hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

remove paths without unmatched returns from js/prototype-polluting-assignment

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2021-09-08 13:13:00 +02:00
parent 0c9c9bbde7
commit 2dedfb302a
3 changed files with 75 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
View File

@@ -69,6 +69,14 @@ class Configuration extends TaintTracking::Configuration {
inlbl.isTaint() and
outlbl instanceof ObjectPrototype
)
or
DataFlow::localFieldStep(pred, succ) and inlbl = outlbl
}
// override to require that there is a path without unmatched return steps
override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
super.hasFlowPath(source, sink) and
DataFlow::hasPathWithoutUnmatchedReturn(source, sink)
}
override predicate isLabeledBarrier(DataFlow::Node node, DataFlow::FlowLabel lbl) {

35
javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected
View File

@@ -52,6 +52,24 @@ nodes
| lib.js:42:3:42:14 | obj[path[0]] |
| lib.js:42:7:42:10 | path |
| lib.js:42:7:42:13 | path[0] |
| lib.js:45:13:45:13 | s |
| lib.js:45:13:45:13 | s |
| lib.js:46:10:46:10 | s |
| lib.js:52:9:52:22 | path |
| lib.js:52:16:52:22 | id("x") |
| lib.js:55:11:55:22 | obj[path[0]] |
| lib.js:55:11:55:22 | obj[path[0]] |
| lib.js:55:15:55:18 | path |
| lib.js:55:15:55:21 | path[0] |
| lib.js:59:18:59:18 | s |
| lib.js:59:18:59:18 | s |
| lib.js:61:17:61:17 | s |
| lib.js:68:11:68:26 | path |
| lib.js:68:18:68:26 | this.path |
| lib.js:70:13:70:24 | obj[path[0]] |
| lib.js:70:13:70:24 | obj[path[0]] |
| lib.js:70:17:70:20 | path |
| lib.js:70:17:70:23 | path[0] |
| tst.js:5:9:5:38 | taint |
| tst.js:5:17:5:38 | String( ... y.data) |
| tst.js:5:24:5:37 | req.query.data |
@@ -141,6 +159,22 @@ edges
| lib.js:42:7:42:10 | path | lib.js:42:7:42:13 | path[0] |
| lib.js:42:7:42:13 | path[0] | lib.js:42:3:42:14 | obj[path[0]] |
| lib.js:42:7:42:13 | path[0] | lib.js:42:3:42:14 | obj[path[0]] |
| lib.js:45:13:45:13 | s | lib.js:46:10:46:10 | s |
| lib.js:45:13:45:13 | s | lib.js:46:10:46:10 | s |
| lib.js:46:10:46:10 | s | lib.js:52:16:52:22 | id("x") |
| lib.js:52:9:52:22 | path | lib.js:55:15:55:18 | path |
| lib.js:52:16:52:22 | id("x") | lib.js:52:9:52:22 | path |
| lib.js:55:15:55:18 | path | lib.js:55:15:55:21 | path[0] |
| lib.js:55:15:55:21 | path[0] | lib.js:55:11:55:22 | obj[path[0]] |
| lib.js:55:15:55:21 | path[0] | lib.js:55:11:55:22 | obj[path[0]] |
| lib.js:59:18:59:18 | s | lib.js:61:17:61:17 | s |
| lib.js:59:18:59:18 | s | lib.js:61:17:61:17 | s |
| lib.js:61:17:61:17 | s | lib.js:68:18:68:26 | this.path |
| lib.js:68:11:68:26 | path | lib.js:70:17:70:20 | path |
| lib.js:68:18:68:26 | this.path | lib.js:68:11:68:26 | path |
| lib.js:70:17:70:20 | path | lib.js:70:17:70:23 | path[0] |
| lib.js:70:17:70:23 | path[0] | lib.js:70:13:70:24 | obj[path[0]] |
| lib.js:70:17:70:23 | path[0] | lib.js:70:13:70:24 | obj[path[0]] |
| tst.js:5:9:5:38 | taint | tst.js:8:12:8:16 | taint |
| tst.js:5:9:5:38 | taint | tst.js:9:12:9:16 | taint |
| tst.js:5:9:5:38 | taint | tst.js:12:25:12:29 | taint |
@@ -184,6 +218,7 @@ edges
| lib.js:26:10:26:21 | obj[path[0]] | lib.js:25:44:25:47 | path | lib.js:26:10:26:21 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:25:44:25:47 | path | library input |
| lib.js:34:3:34:14 | obj[path[0]] | lib.js:32:14:32:20 | args[1] | lib.js:34:3:34:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:32:14:32:20 | args[1] | library input |
| lib.js:42:3:42:14 | obj[path[0]] | lib.js:40:14:40:20 | args[1] | lib.js:42:3:42:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:40:14:40:20 | args[1] | library input |
| lib.js:70:13:70:24 | obj[path[0]] | lib.js:59:18:59:18 | s | lib.js:70:13:70:24 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:59:18:59:18 | s | library input |
| tst.js:8:5:8:17 | object[taint] | tst.js:5:24:5:37 | req.query.data | tst.js:8:5:8:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input |
| tst.js:9:5:9:17 | object[taint] | tst.js:5:24:5:37 | req.query.data | tst.js:9:5:9:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input |
| tst.js:14:5:14:32 | unsafeG ... taint) | tst.js:5:24:5:37 | req.query.data | tst.js:14:5:14:32 | unsafeG ... taint) | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input |

33
javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js
View File

@@ -40,4 +40,35 @@ module.exports.setWithArgs3 = function() {
var path = args[1];
var value = args[2];
obj[path[0]][path[1]] = value; // NOT OK
}
}
function id(s) {
return s;
}
module.exports.id = id;
module.exports.notVulnerable = function () {
const path = id("x");
const value = id("y");
const obj = id("z");
return (obj[path[0]][path[1]] = value); // OK
}
class Foo {
constructor(o, s, v) {
this.obj = o;
this.path = s;
this.value = v;
}
doXss() {
// not called here, but still bad.
const obj = this.obj;
const path = this.path;
const value = this.value;
return (obj[path[0]][path[1]] = value); // NOT OK
}
}
module.exports.Foo = Foo;