Merge pull request #13157 from jcogs33/jcogs33/update-javascript-sink-kinds

JS: update MaD sink kinds

docs/codeql/codeql-language-guides/customizing-library-models-for-javascript.rst

@@ -53,7 +53,7 @@ Note that this sink is already recognized by the CodeQL JS analysis, but for thi
         pack: codeql/javascript-all
         extensible: sinkModel
       data:
-        - ["execa", "Member[shell].Argument[0]", "command-line-injection"]
+        - ["execa", "Member[shell].Argument[0]", "command-injection"]
 
 
 - Since we're adding a new sink, we add a tuple to the **sinkModel** extensible predicate.
@@ -64,7 +64,7 @@ Note that this sink is already recognized by the CodeQL JS analysis, but for thi
   - **Member[shell]** selects accesses to the **shell** member of the **execa** package.
   - **Argument[0]** selects the first argument to calls to that member.
 
-- **command-line-injection** indicates that this is considered a sink for the command injection query.
+- **command-injection** indicates that this is considered a sink for the command injection query.
 
 Example: Taint sources from window 'message' events
 ---------------------------------------------------
@@ -463,7 +463,7 @@ Sink kinds
 Unlike sources, sinks tend to be highly query-specific, rarely affecting more than one or two queries. Not every query supports customizable sinks. If the following sinks are not suitable for your use case, you should add a new query.
 
 - **code-injection**: A sink that can be used to inject code, such as in calls to **eval**.
-- **command-line-injection**: A sink that can be used to inject shell commands, such as in calls to **child_process.spawn**.
+- **command-injection**: A sink that can be used to inject shell commands, such as in calls to **child_process.spawn**.
 - **path-injection**: A sink that can be used for path injection in a file system access, such as in calls to **fs.readFile**.
 - **sql-injection**: A sink that can be used for SQL injection, such as in a MySQL **query** call.
 - **nosql-injection**: A sink that can be used for NoSQL injection, such as in a MongoDB **findOne** call.

javascript/ql/lib/change-notes/2023-05-12-update-js-sink-kinds.md

@@ -0,0 +1,6 @@
+---
+category: minorAnalysis
+---
+* Updated the following JavaScript sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
+  * `command-line-injection` to `command-injection`
+  * `credentials[kind]` to `credentials-kind`

javascript/ql/lib/semmle/javascript/frameworks/Credentials.qll

@@ -46,7 +46,7 @@ module CredentialsExpr {
 private class CredentialsFromModel extends CredentialsNode {
   string kind;
 
-  CredentialsFromModel() { this = ModelOutput::getASinkNode("credentials[" + kind + "]").asSink() }
+  CredentialsFromModel() { this = ModelOutput::getASinkNode("credentials-" + kind).asSink() }
 
   override string getCredentialsKind() { result = CredentialsExpr::normalizeKind(kind) }
 }

javascript/ql/lib/semmle/javascript/frameworks/sequelize/model.json

@@ -19,10 +19,10 @@
             "sequelize.Sequelize;Member[query].Argument[0].Member[query];sql-injection",
             "sequelize.Sequelize;Member[query].Argument[0];sql-injection",
             "sequelize.SequelizeStaticAndInstance;Member[asIs,literal].Argument[0];sql-injection",
-            "sequelize;Argument[0..].Member[password];credentials[password]",
-            "sequelize;Argument[0..].Member[username];credentials[username]",
-            "sequelize;Argument[1];credentials[username]",
-            "sequelize;Argument[2];credentials[password]"
+            "sequelize;Argument[0..].Member[password];credentials-password",
+            "sequelize;Argument[0..].Member[username];credentials-username",
+            "sequelize;Argument[1];credentials-username",
+            "sequelize;Argument[2];credentials-password"
         ],
         "typeDefinitions": [
             "sequelize.Sequelize;sequelize-typescript.Sequelize;"

javascript/ql/lib/semmle/javascript/frameworks/sequelize/model.yml

@@ -1,17 +1,17 @@
 extensions:
-  - addsTo: 
+  - addsTo:
       pack: codeql/javascript-all
       extensible: sinkModel
     data:
       - [sequelize.Sequelize, "Member[query].Argument[0].Member[query]", "sql-injection"]
       - [sequelize.Sequelize, "Member[query].Argument[0]", "sql-injection"]
       - [sequelize.SequelizeStaticAndInstance, "Member[asIs,literal].Argument[0]", "sql-injection"]
-      - [sequelize, "Argument[0..].Member[password]", "credentials[password]"]
-      - [sequelize, "Argument[0..].Member[username]", "credentials[username]"]
-      - [sequelize, "Argument[1]", "credentials[username]"]
-      - [sequelize, "Argument[2]", "credentials[password]"]
+      - [sequelize, "Argument[0..].Member[password]", "credentials-password"]
+      - [sequelize, "Argument[0..].Member[username]", "credentials-username"]
+      - [sequelize, "Argument[1]", "credentials-username"]
+      - [sequelize, "Argument[2]", "credentials-password"]
 
-  - addsTo: 
+  - addsTo:
       pack: codeql/javascript-all
       extensible: typeModel
     data:
@@ -264,7 +264,7 @@ extensions:
       - [sequelize.ThroughOptions, sequelize.AssociationOptionsBelongsToMany, "Member[through]"]
       - [sequelize.Utils, sequelize.SequelizeStaticAndInstance, "Member[Utils]"]
 
-  - addsTo: 
+  - addsTo:
       pack: codeql/javascript-all
       extensible: summaryModel
     data:
@@ -274,7 +274,7 @@ extensions:
       - [sequelize.Model, "", "", "Member[schema,scope,unscoped].ReturnValue", type]
       - [sequelize.Model, "", "", "Member[sync].ReturnValue.Awaited", type]
 
-  - addsTo: 
+  - addsTo:
       pack: codeql/javascript-all
       extensible: typeVariableModel
     data:

javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll

@@ -49,6 +49,6 @@ module CommandInjection {
   }
 
   private class SinkFromModel extends Sink {
-    SinkFromModel() { this = ModelOutput::getASinkNode("command-line-injection").asSink() }
+    SinkFromModel() { this = ModelOutput::getASinkNode("command-injection").asSink() }
   }
 }

javascript/ql/test/library-tests/DataExtensions/execa.model.yml

@@ -6,5 +6,5 @@ extensions:
       - [
           "@example/execa",
           "Member[shell].Argument[0]",
-          "command-line-injection",
+          "command-injection",
         ]