Merge pull request #5685 from erik-krogh/markdownIt

Approved by asgerf
2026-04-29 10:45:15 +02:00 · 2021-04-22 14:55:31 -07:00
parent 3e4ff9e472 357e1c0802
commit 635fb4c25a
5 changed files with 98 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
@@ -118,3 +118,43 @@ private class SnarkdownStep extends TaintTracking::SharedTaintStep {
    )
  }
 }
+
+/**
+ * Classes and predicates for modelling taint steps the `markdown-it` library.
+ */
+private module MarkdownIt {
+  /**
+   * The creation of a parser from `markdown-it`.
+   */
+  private API::Node markdownIt() {
+    exists(API::InvokeNode call |
+      call = API::moduleImport("markdown-it").getAnInvocation()
+      or
+      call = API::moduleImport("markdown-it").getMember("Markdown").getAnInvocation()
+    |
+      call.getParameter(0).getMember("html").getARhs().mayHaveBooleanValue(true) and
+      result = call.getReturn()
+    )
+    or
+    exists(API::CallNode call |
+      call = markdownIt().getMember(["use", "set", "configure", "enable", "disable"]).getACall() and
+      result = call.getReturn() and
+      not call.getParameter(0).getAValueReachingRhs() =
+        DataFlow::moduleImport("markdown-it-sanitizer")
+    )
+  }
+
+  /**
+   * A taint step for the `markdown-it` library.
+   */
+  private class MarkdownItStep extends TaintTracking::SharedTaintStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(API::CallNode call |
+        call = markdownIt().getMember(["render", "renderInline"]).getACall()
+      |
+        succ = call and
+        pred = call.getArgument(0)
+      )
+    }
+  }
+}