Merge pull request #5419 from erik-krogh/forgery

Approved by asgerf
2026-05-05 21:55:19 +02:00 · 2021-03-19 12:56:53 +00:00
parent 98c1aa5298 ed8e0fb593
commit 3b117f5218
12 changed files with 227 additions and 62 deletions
--- a/javascript/ql/test/ApiGraphs/typed/NodeOfType.expected
+++ b/javascript/ql/test/ApiGraphs/typed/NodeOfType.expected
@@ -1,3 +1,4 @@
 | mongodb | Collection | index.ts:14:3:14:17 | getCollection() |
 | mongoose | Model | index.ts:22:3:22:20 | getMongooseModel() |
 | mongoose | Query | index.ts:23:3:23:20 | getMongooseQuery() |
+| puppeteer | Browser | index.ts:30:22:30:33 | this.browser |
--- a/javascript/ql/test/ApiGraphs/typed/index.ts
+++ b/javascript/ql/test/ApiGraphs/typed/index.ts
@@ -22,3 +22,11 @@ app.post("/find", (req, res) => {
  getMongooseModel().find({ id: v }); /* def (parameter 0 (member find (instance (member Model (member exports (module mongoose)))))) */
  getMongooseQuery().find({ id: v }); /* def (parameter 0 (member find (instance (member Query (member exports (module mongoose)))))) */
 });
+
+import * as puppeteer from 'puppeteer';
+class Renderer {
+    private browser: puppeteer.Browser;
+    foo(): void {
+        const page = this.browser.newPage(); /* use (instance (member Browser (member exports (module puppeteer)))) */
+    }
+}
--- a/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
+++ b/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
@@ -5,6 +5,9 @@ test_ClientRequest
 | apollo.js:17:1:17:34 | new Pre ... yurl"}) |
 | apollo.js:20:1:20:77 | createN ... phql'}) |
 | apollo.js:23:1:23:31 | new Web ... wsUri}) |
+| puppeteer.ts:6:11:6:42 | page.go ... e.com') |
+| puppeteer.ts:8:5:8:61 | page.ad ... css" }) |
+| puppeteer.ts:18:30:18:50 | page.go ... estUrl) |
 | tst.js:11:5:11:16 | request(url) |
 | tst.js:13:5:13:20 | request.get(url) |
 | tst.js:15:5:15:23 | request.delete(url) |
@@ -138,6 +141,9 @@ test_getUrl
 | apollo.js:17:1:17:34 | new Pre ... yurl"}) | apollo.js:17:26:17:32 | "myurl" |
 | apollo.js:20:1:20:77 | createN ... phql'}) | apollo.js:20:30:20:75 | 'https: ... raphql' |
 | apollo.js:23:1:23:31 | new Web ... wsUri}) | apollo.js:23:25:23:29 | wsUri |
+| puppeteer.ts:6:11:6:42 | page.go ... e.com') | puppeteer.ts:6:21:6:41 | 'https: ... le.com' |
+| puppeteer.ts:8:5:8:61 | page.ad ... css" }) | puppeteer.ts:8:29:8:58 | "http:/ ... le.css" |
+| puppeteer.ts:18:30:18:50 | page.go ... estUrl) | puppeteer.ts:18:40:18:49 | requestUrl |
 | tst.js:11:5:11:16 | request(url) | tst.js:11:13:11:15 | url |
 | tst.js:13:5:13:20 | request.get(url) | tst.js:13:17:13:19 | url |
 | tst.js:15:5:15:23 | request.delete(url) | tst.js:15:20:15:22 | url |
--- a/javascript/ql/test/library-tests/frameworks/ClientRequests/puppeteer.ts
+++ b/javascript/ql/test/library-tests/frameworks/ClientRequests/puppeteer.ts
@@ -0,0 +1,20 @@
+import * as puppeteer from 'puppeteer';
+
+(async () => {
+    const browser = await puppeteer.launch();
+    const page = await browser.newPage();
+    await page.goto('https://example.com');
+
+    page.addStyleTag({ url: "http://example.org/style.css" })
+})();
+
+class Renderer {
+    private browser: puppeteer.Browser;
+    constructor(browser: puppeteer.Browser) {
+        this.browser = browser;
+    }
+    async foo(requestUrl: string): Promise<void> {
+        const page = await this.browser.newPage();
+        let response = await page.goto(requestUrl);
+    }
+}
--- a/javascript/ql/test/library-tests/frameworks/ClientRequests/tsconfig.json
+++ b/javascript/ql/test/library-tests/frameworks/ClientRequests/tsconfig.json
@@ -0,0 +1 @@
+{}
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -2168,6 +2168,24 @@ nodes
 | other-fs-libraries.js:42:53:42:56 | path |
 | other-fs-libraries.js:42:53:42:56 | path |
 | other-fs-libraries.js:42:53:42:56 | path |
+| pupeteer.js:5:9:5:71 | tainted |
+| pupeteer.js:5:9:5:71 | tainted |
+| pupeteer.js:5:9:5:71 | tainted |
+| pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
+| pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
+| pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name |
+| pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:13:37:13:43 | tainted |
 | tainted-access-paths.js:6:7:6:48 | path |
 | tainted-access-paths.js:6:7:6:48 | path |
 | tainted-access-paths.js:6:7:6:48 | path |
@@ -6403,6 +6421,27 @@ edges
 | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:38:14:38:37 | url.par ... , true) |
 | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:38:14:38:37 | url.par ... , true) |
 | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:38:14:38:37 | url.par ... , true) |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:9:28:9:34 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:5:9:5:71 | tainted | pupeteer.js:13:37:13:43 | tainted |
+| pupeteer.js:5:19:5:71 | "dir/"  ... t.data" | pupeteer.js:5:9:5:71 | tainted |
+| pupeteer.js:5:19:5:71 | "dir/"  ... t.data" | pupeteer.js:5:9:5:71 | tainted |
+| pupeteer.js:5:19:5:71 | "dir/"  ... t.data" | pupeteer.js:5:9:5:71 | tainted |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
+| pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:5:19:5:71 | "dir/"  ... t.data" |
 | tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
 | tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
 | tainted-access-paths.js:6:7:6:48 | path | tainted-access-paths.js:8:19:8:22 | path |
@@ -8007,6 +8046,8 @@ edges
 | other-fs-libraries.js:40:35:40:38 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:40:35:40:38 | path | This path depends on $@. | other-fs-libraries.js:38:24:38:30 | req.url | a user-provided value |
 | other-fs-libraries.js:41:50:41:53 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:41:50:41:53 | path | This path depends on $@. | other-fs-libraries.js:38:24:38:30 | req.url | a user-provided value |
 | other-fs-libraries.js:42:53:42:56 | path | other-fs-libraries.js:38:24:38:30 | req.url | other-fs-libraries.js:42:53:42:56 | path | This path depends on $@. | other-fs-libraries.js:38:24:38:30 | req.url | a user-provided value |
+| pupeteer.js:9:28:9:34 | tainted | pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:9:28:9:34 | tainted | This path depends on $@. | pupeteer.js:5:28:5:53 | parseTo ... t).name | a user-provided value |
+| pupeteer.js:13:37:13:43 | tainted | pupeteer.js:5:28:5:53 | parseTo ... t).name | pupeteer.js:13:37:13:43 | tainted | This path depends on $@. | pupeteer.js:5:28:5:53 | parseTo ... t).name | a user-provided value |
 | tainted-access-paths.js:8:19:8:22 | path | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:8:19:8:22 | path | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
 | tainted-access-paths.js:12:19:12:25 | obj.sub | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:12:19:12:25 | obj.sub | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
 | tainted-access-paths.js:26:19:26:26 | obj.sub3 | tainted-access-paths.js:6:24:6:30 | req.url | tainted-access-paths.js:26:19:26:26 | obj.sub3 | This path depends on $@. | tainted-access-paths.js:6:24:6:30 | req.url | a user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js
+++ b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/pupeteer.js
@@ -0,0 +1,18 @@
+const puppeteer = require('puppeteer');
+const parseTorrent = require('parse-torrent');
+
+(async () => {
+    let tainted = "dir/" + parseTorrent(torrent).name + ".torrent.data";
+
+    const browser = await puppeteer.launch();
+    const page = await browser.newPage();
+    await page.pdf({ path: tainted, format: 'a4' });
+
+    const pages = await browser.pages();
+    for (let i = 0; i < something(); i++) {
+        pages[i].screenshot({ path: tainted });
+    }
+
+    await browser.close();
+})();
+