Merge pull request #13157 from jcogs33/jcogs33/update-javascript-sink-kinds

JS: update MaD sink kinds
Jami
2023-06-01 15:04:19 -04:00
committed by GitHub
7 changed files with 24 additions and 18 deletions


@@ -53,7 +53,7 @@ Note that this sink is already recognized by the CodeQL JS analysis, but for thi
pack: codeql/javascript-all
extensible: sinkModel
data:
- ["execa", "Member[shell].Argument[0]", "command-line-injection"]
- ["execa", "Member[shell].Argument[0]", "command-injection"]
- Since we're adding a new sink, we add a tuple to the **sinkModel** extensible predicate.
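Review bot: the change to the `execa` example tuple renames the sink kind from `command-line-injection` to `command-injection` without saying what happens to existing user extension files that still use the old string; if the JS library no longer accepts `command-line-injection`, those models would silently stop producing results, so the surrounding guide (or the PR description) should state whether the old kind is still recognised or has been dropped, and the lead-in sentence at the top of this hunk could point readers at the renamed kind explicitly.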
@@ -64,7 +64,7 @@ Note that this sink is already recognized by the CodeQL JS analysis, but for thi
- **Member[shell]** selects accesses to the **shell** member of the **execa** package.
- **Argument[0]** selects the first argument to calls to that member.
- **command-line-injection** indicates that this is considered a sink for the command injection query.
- **command-injection** indicates that this is considered a sink for the command injection query.
Example: Taint sources from window 'message' events
---------------------------------------------------
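Review bot: the bullet text here changes only the bolded kind name and still says "considered a sink for the command injection query", which matches the renamed kind, but the wording should be cross-checked against the kind list later in the same file so the bullet and the list describe `command-injection` identically; a reader who copies the bullet will otherwise not know which query name to expect in results.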
@@ -463,7 +463,7 @@ Sink kinds
Unlike sources, sinks tend to be highly query-specific, rarely affecting more than one or two queries. Not every query supports customizable sinks. If the following sinks are not suitable for your use case, you should add a new query.
- **code-injection**: A sink that can be used to inject code, such as in calls to **eval**.
- **command-line-injection**: A sink that can be used to inject shell commands, such as in calls to **child_process.spawn**.
- **command-injection**: A sink that can be used to inject shell commands, such as in calls to **child_process.spawn**.
- **path-injection**: A sink that can be used for path injection in a file system access, such as in calls to **fs.readFile**.
- **sql-injection**: A sink that can be used for SQL injection, such as in a MySQL **query** call.
- **nosql-injection**: A sink that can be used for NoSQL injection, such as in a MongoDB **findOne** call.
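Review bot: with the documented kind now spelled `command-injection` in the "Sink kinds" list, the shipped model YAML files that carry `sinkModel` rows (not shown on this page; the header reports 7 changed files) need the same string, otherwise the documentation and the data it describes diverge; the entry's description ("inject shell commands, such as in calls to child_process.spawn") is unchanged and still accurate for the renamed kind, so only the identifier needs to stay consistent across the PR.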