Merge pull request #2741 from esbena/js/split-and-slice-for-tainted-path

Approved by erik-krogh
2025-12-21 11:16:30 +01:00 · 2020-02-05 10:53:39 +00:00
parent 2928f9e5b2 8a2c81b41c
commit 53763c789f
5 changed files with 1021 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
@@ -67,6 +67,40 @@ module TaintedPath {
        read.getPropertyName() != "length" and
        srclabel = dstlabel
      )
+      or
+      // string method calls of interest
+      exists(DataFlow::MethodCallNode mcn, string name |
+        srclabel = dstlabel and dst = mcn and mcn.calls(src, name)
+      |
+        exists(string substringMethodName |
+          substringMethodName = "substr" or
+          substringMethodName = "substring" or
+          substringMethodName = "slice"
+        |
+          name = substringMethodName and
+          // to avoid very dynamic transformations, require at least one fixed index
+          exists(mcn.getAnArgument().asExpr().getIntValue())
+        )
+        or
+        exists(string argumentlessMethodName |
+          argumentlessMethodName = "toLocaleLowerCase" or
+          argumentlessMethodName = "toLocaleUpperCase" or
+          argumentlessMethodName = "toLowerCase" or
+          argumentlessMethodName = "toUpperCase" or
+          argumentlessMethodName = "trim" or
+          argumentlessMethodName = "trimLeft" or
+          argumentlessMethodName = "trimRight"
+        |
+          name = argumentlessMethodName
+        )
+        or
+        name = "split" and
+        not exists(DataFlow::Node splitBy | splitBy = mcn.getArgument(0) |
+          splitBy.mayHaveStringValue("/") or
+          any(DataFlow::RegExpLiteralNode reg | reg.getRoot().getAMatchedString() = "/")
+              .flowsTo(splitBy)
+        )
+      )
    }

    /**