Packaging: Rafactor Javascript core libraries

Extract the external facing `qll` files into the codeql/javascript-all query pack.
2026-05-05 21:55:19 +02:00 · 2021-08-25 12:02:31 -07:00
parent 48344d9ffc
commit 45d1fa7f01
410 changed files with 41 additions and 10 deletions
--- a/javascript/ql/lib/semmle/javascript/JsonStringifiers.qll
+++ b/javascript/ql/lib/semmle/javascript/JsonStringifiers.qll
@@ -0,0 +1,76 @@
+/**
+ * Provides classes for working with JSON serializers.
+ */
+
+import javascript
+
+/**
+ * A call to a JSON stringifier such as `JSON.stringify` or `require("util").inspect`.
+ */
+class JsonStringifyCall extends DataFlow::CallNode {
+  JsonStringifyCall() {
+    exists(DataFlow::SourceNode callee | this = callee.getACall() |
+      callee = DataFlow::globalVarRef("JSON").getAPropertyRead("stringify") or
+      callee =
+        DataFlow::moduleMember(["json3", "json5", "flatted", "teleport-javascript", "json-cycle"],
+          "stringify") or
+      callee = API::moduleImport("replicator").getInstance().getMember("encode").getAnImmediateUse() or
+      callee =
+        DataFlow::moduleImport([
+            "json-stringify-safe", "json-stable-stringify", "stringify-object",
+            "fast-json-stable-stringify", "fast-safe-stringify", "javascript-stringify",
+            "js-stringify", "safe-stable-stringify", "fast-json-stringify"
+          ]) or
+      // require("util").inspect() and similar
+      callee = DataFlow::moduleMember("util", "inspect") or
+      callee = DataFlow::moduleImport(["pretty-format", "object-inspect"])
+    )
+    or
+    this = Templating::getAPipeCall(["json", "dump"])
+  }
+
+  /**
+   * Gets the data flow node holding the input object to be stringified.
+   */
+  DataFlow::Node getInput() { result = getArgument(0) }
+
+  /**
+   * Gets the data flow node holding the resulting string.
+   */
+  DataFlow::SourceNode getOutput() { result = this }
+}
+
+/**
+ * A taint step through the [`json2csv`](https://www.npmjs.com/package/json2csv) library.
+ */
+class JSON2CSVTaintStep extends TaintTracking::SharedTaintStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call |
+      call =
+        API::moduleImport("json2csv")
+            .getMember("Parser")
+            .getInstance()
+            .getMember("parse")
+            .getACall()
+    |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}
+
+/**
+ * A step through the [`prettyjson`](https://www.npmjs.com/package/prettyjson) library.
+ * This is not quite a `JSON.stringify` call, as it e.g. does not wrap keys in double quotes.
+ * It's therefore modelled as a taint-step rather than as a `JSON.stringify` call.
+ */
+class PrettyJSONTaintStep extends TaintTracking::SharedTaintStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call |
+      call = API::moduleImport("prettyjson").getMember("render").getACall()
+    |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}