add process.env as source for js/clear-text-logging

2026-04-25 16:55:19 +02:00 · 2019-10-29 11:46:16 +01:00
parent b12e255fd8
commit 297c71a64b
4 changed files with 49 additions and 10 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLogging.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLogging.qll
@@ -42,6 +42,14 @@ module CleartextLogging {
        write.getRhs() = src and
        trg.(DataFlow::SourceNode).flowsTo(write.getBase())
      )
+      or
+      // Taint step through `util.inspect(..)` from Node.js
+      trg = DataFlow::moduleImport("util").getAMethodCall("inspect") and
+      trg.(DataFlow::CallNode).getAnArgument() = src
+      or
+      // Taint step through a `str.replace(..)` call.
+      trg.(DataFlow::MethodCallNode).getCalleeName() = "replace" and
+      trg.(DataFlow::MethodCallNode).getReceiver() = src
    }
  }
 }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -144,4 +144,13 @@ module CleartextLogging {

    override string describe() { result = "a call to " + name }
  }
+
+
+  private class ProcessEnvSource extends Source {
+    ProcessEnvSource() {
+      this = DataFlow::globalVarRef("process").getAPropertyRead("env")
+    }
+
+    override string describe() { result = "process environment" }
+  }
 }