Add models for webix

Co-authored-by: Kevin Stubbings <Kwstubbs@users.noreply.github.com>
2026-04-30 11:15:13 +02:00 · 2023-06-22 01:07:33 +02:00
parent 318a60b208
commit 6947e99c15
9 changed files with 145 additions and 77 deletions
--- a/javascript/ql/lib/javascript.qll
+++ b/javascript/ql/lib/javascript.qll
@@ -134,6 +134,7 @@ import semmle.javascript.frameworks.TrustedTypes
 import semmle.javascript.frameworks.UriLibraries
 import semmle.javascript.frameworks.Vue
 import semmle.javascript.frameworks.Vuex
+import semmle.javascript.frameworks.Webix
 import semmle.javascript.frameworks.WebSocket
 import semmle.javascript.frameworks.XmlParsers
 import semmle.javascript.frameworks.xUnit
--- a/javascript/ql/lib/semmle/javascript/Extend.qll
+++ b/javascript/ql/lib/semmle/javascript/Extend.qll
@@ -96,7 +96,8 @@ private class ExtendCallDeep extends ExtendCall {
      callee = LodashUnderscore::member("merge") or
      callee = LodashUnderscore::member("mergeWith") or
      callee = LodashUnderscore::member("defaultsDeep") or
-      callee = AngularJS::angular().getAPropertyRead("merge")
+      callee = AngularJS::angular().getAPropertyRead("merge") or
+      callee = DataFlow::moduleImport("webix").getAPropertyRead("extend")
    )
  }

--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -312,6 +312,13 @@ module CodeInjection {
    }
  }

+  /**
+   * A value interpreted as code by the `webix` library.
+   */
+  class WebixExec extends Sink {
+    WebixExec() { this = DataFlow::moduleImport("webix").getAMemberCall("exec").getArgument(0) }
+  }
+
  /** A sink for code injection via template injection. */
  abstract private class TemplateSink extends Sink {
    deprecated override string getMessageSuffix() {
@@ -419,6 +426,23 @@ module CodeInjection {
    }
  }

+  /**
+   * A value interpreted as a template by the `webix` library.
+   */
+  class WebixTemplateSink extends TemplateSink {
+    WebixTemplateSink() {
+      this = DataFlow::moduleImport("webix").getAMemberCall("ui").getOptionArgument(0, "template")
+      or
+      this.asExpr() =
+        DataFlow::moduleImport("webix")
+            .getAMemberCall("ui")
+            .getOptionArgument(0, "template")
+            .asExpr()
+            .(Function)
+            .getAReturnedExpr()
+    }
+  }
+
  /**
   * A call to JSON.stringify() seen as a sanitizer.
   */
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionCustomizations.qll
@@ -171,5 +171,9 @@ module PrototypePollution {
    call.isDeep() and
    call = AngularJS::angular().getAMemberCall("merge") and
    id = "angular"
+    or
+    call.isDeep() and
+    call = DataFlow::moduleImport("webix").getAMemberCall("extend") and
+    id = "webix"
  }
 }