add support for the debug library

Erik Krogh Kristensen
2021-06-02 23:11:15 +02:00
parent 8e6dd51f50
commit 431c995131
4 changed files with 38 additions and 1 deletions


@@ -0,0 +1,4 @@
lgtm,codescanning
* Logging calls using the [debug](https://npmjs.com/package/immutable) library are now recognized.
Affected packages are
[debug](https://npmjs.com/package/debug)


@@ -192,3 +192,12 @@ private module Fancylog {
override DataFlow::Node getAMessageComponent() { result = getAnArgument() }
}
}
/**
* A class modelling [debug](https://npmjs.org/package/debug) as a logging mechanism.
*/
private class DebugLoggerCall extends LoggerCall, API::CallNode {
DebugLoggerCall() { this = API::moduleImport("debug").getReturn().getACall() }
override DataFlow::Node getAMessageComponent() { result = getAnArgument() }
}
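Review bot: The characteristic predicate of `DebugLoggerCall` only matches calls on the value returned directly by `require("debug")(...)`, so a logger derived through the library's `extend` method (`debug.extend("sub")`) would not be treated as a logging sink, and sensitive data passed to it would go unreported. If that is in scope, the constructor could also accept `API::moduleImport("debug").getReturn().getMember("extend").getReturn().getACall()` alongside the existing case, with a matching line in the test file. The doc comment could also state that every argument, including the format string, is treated as a message component. Separately, the change note's link text says `debug` but its target is `npmjs.com/package/immutable`, which looks like a copy-paste slip.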


@@ -125,6 +125,14 @@ nodes
| passwords.js:164:14:164:21 | password |
| passwords.js:164:14:164:42 | passwor ... g, "*") |
| passwords.js:164:14:164:42 | passwor ... g, "*") |
| passwords.js:169:17:169:24 | password |
| passwords.js:169:17:169:24 | password |
| passwords.js:169:17:169:45 | passwor ... g, "*") |
| passwords.js:169:17:169:45 | passwor ... g, "*") |
| passwords.js:170:11:170:18 | password |
| passwords.js:170:11:170:18 | password |
| passwords.js:170:11:170:39 | passwor ... g, "*") |
| passwords.js:170:11:170:39 | passwor ... g, "*") |
| passwords_in_browser1.js:2:13:2:20 | password |
| passwords_in_browser1.js:2:13:2:20 | password |
| passwords_in_browser1.js:2:13:2:20 | password |
@@ -261,6 +269,14 @@ edges
| passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
| passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
| passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
| passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") |
| passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") |
| passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") |
| passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") |
| passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
| passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
| passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
| passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
| passwords_in_browser1.js:2:13:2:20 | password | passwords_in_browser1.js:2:13:2:20 | password |
| passwords_in_browser2.js:2:13:2:20 | password | passwords_in_browser2.js:2:13:2:20 | password |
| passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password |
@@ -304,6 +320,8 @@ edges
| passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env | Sensitive data returned by $@ is logged here. | passwords.js:156:17:156:27 | process.env | process environment |
| passwords.js:163:14:163:41 | passwor ... g, "*") | passwords.js:163:14:163:21 | password | passwords.js:163:14:163:41 | passwor ... g, "*") | Sensitive data returned by $@ is logged here. | passwords.js:163:14:163:21 | password | an access to password |
| passwords.js:164:14:164:42 | passwor ... g, "*") | passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") | Sensitive data returned by $@ is logged here. | passwords.js:164:14:164:21 | password | an access to password |
| passwords.js:169:17:169:45 | passwor ... g, "*") | passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") | Sensitive data returned by $@ is logged here. | passwords.js:169:17:169:24 | password | an access to password |
| passwords.js:170:11:170:39 | passwor ... g, "*") | passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") | Sensitive data returned by $@ is logged here. | passwords.js:170:11:170:18 | password | an access to password |
| passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_1.js:6:13:6:20 | password | an access to password |
| passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_2.js:3:13:3:20 | password | an access to password |
| passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_3.js:2:13:2:20 | password | an access to password |


@@ -162,4 +162,10 @@ var Util = require('util');
console.log(password.replace(/./g, "*")); // OK!
console.log(password.replace(/\./g, "*")); // NOT OK!
console.log(password.replace(/foo/g, "*")); // NOT OK!
})();
})();
const debug = require('debug')('test');
(function () {
console.log(password.replace(/foo/g, "*")); // NOT OK
debug(password.replace(/foo/g, "*")); // NOT OK
});
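Review bot: The new function expression wrapping the two logging calls ends in `});` and is never invoked, unlike the IIFE right above it that ends in `})();`. The static analysis still reports both lines according to the expected output, but the fixture would be more consistent as `})();`. The test also covers only the flagged case for the new sink: adding `debug(password.replace(/./g, "*")); // OK` would pin that the full-masking sanitizer is honoured for `debug` calls as it is for `console.log`. The file starts outside the hunk, so where `password` is declared is not visible here.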