Merge pull request #665 from asger-semmle/js-property-concat-sanitizer

Approved by esben-semmle, xiemaisi
2026-04-30 11:15:13 +02:00 · 2019-01-16 08:44:55 +00:00
parent cf3a4ac956 f4c89601ff
commit 5bc17923b1
10 changed files with 77 additions and 22 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/UnsafeDynamicMethodAccess.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/UnsafeDynamicMethodAccess.expected
@@ -23,6 +23,10 @@ nodes
 | tst.js:11:7:11:18 | message.name |
 | tst.js:15:5:15:14 | window[ev] |
 | tst.js:15:12:15:13 | ev |
+| tst.js:21:5:21:29 | window[ ... e.name] |
+| tst.js:21:12:21:28 | '' + message.name |
+| tst.js:21:17:21:23 | message |
+| tst.js:21:17:21:28 | message.name |
 edges
 | example.js:9:37:9:38 | ev | example.js:10:30:10:31 | ev |
 | example.js:10:9:10:37 | message | example.js:13:12:13:18 | message |
@@ -36,6 +40,7 @@ edges
 | tst.js:4:9:4:37 | message | tst.js:5:12:5:18 | message |
 | tst.js:4:9:4:37 | message | tst.js:6:16:6:22 | message |
 | tst.js:4:9:4:37 | message | tst.js:11:7:11:13 | message |
+| tst.js:4:9:4:37 | message | tst.js:21:17:21:23 | message |
 | tst.js:4:19:4:37 | JSON.parse(ev.data) | tst.js:4:9:4:37 | message |
 | tst.js:4:30:4:31 | ev | tst.js:4:30:4:36 | ev.data |
 | tst.js:4:30:4:36 | ev.data | tst.js:4:19:4:37 | JSON.parse(ev.data) |
@@ -46,9 +51,13 @@ edges
 | tst.js:11:7:11:13 | message | tst.js:11:7:11:18 | message.name |
 | tst.js:11:7:11:18 | message.name | tst.js:11:5:11:19 | f[message.name] |
 | tst.js:15:12:15:13 | ev | tst.js:15:5:15:14 | window[ev] |
+| tst.js:21:12:21:28 | '' + message.name | tst.js:21:5:21:29 | window[ ... e.name] |
+| tst.js:21:17:21:23 | message | tst.js:21:17:21:28 | message.name |
+| tst.js:21:17:21:28 | message.name | tst.js:21:12:21:28 | '' + message.name |
 #select
 | example.js:13:5:13:24 | window[message.name] | example.js:9:37:9:38 | ev | example.js:13:5:13:24 | window[message.name] | Invocation of method derived from $@ may lead to remote code execution. | example.js:9:37:9:38 | ev | user-controlled value |
 | tst.js:5:5:5:24 | window[message.name] | tst.js:3:37:3:38 | ev | tst.js:5:5:5:24 | window[message.name] | Invocation of method derived from $@ may lead to remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value |
 | tst.js:6:9:6:28 | window[message.name] | tst.js:3:37:3:38 | ev | tst.js:6:9:6:28 | window[message.name] | Invocation of method derived from $@ may lead to remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value |
 | tst.js:11:5:11:19 | f[message.name] | tst.js:3:37:3:38 | ev | tst.js:11:5:11:19 | f[message.name] | Invocation of method derived from $@ may lead to remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value |
 | tst.js:15:5:15:14 | window[ev] | tst.js:3:37:3:38 | ev | tst.js:15:5:15:14 | window[ev] | Invocation of method derived from $@ may lead to remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value |
+| tst.js:21:5:21:29 | window[ ... e.name] | tst.js:3:37:3:38 | ev | tst.js:21:5:21:29 | window[ ... e.name] | Invocation of method derived from $@ may lead to remote code execution. | tst.js:3:37:3:38 | ev | user-controlled value |
--- a/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-094/UnsafeDynamicMethodAccess/tst.js
@@ -13,4 +13,10 @@ window.addEventListener('message', (ev) => {
    obj[message.name](message.payload); // OK - may crash, but no code execution involved

    window[ev](ev); // NOT OK
+
+    window[configData() + ' ' + message.name](message.payload); // OK - concatenation restricts choice of methods
+
+    window[configData() + message.name](message.payload); // OK - concatenation restricts choice of methods
+
+    window['' + message.name](message.payload); // NOT OK - coercion does not restrict choice of methods
 });
--- a/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCall.expected
@@ -46,6 +46,14 @@ nodes
 | tst.js:26:11:26:14 | name |
 | tst.js:28:7:28:15 | obj[name] |
 | tst.js:28:11:28:14 | name |
+| tst.js:34:9:34:24 | key |
+| tst.js:34:15:34:24 | "$" + name |
+| tst.js:34:21:34:24 | name |
+| tst.js:35:5:35:12 | obj[key] |
+| tst.js:35:5:35:12 | obj[key] |
+| tst.js:35:9:35:11 | key |
+| tst.js:37:7:37:14 | obj[key] |
+| tst.js:37:11:37:13 | key |
 | tst.js:47:39:47:40 | ev |
 | tst.js:48:9:48:39 | name |
 | tst.js:48:16:48:34 | JSON.parse(ev.data) |
@@ -78,6 +86,7 @@ edges
 | tst.js:7:9:7:39 | name | tst.js:21:11:21:14 | name |
 | tst.js:7:9:7:39 | name | tst.js:26:11:26:14 | name |
 | tst.js:7:9:7:39 | name | tst.js:28:11:28:14 | name |
+| tst.js:7:9:7:39 | name | tst.js:34:21:34:24 | name |
 | tst.js:7:16:7:34 | JSON.parse(ev.data) | tst.js:7:16:7:39 | JSON.pa ... a).name |
 | tst.js:7:16:7:39 | JSON.pa ... a).name | tst.js:7:9:7:39 | name |
 | tst.js:7:27:7:28 | ev | tst.js:7:27:7:33 | ev.data |
@@ -101,6 +110,13 @@ edges
 | tst.js:26:11:26:14 | name | tst.js:26:7:26:15 | obj[name] |
 | tst.js:26:11:26:14 | name | tst.js:26:7:26:15 | obj[name] |
 | tst.js:28:11:28:14 | name | tst.js:28:7:28:15 | obj[name] |
+| tst.js:34:9:34:24 | key | tst.js:35:9:35:11 | key |
+| tst.js:34:9:34:24 | key | tst.js:37:11:37:13 | key |
+| tst.js:34:15:34:24 | "$" + name | tst.js:34:9:34:24 | key |
+| tst.js:34:21:34:24 | name | tst.js:34:15:34:24 | "$" + name |
+| tst.js:35:9:35:11 | key | tst.js:35:5:35:12 | obj[key] |
+| tst.js:35:9:35:11 | key | tst.js:35:5:35:12 | obj[key] |
+| tst.js:37:11:37:13 | key | tst.js:37:7:37:14 | obj[key] |
 | tst.js:47:39:47:40 | ev | tst.js:48:27:48:28 | ev |
 | tst.js:48:9:48:39 | name | tst.js:49:19:49:22 | name |
 | tst.js:48:16:48:34 | JSON.parse(ev.data) | tst.js:48:16:48:39 | JSON.pa ... a).name |
@@ -128,4 +144,7 @@ edges
 | tst.js:26:7:26:15 | obj[name] | tst.js:6:39:6:40 | ev | tst.js:26:7:26:15 | obj[name] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled |
 | tst.js:26:7:26:15 | obj[name] | tst.js:6:39:6:40 | ev | tst.js:26:7:26:15 | obj[name] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled |
 | tst.js:28:7:28:15 | obj[name] | tst.js:6:39:6:40 | ev | tst.js:28:7:28:15 | obj[name] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled |
+| tst.js:35:5:35:12 | obj[key] | tst.js:6:39:6:40 | ev | tst.js:35:5:35:12 | obj[key] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled |
+| tst.js:35:5:35:12 | obj[key] | tst.js:6:39:6:40 | ev | tst.js:35:5:35:12 | obj[key] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled |
+| tst.js:37:7:37:14 | obj[key] | tst.js:6:39:6:40 | ev | tst.js:37:7:37:14 | obj[key] | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:6:39:6:40 | ev | user-controlled |
 | tst.js:50:5:50:6 | fn | tst.js:47:39:47:40 | ev | tst.js:50:5:50:6 | fn | Invocation of method with $@ name may dispatch to unexpected target and cause an exception. | tst.js:47:39:47:40 | ev | user-controlled |
--- a/javascript/ql/test/query-tests/Security/CWE-754/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-754/tst.js
@@ -32,9 +32,9 @@
    }

    let key = "$" + name;
-    obj[key]();     // NOT OK, but not flagged
+    obj[key]();     // NOT OK
    if (typeof obj[key] === 'function')
-      obj[key]();   // OK
+      obj[key]();   // OK - but still flagged

    if (typeof fn === 'function') {
      fn.apply(obj); // OK