mirror of
https://github.com/github/codeql.git
synced 2025-12-17 17:23:36 +01:00
add model for the unified and remark libraries
This commit is contained in:
Erik Krogh Kristensen
@@ -48,3 +48,61 @@ private class ShowDownStep extends TaintTracking::AdditionalTaintStep, DataFlow:
|
||||
pred = this.getArgument(0)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Classes and predicates for modelling taint steps in `unified` and `remark`.
|
||||
*/
|
||||
private module Unified {
|
||||
/**
|
||||
* The creation of a parser from `unified`.
|
||||
* The `remark` module is a shorthand that initializes `unified` with a markdown parser.
|
||||
*/
|
||||
DataFlow::CallNode unified() { result = DataFlow::moduleImport(["unified", "remark"]).getACall() }
|
||||
|
||||
/**
|
||||
* A chain of method calls that process an input with `unified`.
|
||||
*/
|
||||
class UnifiedChain extends DataFlow::CallNode {
|
||||
DataFlow::CallNode root;
|
||||
|
||||
UnifiedChain() {
|
||||
root = unified() and
|
||||
this = root.getAChainedMethodCall(["process", "processSync"])
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets a plugin that is used in this chain.
|
||||
*/
|
||||
DataFlow::Node getAUsedPlugin() { result = root.getAChainedMethodCall("use").getArgument(0) }
|
||||
|
||||
/**
|
||||
* Gets the input that is processed.
|
||||
*/
|
||||
DataFlow::Node getInput() { result = getArgument(0) }
|
||||
|
||||
/**
|
||||
* Gets the processed output.
|
||||
*/
|
||||
DataFlow::Node getOutput() {
|
||||
this.getCalleeName() = "process" and result = getABoundCallbackParameter(1, 1)
|
||||
or
|
||||
this.getCalleeName() = "processSync" and result = this
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint step for the `unified` library.
|
||||
*/
|
||||
class UnifiedStep extends TaintTracking::AdditionalTaintStep, UnifiedChain {
|
||||
UnifiedStep() {
|
||||
// sanitizer. Mostly looking for `rehype-sanitize`, but also other plugins with `sanitize` in their name.
|
||||
not this.getAUsedPlugin().getALocalSource() =
|
||||
DataFlow::moduleImport(any(string s | s.matches("%sanitize%")))
|
||||
}
|
||||
|
||||
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
pred = getInput() and
|
||||
succ = getOutput()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -32,6 +32,29 @@ nodes
|
||||
| ReflectedXss.js:42:12:42:39 | convert ... q.body) |
|
||||
| ReflectedXss.js:42:31:42:38 | req.body |
|
||||
| ReflectedXss.js:42:31:42:38 | req.body |
|
||||
| ReflectedXss.js:56:12:56:19 | req.body |
|
||||
| ReflectedXss.js:56:12:56:19 | req.body |
|
||||
| ReflectedXss.js:56:12:56:19 | req.body |
|
||||
| ReflectedXss.js:64:14:64:21 | req.body |
|
||||
| ReflectedXss.js:64:14:64:21 | req.body |
|
||||
| ReflectedXss.js:64:39:64:42 | file |
|
||||
| ReflectedXss.js:65:16:65:19 | file |
|
||||
| ReflectedXss.js:65:16:65:19 | file |
|
||||
| ReflectedXss.js:68:12:68:41 | remark( ... q.body) |
|
||||
| ReflectedXss.js:68:12:68:52 | remark( ... tring() |
|
||||
| ReflectedXss.js:68:12:68:52 | remark( ... tring() |
|
||||
| ReflectedXss.js:68:33:68:40 | req.body |
|
||||
| ReflectedXss.js:68:33:68:40 | req.body |
|
||||
| ReflectedXss.js:72:12:72:56 | unified ... q.body) |
|
||||
| ReflectedXss.js:72:12:72:65 | unified ... oString |
|
||||
| ReflectedXss.js:72:12:72:65 | unified ... oString |
|
||||
| ReflectedXss.js:72:48:72:55 | req.body |
|
||||
| ReflectedXss.js:72:48:72:55 | req.body |
|
||||
| ReflectedXss.js:74:20:74:27 | req.body |
|
||||
| ReflectedXss.js:74:20:74:27 | req.body |
|
||||
| ReflectedXss.js:74:34:74:34 | f |
|
||||
| ReflectedXss.js:75:14:75:14 | f |
|
||||
| ReflectedXss.js:75:14:75:14 | f |
|
||||
| ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
|
||||
| ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
|
||||
| ReflectedXssContentTypes.js:10:24:10:36 | req.params.id |
|
||||
@@ -143,6 +166,23 @@ edges
|
||||
| ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) |
|
||||
| ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) |
|
||||
| ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) |
|
||||
| ReflectedXss.js:56:12:56:19 | req.body | ReflectedXss.js:56:12:56:19 | req.body |
|
||||
| ReflectedXss.js:64:14:64:21 | req.body | ReflectedXss.js:64:39:64:42 | file |
|
||||
| ReflectedXss.js:64:14:64:21 | req.body | ReflectedXss.js:64:39:64:42 | file |
|
||||
| ReflectedXss.js:64:39:64:42 | file | ReflectedXss.js:65:16:65:19 | file |
|
||||
| ReflectedXss.js:64:39:64:42 | file | ReflectedXss.js:65:16:65:19 | file |
|
||||
| ReflectedXss.js:68:12:68:41 | remark( ... q.body) | ReflectedXss.js:68:12:68:52 | remark( ... tring() |
|
||||
| ReflectedXss.js:68:12:68:41 | remark( ... q.body) | ReflectedXss.js:68:12:68:52 | remark( ... tring() |
|
||||
| ReflectedXss.js:68:33:68:40 | req.body | ReflectedXss.js:68:12:68:41 | remark( ... q.body) |
|
||||
| ReflectedXss.js:68:33:68:40 | req.body | ReflectedXss.js:68:12:68:41 | remark( ... q.body) |
|
||||
| ReflectedXss.js:72:12:72:56 | unified ... q.body) | ReflectedXss.js:72:12:72:65 | unified ... oString |
|
||||
| ReflectedXss.js:72:12:72:56 | unified ... q.body) | ReflectedXss.js:72:12:72:65 | unified ... oString |
|
||||
| ReflectedXss.js:72:48:72:55 | req.body | ReflectedXss.js:72:12:72:56 | unified ... q.body) |
|
||||
| ReflectedXss.js:72:48:72:55 | req.body | ReflectedXss.js:72:12:72:56 | unified ... q.body) |
|
||||
| ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:74:34:74:34 | f |
|
||||
| ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:74:34:74:34 | f |
|
||||
| ReflectedXss.js:74:34:74:34 | f | ReflectedXss.js:75:14:75:14 | f |
|
||||
| ReflectedXss.js:74:34:74:34 | f | ReflectedXss.js:75:14:75:14 | f |
|
||||
| ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
|
||||
| ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
|
||||
| ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
|
||||
@@ -227,6 +267,11 @@ edges
|
||||
| ReflectedXss.js:34:12:34:18 | mytable | ReflectedXss.js:32:14:32:21 | req.body | ReflectedXss.js:34:12:34:18 | mytable | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:32:14:32:21 | req.body | user-provided value |
|
||||
| ReflectedXss.js:41:12:41:19 | req.body | ReflectedXss.js:41:12:41:19 | req.body | ReflectedXss.js:41:12:41:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:41:12:41:19 | req.body | user-provided value |
|
||||
| ReflectedXss.js:42:12:42:39 | convert ... q.body) | ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:42:31:42:38 | req.body | user-provided value |
|
||||
| ReflectedXss.js:56:12:56:19 | req.body | ReflectedXss.js:56:12:56:19 | req.body | ReflectedXss.js:56:12:56:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:56:12:56:19 | req.body | user-provided value |
|
||||
| ReflectedXss.js:65:16:65:19 | file | ReflectedXss.js:64:14:64:21 | req.body | ReflectedXss.js:65:16:65:19 | file | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:64:14:64:21 | req.body | user-provided value |
|
||||
| ReflectedXss.js:68:12:68:52 | remark( ... tring() | ReflectedXss.js:68:33:68:40 | req.body | ReflectedXss.js:68:12:68:52 | remark( ... tring() | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:68:33:68:40 | req.body | user-provided value |
|
||||
| ReflectedXss.js:72:12:72:65 | unified ... oString | ReflectedXss.js:72:48:72:55 | req.body | ReflectedXss.js:72:12:72:65 | unified ... oString | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:72:48:72:55 | req.body | user-provided value |
|
||||
| ReflectedXss.js:75:14:75:14 | f | ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:75:14:75:14 | f | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:74:20:74:27 | req.body | user-provided value |
|
||||
| ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
|
||||
| ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
|
||||
| ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
|
||||
|
||||
@@ -41,3 +41,37 @@ app.get('/user/:id', function(req, res) {
|
||||
res.send(req.body); // NOT OK
|
||||
res.send(converter.makeHtml(req.body)); // NOT OK
|
||||
});
|
||||
|
||||
var unified = require('unified');
|
||||
var markdown = require('remark-parse');
|
||||
var remark2rehype = require('remark-rehype');
|
||||
var doc = require('rehype-document');
|
||||
var format = require('rehype-format');
|
||||
var html = require('rehype-stringify');
|
||||
var remark = require("remark");
|
||||
var sanitize = require("rehype-sanitize");
|
||||
const { resetExtensions } = require('showdown');
|
||||
|
||||
app.get('/user/:id', function (req, res) {
|
||||
res.send(req.body); // NOT OK
|
||||
|
||||
unified()
|
||||
.use(markdown)
|
||||
.use(remark2rehype)
|
||||
.use(doc, { title: '👋🌍' })
|
||||
.use(format)
|
||||
.use(html)
|
||||
.process(req.body, function (err, file) {
|
||||
res.send(file); // NOT OK
|
||||
});
|
||||
|
||||
res.send(remark().processSync(req.body).toString()); // NOT OK
|
||||
|
||||
res.send(remark().use(sanitize).processSync(req.body).toString()); // OK
|
||||
|
||||
res.send(unified().use(markdown).processSync(req.body).toString); // NOT OK
|
||||
|
||||
remark().process(req.body, (e, f) => {
|
||||
res.send(f); // NOT OK
|
||||
})
|
||||
});
|
||||
|
||||
@@ -6,6 +6,11 @@
|
||||
| ReflectedXss.js:34:12:34:18 | mytable | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:32:14:32:21 | req.body | user-provided value |
|
||||
| ReflectedXss.js:41:12:41:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:41:12:41:19 | req.body | user-provided value |
|
||||
| ReflectedXss.js:42:12:42:39 | convert ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:42:31:42:38 | req.body | user-provided value |
|
||||
| ReflectedXss.js:56:12:56:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:56:12:56:19 | req.body | user-provided value |
|
||||
| ReflectedXss.js:65:16:65:19 | file | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:64:14:64:21 | req.body | user-provided value |
|
||||
| ReflectedXss.js:68:12:68:52 | remark( ... tring() | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:68:33:68:40 | req.body | user-provided value |
|
||||
| ReflectedXss.js:72:12:72:65 | unified ... oString | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:72:48:72:55 | req.body | user-provided value |
|
||||
| ReflectedXss.js:75:14:75:14 | f | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:74:20:74:27 | req.body | user-provided value |
|
||||
| ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
|
||||
| ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
|
||||
| ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
|
||||
|
||||
Reference in New Issue
Block a user