Merge pull request #13529 from jorgectf/seclab/webix-modeling

JS: Add models for `webix`
2026-04-29 18:55:14 +02:00 · 2023-07-03 12:03:18 +02:00
parent 95ddc01ccb e210b0d0a7
commit 4c9501eba5
14 changed files with 315 additions and 138 deletions
--- a/javascript/ql/lib/change-notes/2023-06-22-webix.md
+++ b/javascript/ql/lib/change-notes/2023-06-22-webix.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added models for the Webix Framework.
--- a/javascript/ql/lib/javascript.qll
+++ b/javascript/ql/lib/javascript.qll
@@ -134,6 +134,7 @@ import semmle.javascript.frameworks.TrustedTypes
 import semmle.javascript.frameworks.UriLibraries
 import semmle.javascript.frameworks.Vue
 import semmle.javascript.frameworks.Vuex
+import semmle.javascript.frameworks.Webix
 import semmle.javascript.frameworks.WebSocket
 import semmle.javascript.frameworks.XmlParsers
 import semmle.javascript.frameworks.xUnit
--- a/javascript/ql/lib/semmle/javascript/Extend.qll
+++ b/javascript/ql/lib/semmle/javascript/Extend.qll
@@ -96,7 +96,10 @@ private class ExtendCallDeep extends ExtendCall {
      callee = LodashUnderscore::member("merge") or
      callee = LodashUnderscore::member("mergeWith") or
      callee = LodashUnderscore::member("defaultsDeep") or
-      callee = AngularJS::angular().getAPropertyRead("merge")
+      callee = AngularJS::angular().getAPropertyRead("merge") or
+      callee =
+        [DataFlow::moduleImport("webix"), DataFlow::globalVarRef("webix")]
+            .getAPropertyRead(["extend", "copy"])
    )
  }

--- a/javascript/ql/lib/semmle/javascript/frameworks/Webix.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Webix.qll
@@ -0,0 +1,23 @@
+/**
+ * Provides classes and predicates for working with the `webix` library.
+ */
+
+private import javascript
+
+/**
+ * Provides classes and predicates for working with the `webix` library.
+ */
+module Webix {
+  /** The global variable `webix` as an entry point for API graphs. */
+  private class WebixGlobalEntry extends API::EntryPoint {
+    WebixGlobalEntry() { this = "WebixGlobalEntry" }
+
+    override DataFlow::SourceNode getASource() { result = DataFlow::globalVarRef("webix") }
+  }
+
+  /** Gets a reference to the Webix package. */
+  API::Node webix() {
+    result = API::moduleImport("webix") or
+    result = any(WebixGlobalEntry w).getANode()
+  }
+}
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -312,6 +312,13 @@ module CodeInjection {
    }
  }

+  /**
+   * A value interpreted as code by the `webix` library.
+   */
+  class WebixExec extends Sink {
+    WebixExec() { this = Webix::webix().getMember("exec").getParameter(0).asSink() }
+  }
+
  /** A sink for code injection via template injection. */
  abstract private class TemplateSink extends Sink {
    deprecated override string getMessageSuffix() {
@@ -419,6 +426,18 @@ module CodeInjection {
    }
  }

+  /**
+   * A value interpreted as a template by the `webix` library.
+   */
+  class WebixTemplateSink extends TemplateSink {
+    WebixTemplateSink() {
+      this = Webix::webix().getMember("ui").getParameter(0).getMember("template").asSink()
+      or
+      this =
+        Webix::webix().getMember("ui").getParameter(0).getMember("template").getReturn().asSink()
+    }
+  }
+
  /**
   * A call to JSON.stringify() seen as a sanitizer.
   */
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionCustomizations.qll
@@ -171,5 +171,9 @@ module PrototypePollution {
    call.isDeep() and
    call = AngularJS::angular().getAMemberCall("merge") and
    id = "angular"
+    or
+    call.isDeep() and
+    call = Webix::webix().getMember(["extend", "copy"]).getACall() and
+    id = "webix"
  }
 }