hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9756 from erik-krogh/greyMatter

Browse Source 
JS: add model for the gray-matter library to js/code-injection
This commit is contained in:
Erik Krogh Kristensen
2022-07-01 12:19:12 +02:00
committed by GitHub
parent df78b7e54b 11be15aab1
commit 7dd095c0d2
4 changed files with 46 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
javascript/ql/lib/change-notes/2022-06-22-sensitive-common-words copy.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The `gray-matter` library is now modeled as a sink for the `js/code-injection` query.

12
javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
View File

@@ -51,6 +51,18 @@ module CodeInjection {
}
}
/** An expression parsed by the `gray-matter` library. */
class GrayMatterSink extends Sink {
GrayMatterSink() {
exists(API::CallNode call |
call = DataFlow::moduleImport("gray-matter").getACall() and
this = call.getArgument(0) and
// if the js/javascript engine is set, then we assume they are set to something safe.
not exists(call.getParameter(1).getMember("engines").getMember(["js", "javascript"]))
)
}
}
/**
* A template tag occurring in JS code, viewed as a code injection sink.
*/

9
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/UnsafeCodeConstruction.expected
View File

@@ -11,6 +11,10 @@ nodes
| lib/index.js:13:38:13:41 | data |
| lib/index.js:14:21:14:24 | data |
| lib/index.js:14:21:14:24 | data |
| lib/index.js:19:26:19:29 | data |
| lib/index.js:19:26:19:29 | data |
| lib/index.js:22:7:22:10 | data |
| lib/index.js:22:7:22:10 | data |
edges
| lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
| lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
@@ -24,7 +28,12 @@ edges
| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
| lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data |
| lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data |
| lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data |
| lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data |
#select
| lib/index.js:2:21:2:24 | data | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data | $@ flows to here and is later $@. | lib/index.js:1:35:1:38 | data | Library input | lib/index.js:2:15:2:30 | "(" + data + ")" | interpreted as code |
| lib/index.js:6:26:6:29 | name | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name | $@ flows to here and is later $@. | lib/index.js:5:35:5:38 | name | Library input | lib/index.js:6:17:6:29 | "obj." + name | interpreted as code |
| lib/index.js:14:21:14:24 | data | lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data | $@ flows to here and is later $@. | lib/index.js:13:38:13:41 | data | Library input | lib/index.js:14:15:14:30 | "(" + data + ")" | interpreted as code |
| lib/index.js:22:7:22:10 | data | lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data | $@ flows to here and is later $@. | lib/index.js:19:26:19:29 | data | Library input | lib/index.js:25:24:25:26 | str | interpreted as code |

22
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js
View File

@@ -12,4 +12,24 @@ export function safeAssignment(obj, value) {
global.unsafeDeserialize = function (data) {
return eval("(" + data + ")"); // NOT OK
}
}
const matter = require("gray-matter");
export function greySink(data) {
const str = `
---js
${data}
---
`
const res = matter(str);
console.log(res);
matter(str, { // OK
engines: {
js: function (data) {
console.log("NOPE");
}
}
});
}