add model for the luxon library

This commit is contained in:
Erik Krogh Kristensen
2021-06-21 22:26:57 +02:00
parent cdf3cdcf71
commit 227f61b954
5 changed files with 122 additions and 2 deletions


@@ -1,5 +1,6 @@
lgtm,codescanning
* Improved support for date parsing libraries, resulting in more results in security queries.
Affected packages are
[dayjs](https://npmjs.com/package/dayjs)
[dayjs](https://npmjs.com/package/dayjs),
[luxon](https://npmjs.com/package/luxon)


@@ -75,6 +75,45 @@ private module DateIO {
}
}
/**
* Provides classes and predicates modelling the `luxon` library.
*/
private module Luxon {
/**
* Gets a reference to a `DateTime` object from the `luxon` library.
*/
private API::Node luxonDateTime() {
exists(API::Node constructor | constructor = API::moduleImport("luxon").getMember("DateTime") |
result = constructor.getInstance()
or
result =
constructor
.getMember([
"fromJSDate", "fromJSDate", "fromISO", "now", "fromMillis", "fromHTTP",
"fromObject", "fromRFC2822", "fromSeconds", "fromSQL", "fromFormat", "fromString",
"invalid", "local", "utc"
])
.getReturn()
or
// fluent API that return immutable objects
result = luxonDateTime().getAMember()
or
result = luxonDateTime().getReturn()
)
}
/**
* A step of the form: `f -> luxonDateTime.toFormat(f)`.
*/
private class ToFormatStep extends TaintTracking::SharedTaintStep {
override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(API::CallNode call | call = luxonDateTime().getMember("toFormat").getACall() |
pred = call.getArgument(0) and succ = call
)
}
}
}
private module Moment {
/** Gets a reference to a `moment` object. */
private API::Node moment() {
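Review bot: The member list in `luxonDateTime()` names `"fromJSDate"` twice; QL set semantics make the duplicate harmless, but it should be dropped so the list reads as the intended enumeration of factory methods: `"fromJSDate", "fromISO", "now", "fromMillis", "fromHTTP",`. The `getAMember()`/`getReturn()` disjuncts also make every property and every call result of a `DateTime` a `DateTime` again, which (if I read the API graph correctly) includes non-`DateTime` results such as `toISO()` or `toObject()`; that is presumably intentional to cover fluent chains, and the comment should say so, e.g. `// over-approximation: any member or call result of a DateTime is treated as a DateTime, so fluent chains are covered`. The `ToFormatStep` docstring should also state why the format argument taints the result: luxon's `toFormat` copies quoted and unrecognised characters of the format string verbatim into the output, which is what lets a user-controlled format string reach an HTML sink. The `Moment` module begins on the hunk's last lines and continues outside it.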


@@ -151,6 +151,23 @@ nodes
| dates.js:40:31:40:84 | `Time i ... aint)}` |
| dates.js:40:42:40:82 | dayjs.f ... taint) |
| dates.js:40:77:40:81 | taint |
| dates.js:46:9:46:69 | taint |
| dates.js:46:17:46:69 | decodeU ... ing(1)) |
| dates.js:46:36:46:55 | window.location.hash |
| dates.js:46:36:46:55 | window.location.hash |
| dates.js:46:36:46:68 | window. ... ring(1) |
| dates.js:48:31:48:90 | `Time i ... aint)}` |
| dates.js:48:31:48:90 | `Time i ... aint)}` |
| dates.js:48:42:48:88 | DateTim ... (taint) |
| dates.js:48:83:48:87 | taint |
| dates.js:49:31:49:89 | `Time i ... aint)}` |
| dates.js:49:31:49:89 | `Time i ... aint)}` |
| dates.js:49:42:49:87 | new Dat ... (taint) |
| dates.js:49:82:49:86 | taint |
| dates.js:50:31:50:104 | `Time i ... aint)}` |
| dates.js:50:31:50:104 | `Time i ... aint)}` |
| dates.js:50:42:50:102 | DateTim ... (taint) |
| dates.js:50:97:50:101 | taint |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href |
@@ -823,6 +840,22 @@ edges
| dates.js:40:42:40:82 | dayjs.f ... taint) | dates.js:40:31:40:84 | `Time i ... aint)}` |
| dates.js:40:42:40:82 | dayjs.f ... taint) | dates.js:40:31:40:84 | `Time i ... aint)}` |
| dates.js:40:77:40:81 | taint | dates.js:40:42:40:82 | dayjs.f ... taint) |
| dates.js:46:9:46:69 | taint | dates.js:48:83:48:87 | taint |
| dates.js:46:9:46:69 | taint | dates.js:49:82:49:86 | taint |
| dates.js:46:9:46:69 | taint | dates.js:50:97:50:101 | taint |
| dates.js:46:17:46:69 | decodeU ... ing(1)) | dates.js:46:9:46:69 | taint |
| dates.js:46:36:46:55 | window.location.hash | dates.js:46:36:46:68 | window. ... ring(1) |
| dates.js:46:36:46:55 | window.location.hash | dates.js:46:36:46:68 | window. ... ring(1) |
| dates.js:46:36:46:68 | window. ... ring(1) | dates.js:46:17:46:69 | decodeU ... ing(1)) |
| dates.js:48:42:48:88 | DateTim ... (taint) | dates.js:48:31:48:90 | `Time i ... aint)}` |
| dates.js:48:42:48:88 | DateTim ... (taint) | dates.js:48:31:48:90 | `Time i ... aint)}` |
| dates.js:48:83:48:87 | taint | dates.js:48:42:48:88 | DateTim ... (taint) |
| dates.js:49:42:49:87 | new Dat ... (taint) | dates.js:49:31:49:89 | `Time i ... aint)}` |
| dates.js:49:42:49:87 | new Dat ... (taint) | dates.js:49:31:49:89 | `Time i ... aint)}` |
| dates.js:49:82:49:86 | taint | dates.js:49:42:49:87 | new Dat ... (taint) |
| dates.js:50:42:50:102 | DateTim ... (taint) | dates.js:50:31:50:104 | `Time i ... aint)}` |
| dates.js:50:42:50:102 | DateTim ... (taint) | dates.js:50:31:50:104 | `Time i ... aint)}` |
| dates.js:50:97:50:101 | taint | dates.js:50:42:50:102 | DateTim ... (taint) |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
@@ -1339,6 +1372,9 @@ edges
| dates.js:38:31:38:84 | `Time i ... aint)}` | dates.js:30:36:30:55 | window.location.hash | dates.js:38:31:38:84 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:30:36:30:55 | window.location.hash | user-provided value |
| dates.js:39:31:39:86 | `Time i ... aint)}` | dates.js:30:36:30:55 | window.location.hash | dates.js:39:31:39:86 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:30:36:30:55 | window.location.hash | user-provided value |
| dates.js:40:31:40:84 | `Time i ... aint)}` | dates.js:30:36:30:55 | window.location.hash | dates.js:40:31:40:84 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:30:36:30:55 | window.location.hash | user-provided value |
| dates.js:48:31:48:90 | `Time i ... aint)}` | dates.js:46:36:46:55 | window.location.hash | dates.js:48:31:48:90 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:46:36:46:55 | window.location.hash | user-provided value |
| dates.js:49:31:49:89 | `Time i ... aint)}` | dates.js:46:36:46:55 | window.location.hash | dates.js:49:31:49:89 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:46:36:46:55 | window.location.hash | user-provided value |
| dates.js:50:31:50:104 | `Time i ... aint)}` | dates.js:46:36:46:55 | window.location.hash | dates.js:50:31:50:104 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:46:36:46:55 | window.location.hash | user-provided value |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | Cross-site scripting vulnerability due to $@. | event-handler-receiver.js:2:49:2:61 | location.href | user-provided value |
| express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | Cross-site scripting vulnerability due to $@. | express.js:7:15:7:33 | req.param("wobble") | user-provided value |
| jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:40 | documen ... .search | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |


@@ -151,6 +151,23 @@ nodes
| dates.js:40:31:40:84 | `Time i ... aint)}` |
| dates.js:40:42:40:82 | dayjs.f ... taint) |
| dates.js:40:77:40:81 | taint |
| dates.js:46:9:46:69 | taint |
| dates.js:46:17:46:69 | decodeU ... ing(1)) |
| dates.js:46:36:46:55 | window.location.hash |
| dates.js:46:36:46:55 | window.location.hash |
| dates.js:46:36:46:68 | window. ... ring(1) |
| dates.js:48:31:48:90 | `Time i ... aint)}` |
| dates.js:48:31:48:90 | `Time i ... aint)}` |
| dates.js:48:42:48:88 | DateTim ... (taint) |
| dates.js:48:83:48:87 | taint |
| dates.js:49:31:49:89 | `Time i ... aint)}` |
| dates.js:49:31:49:89 | `Time i ... aint)}` |
| dates.js:49:42:49:87 | new Dat ... (taint) |
| dates.js:49:82:49:86 | taint |
| dates.js:50:31:50:104 | `Time i ... aint)}` |
| dates.js:50:31:50:104 | `Time i ... aint)}` |
| dates.js:50:42:50:102 | DateTim ... (taint) |
| dates.js:50:97:50:101 | taint |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href |
@@ -841,6 +858,22 @@ edges
| dates.js:40:42:40:82 | dayjs.f ... taint) | dates.js:40:31:40:84 | `Time i ... aint)}` |
| dates.js:40:42:40:82 | dayjs.f ... taint) | dates.js:40:31:40:84 | `Time i ... aint)}` |
| dates.js:40:77:40:81 | taint | dates.js:40:42:40:82 | dayjs.f ... taint) |
| dates.js:46:9:46:69 | taint | dates.js:48:83:48:87 | taint |
| dates.js:46:9:46:69 | taint | dates.js:49:82:49:86 | taint |
| dates.js:46:9:46:69 | taint | dates.js:50:97:50:101 | taint |
| dates.js:46:17:46:69 | decodeU ... ing(1)) | dates.js:46:9:46:69 | taint |
| dates.js:46:36:46:55 | window.location.hash | dates.js:46:36:46:68 | window. ... ring(1) |
| dates.js:46:36:46:55 | window.location.hash | dates.js:46:36:46:68 | window. ... ring(1) |
| dates.js:46:36:46:68 | window. ... ring(1) | dates.js:46:17:46:69 | decodeU ... ing(1)) |
| dates.js:48:42:48:88 | DateTim ... (taint) | dates.js:48:31:48:90 | `Time i ... aint)}` |
| dates.js:48:42:48:88 | DateTim ... (taint) | dates.js:48:31:48:90 | `Time i ... aint)}` |
| dates.js:48:83:48:87 | taint | dates.js:48:42:48:88 | DateTim ... (taint) |
| dates.js:49:42:49:87 | new Dat ... (taint) | dates.js:49:31:49:89 | `Time i ... aint)}` |
| dates.js:49:42:49:87 | new Dat ... (taint) | dates.js:49:31:49:89 | `Time i ... aint)}` |
| dates.js:49:82:49:86 | taint | dates.js:49:42:49:87 | new Dat ... (taint) |
| dates.js:50:42:50:102 | DateTim ... (taint) | dates.js:50:31:50:104 | `Time i ... aint)}` |
| dates.js:50:42:50:102 | DateTim ... (taint) | dates.js:50:31:50:104 | `Time i ... aint)}` |
| dates.js:50:97:50:101 | taint | dates.js:50:42:50:102 | DateTim ... (taint) |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |


@@ -38,4 +38,15 @@ function dateio() {
document.body.innerHTML = `Time is ${luxon.formatByString(luxon.date(), taint)}`; // NOT OK
document.body.innerHTML = `Time is ${moment.formatByString(moment.date(), taint)}`; // NOT OK
document.body.innerHTML = `Time is ${dayjs.formatByString(dayjs.date(), taint)}`; // NOT OK
}
}
import { DateTime } from "luxon";
function luxon() {
let taint = decodeURIComponent(window.location.hash.substring(1));
document.body.innerHTML = `Time is ${DateTime.now().plus({years: 1}).toFormat(taint)}`; // NOT OK
document.body.innerHTML = `Time is ${new DateTime().setLocale('fr').toFormat(taint)}`; // NOT OK
document.body.innerHTML = `Time is ${DateTime.fromISO("2020-01-01").startOf('day').toFormat(taint)}`; // NOT OK
}
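Review bot: The new `luxon()` test only exercises tainted format strings; there is no negative case pinning that a tainted date value combined with a constant format is not reported, e.g. `document.body.innerHTML = \`Time is ${DateTime.fromISO(taint).toFormat("yyyy-MM-dd")}\`; // OK`, which would guard the `toFormat` step against future over-approximation given that the model treats every member and call result of a `DateTime` as a `DateTime`. The `import { DateTime } from "luxon";` sits after earlier function definitions; ES module imports are hoisted so it works, but placing it at the top of the file matches the usual layout. The `dateio` test just above uses a `luxon` identifier (`luxon.formatByString(luxon.date(), taint)`), so if that is a top-level binding rather than a local, the new top-level `function luxon()` redeclares it — worth confirming, or renaming the test function to something like `luxonTest`. `dateio` starts outside the hunk; `luxon()` is complete within it.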