add model for the unified and remark libraries

javascript/ql/src/semmle/javascript/frameworks/Markdown.qll

@@ -48,3 +48,61 @@ private class ShowDownStep extends TaintTracking::AdditionalTaintStep, DataFlow:
     pred = this.getArgument(0)
   }
 }
+
+/**
+ * Classes and predicates for modelling taint steps in `unified` and `remark`.
+ */
+private module Unified {
+  /**
+   * The creation of a parser from `unified`.
+   * The `remark` module is a shorthand that initializes `unified` with a markdown parser.
+   */
+  DataFlow::CallNode unified() { result = DataFlow::moduleImport(["unified", "remark"]).getACall() }
+
+  /**
+   * A chain of method calls that process an input with `unified`.
+   */
+  class UnifiedChain extends DataFlow::CallNode {
+    DataFlow::CallNode root;
+
+    UnifiedChain() {
+      root = unified() and
+      this = root.getAChainedMethodCall(["process", "processSync"])
+    }
+
+    /**
+     * Gets a plugin that is used in this chain.
+     */
+    DataFlow::Node getAUsedPlugin() { result = root.getAChainedMethodCall("use").getArgument(0) }
+
+    /**
+     * Gets the input that is processed.
+     */
+    DataFlow::Node getInput() { result = getArgument(0) }
+
+    /**
+     * Gets the processed output.
+     */
+    DataFlow::Node getOutput() {
+      this.getCalleeName() = "process" and result = getABoundCallbackParameter(1, 1)
+      or
+      this.getCalleeName() = "processSync" and result = this
+    }
+  }
+
+  /**
+   * A taint step for the `unified` library.
+   */
+  class UnifiedStep extends TaintTracking::AdditionalTaintStep, UnifiedChain {
+    UnifiedStep() {
+      // sanitizer. Mostly looking for `rehype-sanitize`, but also other plugins with `sanitize` in their name.
+      not this.getAUsedPlugin().getALocalSource() =
+        DataFlow::moduleImport(any(string s | s.matches("%sanitize%")))
+    }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      pred = getInput() and
+      succ = getOutput()
+    }
+  }
+}

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected

@@ -32,6 +32,29 @@ nodes
 | ReflectedXss.js:42:12:42:39 | convert ... q.body) |
 | ReflectedXss.js:42:31:42:38 | req.body |
 | ReflectedXss.js:42:31:42:38 | req.body |
+| ReflectedXss.js:56:12:56:19 | req.body |
+| ReflectedXss.js:56:12:56:19 | req.body |
+| ReflectedXss.js:56:12:56:19 | req.body |
+| ReflectedXss.js:64:14:64:21 | req.body |
+| ReflectedXss.js:64:14:64:21 | req.body |
+| ReflectedXss.js:64:39:64:42 | file |
+| ReflectedXss.js:65:16:65:19 | file |
+| ReflectedXss.js:65:16:65:19 | file |
+| ReflectedXss.js:68:12:68:41 | remark( ... q.body) |
+| ReflectedXss.js:68:12:68:52 | remark( ... tring() |
+| ReflectedXss.js:68:12:68:52 | remark( ... tring() |
+| ReflectedXss.js:68:33:68:40 | req.body |
+| ReflectedXss.js:68:33:68:40 | req.body |
+| ReflectedXss.js:72:12:72:56 | unified ... q.body) |
+| ReflectedXss.js:72:12:72:65 | unified ... oString |
+| ReflectedXss.js:72:12:72:65 | unified ... oString |
+| ReflectedXss.js:72:48:72:55 | req.body |
+| ReflectedXss.js:72:48:72:55 | req.body |
+| ReflectedXss.js:74:20:74:27 | req.body |
+| ReflectedXss.js:74:20:74:27 | req.body |
+| ReflectedXss.js:74:34:74:34 | f |
+| ReflectedXss.js:75:14:75:14 | f |
+| ReflectedXss.js:75:14:75:14 | f |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id |
@@ -143,6 +166,23 @@ edges
 | ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) |
 | ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) |
 | ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) |
+| ReflectedXss.js:56:12:56:19 | req.body | ReflectedXss.js:56:12:56:19 | req.body |
+| ReflectedXss.js:64:14:64:21 | req.body | ReflectedXss.js:64:39:64:42 | file |
+| ReflectedXss.js:64:14:64:21 | req.body | ReflectedXss.js:64:39:64:42 | file |
+| ReflectedXss.js:64:39:64:42 | file | ReflectedXss.js:65:16:65:19 | file |
+| ReflectedXss.js:64:39:64:42 | file | ReflectedXss.js:65:16:65:19 | file |
+| ReflectedXss.js:68:12:68:41 | remark( ... q.body) | ReflectedXss.js:68:12:68:52 | remark( ... tring() |
+| ReflectedXss.js:68:12:68:41 | remark( ... q.body) | ReflectedXss.js:68:12:68:52 | remark( ... tring() |
+| ReflectedXss.js:68:33:68:40 | req.body | ReflectedXss.js:68:12:68:41 | remark( ... q.body) |
+| ReflectedXss.js:68:33:68:40 | req.body | ReflectedXss.js:68:12:68:41 | remark( ... q.body) |
+| ReflectedXss.js:72:12:72:56 | unified ... q.body) | ReflectedXss.js:72:12:72:65 | unified ... oString |
+| ReflectedXss.js:72:12:72:56 | unified ... q.body) | ReflectedXss.js:72:12:72:65 | unified ... oString |
+| ReflectedXss.js:72:48:72:55 | req.body | ReflectedXss.js:72:12:72:56 | unified ... q.body) |
+| ReflectedXss.js:72:48:72:55 | req.body | ReflectedXss.js:72:12:72:56 | unified ... q.body) |
+| ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:74:34:74:34 | f |
+| ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:74:34:74:34 | f |
+| ReflectedXss.js:74:34:74:34 | f | ReflectedXss.js:75:14:75:14 | f |
+| ReflectedXss.js:74:34:74:34 | f | ReflectedXss.js:75:14:75:14 | f |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
@@ -227,6 +267,11 @@ edges
 | ReflectedXss.js:34:12:34:18 | mytable | ReflectedXss.js:32:14:32:21 | req.body | ReflectedXss.js:34:12:34:18 | mytable | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:32:14:32:21 | req.body | user-provided value |
 | ReflectedXss.js:41:12:41:19 | req.body | ReflectedXss.js:41:12:41:19 | req.body | ReflectedXss.js:41:12:41:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:41:12:41:19 | req.body | user-provided value |
 | ReflectedXss.js:42:12:42:39 | convert ... q.body) | ReflectedXss.js:42:31:42:38 | req.body | ReflectedXss.js:42:12:42:39 | convert ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:42:31:42:38 | req.body | user-provided value |
+| ReflectedXss.js:56:12:56:19 | req.body | ReflectedXss.js:56:12:56:19 | req.body | ReflectedXss.js:56:12:56:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:56:12:56:19 | req.body | user-provided value |
+| ReflectedXss.js:65:16:65:19 | file | ReflectedXss.js:64:14:64:21 | req.body | ReflectedXss.js:65:16:65:19 | file | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:64:14:64:21 | req.body | user-provided value |
+| ReflectedXss.js:68:12:68:52 | remark( ... tring() | ReflectedXss.js:68:33:68:40 | req.body | ReflectedXss.js:68:12:68:52 | remark( ... tring() | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:68:33:68:40 | req.body | user-provided value |
+| ReflectedXss.js:72:12:72:65 | unified ... oString | ReflectedXss.js:72:48:72:55 | req.body | ReflectedXss.js:72:12:72:65 | unified ... oString | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:72:48:72:55 | req.body | user-provided value |
+| ReflectedXss.js:75:14:75:14 | f | ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:75:14:75:14 | f | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:74:20:74:27 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js

@@ -41,3 +41,37 @@ app.get('/user/:id', function(req, res) {
   res.send(req.body); // NOT OK
   res.send(converter.makeHtml(req.body)); // NOT OK
 });
+
+var unified = require('unified');
+var markdown = require('remark-parse');
+var remark2rehype = require('remark-rehype');
+var doc = require('rehype-document');
+var format = require('rehype-format');
+var html = require('rehype-stringify');
+var remark = require("remark");
+var sanitize = require("rehype-sanitize");
+const { resetExtensions } = require('showdown');
+
+app.get('/user/:id', function (req, res) {
+  res.send(req.body); // NOT OK
+
+  unified()
+    .use(markdown)
+    .use(remark2rehype)
+    .use(doc, { title: '👋🌍' })
+    .use(format)
+    .use(html)
+    .process(req.body, function (err, file) {
+      res.send(file); // NOT OK
+    });
+
+  res.send(remark().processSync(req.body).toString()); // NOT OK
+
+  res.send(remark().use(sanitize).processSync(req.body).toString()); // OK
+
+  res.send(unified().use(markdown).processSync(req.body).toString); // NOT OK
+
+  remark().process(req.body, (e, f) => {
+    res.send(f); // NOT OK
+  })
+});

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected

@@ -6,6 +6,11 @@
 | ReflectedXss.js:34:12:34:18 | mytable | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:32:14:32:21 | req.body | user-provided value |
 | ReflectedXss.js:41:12:41:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:41:12:41:19 | req.body | user-provided value |
 | ReflectedXss.js:42:12:42:39 | convert ... q.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:42:31:42:38 | req.body | user-provided value |
+| ReflectedXss.js:56:12:56:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:56:12:56:19 | req.body | user-provided value |
+| ReflectedXss.js:65:16:65:19 | file | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:64:14:64:21 | req.body | user-provided value |
+| ReflectedXss.js:68:12:68:52 | remark( ... tring() | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:68:33:68:40 | req.body | user-provided value |
+| ReflectedXss.js:72:12:72:65 | unified ... oString | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:72:48:72:55 | req.body | user-provided value |
+| ReflectedXss.js:75:14:75:14 | f | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:74:20:74:27 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |