mirror of
https://github.com/github/codeql.git
synced 2026-04-25 16:55:19 +02:00
add process.env as source for js/clear-text-logging
This commit is contained in:
@@ -42,6 +42,14 @@ module CleartextLogging {
|
||||
write.getRhs() = src and
|
||||
trg.(DataFlow::SourceNode).flowsTo(write.getBase())
|
||||
)
|
||||
or
|
||||
// Taint step through `util.inspect(..)` from Node.js
|
||||
trg = DataFlow::moduleImport("util").getAMethodCall("inspect") and
|
||||
trg.(DataFlow::CallNode).getAnArgument() = src
|
||||
or
|
||||
// Taint step through a `str.replace(..)` call.
|
||||
trg.(DataFlow::MethodCallNode).getCalleeName() = "replace" and
|
||||
trg.(DataFlow::MethodCallNode).getReceiver() = src
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -144,4 +144,13 @@ module CleartextLogging {
|
||||
|
||||
override string describe() { result = "a call to " + name }
|
||||
}
|
||||
|
||||
|
||||
private class ProcessEnvSource extends Source {
|
||||
ProcessEnvSource() {
|
||||
this = DataFlow::globalVarRef("process").getAPropertyRead("env")
|
||||
}
|
||||
|
||||
override string describe() { result = "process environment" }
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user