Merge pull request #9756 from erik-krogh/greyMatter

JS: add model for the gray-matter library to js/code-injection
2026-05-04 05:05:12 +02:00 · 2022-07-01 12:19:12 +02:00
parent df78b7e54b 11be15aab1
commit 7dd095c0d2
4 changed files with 46 additions and 1 deletions
--- a/javascript/ql/lib/change-notes/2022-06-22-sensitive-common-words
+++ b/javascript/ql/lib/change-notes/2022-06-22-sensitive-common-words
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `gray-matter` library is now modeled as a sink for the `js/code-injection` query.
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -51,6 +51,18 @@ module CodeInjection {
    }
  }

+  /** An expression parsed by the `gray-matter` library. */
+  class GrayMatterSink extends Sink {
+    GrayMatterSink() {
+      exists(API::CallNode call |
+        call = DataFlow::moduleImport("gray-matter").getACall() and
+        this = call.getArgument(0) and
+        // if the js/javascript engine is set, then we assume they are set to something safe.
+        not exists(call.getParameter(1).getMember("engines").getMember(["js", "javascript"]))
+      )
+    }
+  }
+
  /**
   * A template tag occurring in JS code, viewed as a code injection sink.
   */