add more template sinks for the js/code-injection query

2026-04-28 18:25:24 +02:00 · 2021-06-22 20:24:42 +02:00
parent eb95dff746
commit 2ba2642c7a
5 changed files with 211 additions and 84 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -197,11 +197,63 @@ module CodeInjection {
  }

  /**
-   * A value interpreted as a tempalte by the `dot` library.
+   * A value interpreted as a template by the `handlebars` library.
+   */
+  class HandlebarsTemplateSink extends TemplateSink {
+    HandlebarsTemplateSink() {
+      this = any(Handlebars::Handlebars h).getAMemberCall("compile").getArgument(0)
+    }
+  }
+
+  /**
+   * A value interpreted as a template by the `mustache` library.
+   */
+  class MustacheTemplateSink extends TemplateSink {
+    MustacheTemplateSink() {
+      this = DataFlow::moduleMember("mustache", "render").getACall().getArgument(0)
+    }
+  }
+
+  /**
+   * A value interpreted as a template by the `hogan.js` library.
+   */
+  class HoganTemplateSink extends TemplateSink {
+    HoganTemplateSink() {
+      this = DataFlow::moduleMember("hogan.js", "compile").getACall().getArgument(0)
+    }
+  }
+
+  /**
+   * A value interpreted as a template by the `eta` library.
+   */
+  class EtaTemplateSink extends TemplateSink {
+    EtaTemplateSink() { this = DataFlow::moduleMember("eta", "render").getACall().getArgument(0) }
+  }
+
+  /**
+   * A value interpreted as a template by the `squirrelly` library.
+   */
+  class SquirrelTemplateSink extends TemplateSink {
+    SquirrelTemplateSink() {
+      this = DataFlow::moduleMember("squirrelly", "render").getACall().getArgument(0)
+    }
+  }
+
+  /**
+   * A value interpreted as a template by the `whiskers` library.
+   */
+  class WhiskersTemplateSink extends TemplateSink {
+    WhiskersTemplateSink() {
+      this = DataFlow::moduleMember("whiskers", "render").getACall().getArgument(0)
+    }
+  }
+
+  /**
+   * A value interpreted as a template by the `dot` library.
   */
  class DotTemplateSink extends TemplateSink {
    DotTemplateSink() {
-      this = DataFlow::moduleImport("dot").getAMemberCall("template").getArgument(0)
+      this = DataFlow::moduleImport("dot").getAMemberCall(["template", "compile"]).getArgument(0)
    }
  }