(), priority, ".") or
    result = tryExtensions(dir, "index", priority - (numberOfExtensions() + 1))
  )
 }
@@ -132,12 +132,10 @@ private File resolveMainPath(PackageJson pkg, string mainPath, int priority) {
 /**
 * Gets the main module described by `pkg` with the given `priority`.
 */
-File resolveMainModule(PackageJson pkg, int priority) {
-  exists(int subPriority, string mainPath |
-    result = resolveMainPath(pkg, mainPath, subPriority) and
-    if mainPath = "." then subPriority = priority else priority = subPriority + 1000
-  )
+File resolveMainModule(PackageJson pkg, int priority, string exportPath) {
+  result = resolveMainPath(pkg, exportPath, priority)
  or
+  exportPath = "." and
  exists(Folder folder, Folder child |
    child = folder or
    child = folder.getChildContainer(getASrcFolderName()) or
@@ -149,6 +147,7 @@ File resolveMainModule(PackageJson pkg, int priority) {
  )
  or
  // if there is no main module, then we look for files that are explicitly included in the published package.
+  exportPath = "." and
  exists(PathExpr file |
    // `FilesPath` only exists if there is no main module for a given package.
    file = FilesPath::of(pkg) and priority = 100 // fixing the priority, because there might be multiple files in the package.
--- a/javascript/ql/lib/semmle/javascript/PackageExports.qll
+++ b/javascript/ql/lib/semmle/javascript/PackageExports.qll
@@ -133,7 +133,9 @@ private DataFlow::Node getAValueExportedByPackage() {
    DataFlow::globalVarRef("define").getACall().getAnArgument() = factory.getALocalUse() and
    func.getFile() =
      min(int j, File f |
-        f = NodeModule::resolveMainModule(any(PackageJson pack | exists(pack.getPackageName())), j)
+        f =
+          NodeModule::resolveMainModule(any(PackageJson pack | exists(pack.getPackageName())), j,
+            ".")
      |
        f order by j
      )
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll
@@ -10,7 +10,10 @@ module IndirectCommandInjection {
  /**
   * A data flow source for command-injection vulnerabilities.
   */
-  abstract class Source extends DataFlow::Node { }
+  abstract class Source extends DataFlow::Node {
+    /** Gets a description of this source. */
+    string describe() { result = "command-line argument" }
+  }

  /**
   * A data flow sink for command-injection vulnerabilities.
@@ -37,6 +40,15 @@ module IndirectCommandInjection {
    }
  }

+  /**
+   * A read of `process.env`, considered as a flow source for command injection.
+   */
+  private class ProcessEnvAsSource extends Source {
+    ProcessEnvAsSource() { this = NodeJSLib::process().getAPropertyRead("env") }
+
+    override string describe() { result = "environment variable" }
+  }
+
  /**
   * An object containing parsed command-line arguments, considered as a flow source for command injection.
   */
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
@@ -10,7 +10,10 @@ module RegExpInjection {
  /**
   * A data flow source for untrusted user input used to construct regular expressions.
   */
-  abstract class Source extends DataFlow::Node { }
+  abstract class Source extends DataFlow::Node {
+    /** Gets a description of this source. */
+    string describe() { result = "user-provided value" }
+  }

  /**
   * A data flow sink for untrusted user input used to construct regular expressions.
@@ -30,6 +33,16 @@ module RegExpInjection {
    RemoteFlowSourceAsSource() { not this instanceof ClientSideRemoteFlowSource }
  }

+  private import IndirectCommandInjectionCustomizations
+
+  /**
+   * A read of `process.env`, `process.argv`, and similar, considered as a flow source for regular
+   * expression injection.
+   */
+  class ArgvAsSource extends Source instanceof IndirectCommandInjection::Source {
+    override string describe() { result = IndirectCommandInjection::Source.super.describe() }
+  }
+
  /**
   * The source string of a regular expression.
   */