JS: Model readline as a stdin threat-model source

Technically not always true, but my assumption is that +90% of the time that's what it will be used for, so while we could be more precise by adding a taint-step from the `input` part of the construction, I'm not sure it's worth it in this case. Furthermore, doing so would break with the current way we model threat-model sources, and how sources are generally modeled in JS... so for a very pretty setup it would require changing all the other `file` threat-model sources to start at the constructors such as `fs.createReadStream()` and have taint-propagation steps towards the actual use (like we do in Python)... I couldn't see an easy path forwards for doing this while keeping the Concepts integration, so I opted for the simpler solution here.
2026-04-29 18:55:14 +02:00 · 2024-10-31 14:29:30 +01:00
parent eca8bf5a35
commit 61e60de969
2 changed files with 12 additions and 10 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.model.yml
+++ b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.model.yml
@@ -8,3 +8,5 @@ extensions:
      - ['fs', 'Member[promises].Member[readFile].ReturnValue.Member[then].Argument[0].Parameter[0]', 'file']
      - ['global', 'Member[process].Member[stdin].Member[read].ReturnValue', 'stdin']
      - ['global', 'Member[process].Member[stdin].Member[on,addListener].WithStringArgument[0=data].Argument[1].Parameter[0]', 'stdin']
+      - ['readline', 'Member[createInterface].ReturnValue.Member[question].Argument[1].Parameter[0]', 'stdin']
+      - ['readline', 'Member[createInterface].ReturnValue.Member[on,addListener].WithStringArgument[0=line].Argument[1].Parameter[0]', 'stdin']