JS: Add steps and sinks for pipes

This commit is contained in:
Asger Feldthaus
2021-07-20 13:58:21 +02:00
parent 23eeb49959
commit 2412f530f9
3 changed files with 23 additions and 0 deletions


@@ -25,6 +25,8 @@ class JsonStringifyCall extends DataFlow::CallNode {
callee = DataFlow::moduleMember("util", "inspect") or
callee = DataFlow::moduleImport(["pretty-format", "object-inspect"])
)
or
this = Templating::getAPipeCall(["json", "dump"])
}
/**
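Review bot: The new alternative `this = Templating::getAPipeCall(["json", "dump"])` relies on the pipe call exposing its piped-in value as argument 0, as the `safe` step and sink elsewhere in this commit do via `call.getArgument(0)`; if `JsonStringifyCall` defines its input/output members on that assumption (they are outside the hunk), a one-line comment above the new line would make the dependency explicit, e.g. `// A `json`/`dump` pipe in a template; the serialized value is argument 0 of the pipe call.` The class QLDoc above this hunk should also mention template pipes, since it presumably only describes `JSON.stringify`-style calls today. The characteristic predicate of `JsonStringifyCall` starts outside the hunk.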


@@ -531,4 +531,15 @@ module Templating {
not file.getExtension() = any(TemplateSyntax s).getAFileExtension() and
result = getTemplateSyntaxInFolder(file.getParentContainer())
}
/** A step through the `safe` pipe, which bypasses HTML escaping. */
private class SafePipeStep extends TaintTracking::SharedTaintStep {
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
exists(DataFlow::CallNode call |
call = getAPipeCall("safe") and
pred = call.getArgument(0) and
succ = call
)
}
}
}
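Review bot: The QLDoc on `SafePipeStep` says what the pipe does but not why a taint step is needed on top of the `SafePipe` sink added in the same commit, which a maintainer will wonder about when both match the same `getArgument(0)`; I would extend the comment to `/** A step through the `safe` pipe, which bypasses HTML escaping. The step keeps taint flowing to later uses of the marked-safe value; the value piped into `safe` is separately an XSS sink. */`. Whether the step is limited to template files depends on `getAPipeCall`, which is defined outside this hunk, so it is worth stating that in the same comment. If the supported template syntaxes have other pass-through pipes, they get no step here; a `// TODO: only `safe` is modelled as a pass-through pipe` would make that gap visible rather than silent.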


@@ -381,6 +381,16 @@ module DomBasedXss {
}
}
/**
* A value being piped into the `safe` pipe in a template file,
* disabling subsequent HTML escaping.
*/
class SafePipe extends DomBasedXss::Sink {
SafePipe() {
this = Templating::getAPipeCall("safe").getArgument(0)
}
}
/**
* A property read from a safe property is considered a sanitizer.
*/
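Review bot: `SafePipe` is declared inside `module DomBasedXss` (per the hunk header) yet names its superclass as `DomBasedXss::Sink`; if the neighbouring sink classes in this module use the unqualified `Sink`, `class SafePipe extends Sink {` would be the consistent spelling. Placing this sink only in `DomBasedXss` is a choice worth recording: a `safe` pipe in a server-rendered template disables escaping just as much as in a client-side one, and I cannot tell from the hunk which template kinds `Templating::getAPipeCall` covers, so a sentence in the QLDoc such as `* Modelled as a DOM-based XSS sink; server-side template engines are covered here as well (if that is the case).` would state the intent. The enclosing `DomBasedXss` module continues outside the hunk.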