Merge pull request #10347 from erik-krogh/mermaid

JS: add a markdown step through the `mermaid` library
2026-05-02 04:05:14 +02:00 · 2022-09-08 12:41:58 +02:00
parent 1d834799a2 0407198dd2
commit 57bf92a70c
4 changed files with 101 additions and 1 deletions
--- a/javascript/ql/lib/change-notes/2022-08-09-mermaid.md
+++ b/javascript/ql/lib/change-notes/2022-08-09-mermaid.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* A model for the `mermaid` library has been added. XSS queries can now detect flow through the `render` method of the `mermaid` library. 
--- a/javascript/ql/lib/semmle/javascript/frameworks/Markdown.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Markdown.qll
@@ -78,6 +78,32 @@ module Markdown {
    }
  }

+  /** A taint step for the `mermaid` library. */
+  private class MermaidStep extends MarkdownStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(API::CallNode call |
+        call =
+          [API::moduleImport("mermaid"), API::moduleImport("mermaid").getMember("mermaidAPI")]
+              .getMember("render")
+              .getACall()
+      |
+        succ = [call, call.getParameter(2).getParameter(0).asSource()] and
+        pred = call.getArgument(1)
+      )
+      or
+      exists(DataFlow::CallNode call |
+        call =
+          [
+            DataFlow::globalVarRef("mermaid"),
+            DataFlow::globalVarRef("mermaid").getAPropertyRead("mermaidAPI")
+          ].getAMemberCall("render")
+      |
+        succ = [call.(DataFlow::Node), call.getABoundCallbackParameter(2, 0)] and
+        pred = call.getArgument(1)
+      )
+    }
+  }
+
  /**
   * Classes and predicates for modeling taint steps in `unified` and `remark`.
   */