add taint step through the colors library

Erik Krogh Kristensen
2021-06-22 22:55:15 +02:00
parent a21ebbbe8f
commit 626a653401
4 changed files with 48 additions and 23 deletions


@@ -1,4 +1,5 @@
lgtm,codescanning
* The dataflow libraries now model dataflow through console styling libraries.
Affected packages are
[ansi-colors](https://npmjs.com/package/ansi-colors)
[ansi-colors](https://npmjs.com/package/ansi-colors),
[colors](https://npmjs.com/package/colors)


@@ -213,3 +213,18 @@ class AnsiColorsStep extends TaintTracking::SharedTaintStep {
)
}
}
/**
* A step through the [`colors`](https://npmjs.org/package/colors) library.
* This step ignores the `String.prototype` modifying part of the `colors` library.
*/
class ColorsStep extends TaintTracking::SharedTaintStep {
override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(API::CallNode call |
call = API::moduleImport(["colors", "colors/safe"]).getAMember*().getACall()
|
pred = call.getArgument(0) and
succ = call
)
}
}
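Review bot: `ColorsStep` propagates taint only from `call.getArgument(0)`, so a tainted value passed as a second or later argument to a styling call is not tracked. As far as I recall, the `colors` style functions join all of their arguments into the returned string, which would make a call like `colors.red("user:", username)` a missed flow for the log-injection query; this is worth confirming against the library and, if it holds, changing the line to `pred = call.getAnArgument() and`. Separately, `getAMember*().getACall()` also matches non-styling calls on the module (for example `setTheme`), which is a harmless over-approximation but could be stated in the QLDoc, e.g. `* Any call on a (nested) member of the module is treated as a styling call.`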


@@ -22,17 +22,20 @@ nodes
| logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
| logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
| logInjectionBad.js:30:42:30:46 | error |
| logInjectionBad.js:37:9:37:36 | q |
| logInjectionBad.js:37:13:37:36 | url.par ... , true) |
| logInjectionBad.js:37:23:37:29 | req.url |
| logInjectionBad.js:37:23:37:29 | req.url |
| logInjectionBad.js:38:9:38:35 | username |
| logInjectionBad.js:38:20:38:20 | q |
| logInjectionBad.js:38:20:38:26 | q.query |
| logInjectionBad.js:38:20:38:35 | q.query.username |
| logInjectionBad.js:40:18:40:54 | ansiCol ... ername) |
| logInjectionBad.js:40:18:40:54 | ansiCol ... ername) |
| logInjectionBad.js:40:46:40:53 | username |
| logInjectionBad.js:38:9:38:36 | q |
| logInjectionBad.js:38:13:38:36 | url.par ... , true) |
| logInjectionBad.js:38:23:38:29 | req.url |
| logInjectionBad.js:38:23:38:29 | req.url |
| logInjectionBad.js:39:9:39:35 | username |
| logInjectionBad.js:39:20:39:20 | q |
| logInjectionBad.js:39:20:39:26 | q.query |
| logInjectionBad.js:39:20:39:35 | q.query.username |
| logInjectionBad.js:41:18:41:54 | ansiCol ... ername) |
| logInjectionBad.js:41:18:41:54 | ansiCol ... ername) |
| logInjectionBad.js:41:46:41:53 | username |
| logInjectionBad.js:42:18:42:47 | colors. ... ername) |
| logInjectionBad.js:42:18:42:47 | colors. ... ername) |
| logInjectionBad.js:42:39:42:46 | username |
edges
| logInjectionBad.js:19:9:19:36 | q | logInjectionBad.js:20:20:20:20 | q |
| logInjectionBad.js:19:13:19:36 | url.par ... , true) | logInjectionBad.js:19:9:19:36 | q |
@@ -56,20 +59,24 @@ edges
| logInjectionBad.js:29:14:29:18 | error | logInjectionBad.js:30:42:30:46 | error |
| logInjectionBad.js:30:42:30:46 | error | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
| logInjectionBad.js:30:42:30:46 | error | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
| logInjectionBad.js:37:9:37:36 | q | logInjectionBad.js:38:20:38:20 | q |
| logInjectionBad.js:37:13:37:36 | url.par ... , true) | logInjectionBad.js:37:9:37:36 | q |
| logInjectionBad.js:37:23:37:29 | req.url | logInjectionBad.js:37:13:37:36 | url.par ... , true) |
| logInjectionBad.js:37:23:37:29 | req.url | logInjectionBad.js:37:13:37:36 | url.par ... , true) |
| logInjectionBad.js:38:9:38:35 | username | logInjectionBad.js:40:46:40:53 | username |
| logInjectionBad.js:38:20:38:20 | q | logInjectionBad.js:38:20:38:26 | q.query |
| logInjectionBad.js:38:20:38:26 | q.query | logInjectionBad.js:38:20:38:35 | q.query.username |
| logInjectionBad.js:38:20:38:35 | q.query.username | logInjectionBad.js:38:9:38:35 | username |
| logInjectionBad.js:40:46:40:53 | username | logInjectionBad.js:40:18:40:54 | ansiCol ... ername) |
| logInjectionBad.js:40:46:40:53 | username | logInjectionBad.js:40:18:40:54 | ansiCol ... ername) |
| logInjectionBad.js:38:9:38:36 | q | logInjectionBad.js:39:20:39:20 | q |
| logInjectionBad.js:38:13:38:36 | url.par ... , true) | logInjectionBad.js:38:9:38:36 | q |
| logInjectionBad.js:38:23:38:29 | req.url | logInjectionBad.js:38:13:38:36 | url.par ... , true) |
| logInjectionBad.js:38:23:38:29 | req.url | logInjectionBad.js:38:13:38:36 | url.par ... , true) |
| logInjectionBad.js:39:9:39:35 | username | logInjectionBad.js:41:46:41:53 | username |
| logInjectionBad.js:39:9:39:35 | username | logInjectionBad.js:42:39:42:46 | username |
| logInjectionBad.js:39:20:39:20 | q | logInjectionBad.js:39:20:39:26 | q.query |
| logInjectionBad.js:39:20:39:26 | q.query | logInjectionBad.js:39:20:39:35 | q.query.username |
| logInjectionBad.js:39:20:39:35 | q.query.username | logInjectionBad.js:39:9:39:35 | username |
| logInjectionBad.js:41:46:41:53 | username | logInjectionBad.js:41:18:41:54 | ansiCol ... ername) |
| logInjectionBad.js:41:46:41:53 | username | logInjectionBad.js:41:18:41:54 | ansiCol ... ername) |
| logInjectionBad.js:42:39:42:46 | username | logInjectionBad.js:42:18:42:47 | colors. ... ername) |
| logInjectionBad.js:42:39:42:46 | username | logInjectionBad.js:42:18:42:47 | colors. ... ername) |
#select
| logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
| logInjectionBad.js:23:37:23:44 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:23:37:23:44 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
| logInjectionBad.js:24:35:24:42 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:24:35:24:42 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
| logInjectionBad.js:25:36:25:43 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:25:36:25:43 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
| logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
| logInjectionBad.js:40:18:40:54 | ansiCol ... ername) | logInjectionBad.js:37:23:37:29 | req.url | logInjectionBad.js:40:18:40:54 | ansiCol ... ername) | $@ flows to log entry. | logInjectionBad.js:37:23:37:29 | req.url | User-provided value |
| logInjectionBad.js:41:18:41:54 | ansiCol ... ername) | logInjectionBad.js:38:23:38:29 | req.url | logInjectionBad.js:41:18:41:54 | ansiCol ... ername) | $@ flows to log entry. | logInjectionBad.js:38:23:38:29 | req.url | User-provided value |
| logInjectionBad.js:42:18:42:47 | colors. ... ername) | logInjectionBad.js:38:23:38:29 | req.url | logInjectionBad.js:42:18:42:47 | colors. ... ername) | $@ flows to log entry. | logInjectionBad.js:38:23:38:29 | req.url | User-provided value |


@@ -32,10 +32,12 @@ const server = http.createServer((req, res) => {
});
const ansiColors = require('ansi-colors');
const colors = require('colors');
const server2 = http.createServer((req, res) => {
let q = url.parse(req.url, true);
let username = q.query.username;
console.info(ansiColors.yellow.underline(username)); // NOT OK
console.info(colors.red.underline(username)); // NOT OK
});
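Review bot: The new `// NOT OK` line exercises only the `colors` import through a chained call (`colors.red.underline`), while the model added in this commit also lists `colors/safe`, so that import path has no regression test. Consider adding `console.info(require('colors/safe').red(username)); // NOT OK` inside the `server2` handler and regenerating the expected output. The `String.prototype` form is documented as out of scope for the step, so a line such as `console.info(username.red); // NOT OK - but not flagged` would make that known gap visible in the test.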