JS: Add environment threat-model source

2026-05-01 03:35:13 +02:00 · 2024-08-19 11:52:00 +02:00
parent f733ac19a9
commit 412e841d69
4 changed files with 53 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
@@ -1244,4 +1244,13 @@ module NodeJSLib {
      result = moduleImport().getAPropertyRead(member)
    }
  }
+
+  /** A read of `process.env`, considered as a threat-model source. */
+  private class ProcessEnvThreatSource extends ThreatModelSource::Range {
+    ProcessEnvThreatSource() { this = NodeJSLib::process().getAPropertyRead("env") }
+
+    override string getThreatModel() { result = "environment" }
+
+    override string getSourceType() { result = "process.env" }
+  }
 }