JS: address some comments

This commit is contained in:
Asger F
2018-11-20 18:11:46 +00:00
parent 8aff66616b
commit 1c06f45046
3 changed files with 7 additions and 6 deletions

View File

@@ -15,6 +15,7 @@ in its <code>constructor</code> property.
<recommendation>
<p>
Avoid invoking user-controlled methods on the global object or on any function object.
Whitelist the permitted method names or change the type of object the methods are stored on.
</p>
</recommendation>
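Review bot: "change the type of object the methods are stored on" in the new recommendation line is too vague to act on; since the paragraph above already calls out the `constructor` property, say concretely what removes that path, e.g. "store the permitted methods in a `Map` or in an object created with `Object.create(null)`, so that prototype properties such as `constructor` cannot be reached by name". Also "Whitelist" reads better as "Restrict the permitted method names to a fixed list".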

View File

@@ -1,8 +1,8 @@
/**
* @name Method name injection
* @description Invoking user-controlled methods on a arbitrary objects can lead to remote code execution.
* @description Invoking user-controlled methods on arbitrary objects can lead to remote code execution.
* @kind path-problem
* @problem.severity warning
* @problem.severity error
* @precision high
* @id js/method-name-injection
* @tags security
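Review bot: raising `@problem.severity` from `warning` to `error` is fine given the description now claims remote code execution, but the `@tags` line still carries only `security`; a query that reports code execution should also carry the matching CWE tag (CWE-94, code injection, fits the description) so it is grouped with the other injection queries in reports. Consider `@tags security external/cwe/cwe-094`.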

View File

@@ -1,5 +1,5 @@
/**
* Provides a taint tracking configuration for reasoning about method invocations
* Provides a taint-tracking configuration for reasoning about method invocations
* with a user-controlled method name.
*/
@@ -51,8 +51,8 @@ module MethodNameInjection {
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "RemotePropertyInjection" }
override predicate isSource(DataFlow::Node source) {
source instanceof Source
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
source.(Source).getFlowLabel() = label
}
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
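Review bot: `Configuration() { this = "RemotePropertyInjection" }` does not match the enclosing `module MethodNameInjection` or the query id `js/method-name-injection`; the string looks copied from another query, and configuration names must be unique when several queries are loaded together, otherwise this configuration's sources and sinks get merged with the other one's. Change it to `this = "MethodNameInjection"`. The `isSource` change to the flow-label overload with `source.(Source).getFlowLabel() = label` looks right, provided every `Source` subclass defines `getFlowLabel()`.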
@@ -68,7 +68,7 @@ module MethodNameInjection {
* Holds if a property of the given object is an unsafe function.
*/
predicate isUnsafeBaseObject(DataFlow::SourceNode node) {
// eval an friends can be accessed from the global object.
// eval and friends can be accessed from the global object.
node = DataFlow::globalObjectRef()
or
// 'constructor' property leads to the Function constructor.