hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #20397 from asgerf/js/build-artifact-leak-fp

Browse Source 
JS: Fix FP in js/build-artifact-leak when keys come from an array of constants
This commit is contained in:
Asger F
2025-10-28 06:40:13 +01:00
committed by GitHub
parent 227e1fcbde 2a4d6830ec
commit 8d49f26f3d
4 changed files with 30 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
View File

@@ -247,10 +247,24 @@ module CleartextLogging {
reduceCall.getABoundCallbackParameter(0, 1) = name reduceCall.getABoundCallbackParameter(0, 1) = name
| |
reduceCall.getReceiver+().(DataFlow::MethodCallNode).getMethodName() = "filter" reduceCall.getReceiver+().(DataFlow::MethodCallNode).getMethodName() = "filter"
or
isArrayOfConstants(reduceCall.getReceiver+())
) )
or or
exists(StringOps::RegExpTest test | test.getStringOperand().getALocalSource() = name) exists(StringOps::RegExpTest test | test.getStringOperand().getALocalSource() = name)
or or
exists(MembershipCandidate test | test.getAMemberNode().getALocalSource() = name) exists(MembershipCandidate test | test.getAMemberNode().getALocalSource() = name)
} }
private predicate isArrayOfConstants(DataFlow::ArrayCreationNode array) {
forex(DataFlow::Node node |
node =
[
array.getAnElement(), array.getAPropertyWrite().getRhs(),
array.getAMethodCall("push").getArgument(0)
]
|
exists(node.getStringValue())
)
}
} }

8
javascript/ql/test/query-tests/Security/CWE-312/BuildArtifactLeak.expected
View File

@@ -1,3 +1,7 @@
#select
| build-leaks.js:4:39:6:1 | {\\n " ... leak]\\n} | build-leaks.js:5:35:5:45 | process.env | build-leaks.js:4:39:6:1 | {\\n " ... leak]\\n} | This creates a build artifact that depends on $@. | build-leaks.js:5:35:5:45 | process.env | sensitive data returned byprocess environment |
| build-leaks.js:34:26:34:57 | getEnv( ... ngified | build-leaks.js:15:24:15:34 | process.env | build-leaks.js:34:26:34:57 | getEnv( ... ngified | This creates a build artifact that depends on $@. | build-leaks.js:15:24:15:34 | process.env | sensitive data returned byprocess environment |
| build-leaks.js:41:43:41:86 | { "proc ... y(pw) } | build-leaks.js:40:14:40:60 | url.par ... assword | build-leaks.js:41:43:41:86 | { "proc ... y(pw) } | This creates a build artifact that depends on $@. | build-leaks.js:40:14:40:60 | url.par ... assword | sensitive data returned byan access to current_password |
edges edges
| build-leaks.js:5:20:5:46 | JSON.st ... ss.env) | build-leaks.js:4:39:6:1 | {\\n " ... leak]\\n} | provenance | | | build-leaks.js:5:20:5:46 | JSON.st ... ss.env) | build-leaks.js:4:39:6:1 | {\\n " ... leak]\\n} | provenance | |
| build-leaks.js:5:35:5:45 | process.env | build-leaks.js:5:20:5:46 | JSON.st ... ss.env) | provenance | | | build-leaks.js:5:35:5:45 | process.env | build-leaks.js:5:20:5:46 | JSON.st ... ss.env) | provenance | |
@@ -53,7 +57,3 @@ nodes
subpaths subpaths
| build-leaks.js:22:36:22:38 | raw | build-leaks.js:22:49:22:51 | env | build-leaks.js:24:20:24:22 | env | build-leaks.js:22:24:25:14 | Object. ... }, {}) | | build-leaks.js:22:36:22:38 | raw | build-leaks.js:22:49:22:51 | env | build-leaks.js:24:20:24:22 | env | build-leaks.js:22:24:25:14 | Object. ... }, {}) |
| build-leaks.js:22:36:22:38 | raw | build-leaks.js:23:39:23:41 | raw | build-leaks.js:24:20:24:22 | env | build-leaks.js:22:24:25:14 | Object. ... }, {}) | | build-leaks.js:22:36:22:38 | raw | build-leaks.js:23:39:23:41 | raw | build-leaks.js:24:20:24:22 | env | build-leaks.js:22:24:25:14 | Object. ... }, {}) |
#select
| build-leaks.js:4:39:6:1 | {\\n " ... leak]\\n} | build-leaks.js:5:35:5:45 | process.env | build-leaks.js:4:39:6:1 | {\\n " ... leak]\\n} | This creates a build artifact that depends on $@. | build-leaks.js:5:35:5:45 | process.env | sensitive data returned byprocess environment |
| build-leaks.js:34:26:34:57 | getEnv( ... ngified | build-leaks.js:15:24:15:34 | process.env | build-leaks.js:34:26:34:57 | getEnv( ... ngified | This creates a build artifact that depends on $@. | build-leaks.js:15:24:15:34 | process.env | sensitive data returned byprocess environment |
| build-leaks.js:41:43:41:86 | { "proc ... y(pw) } | build-leaks.js:40:14:40:60 | url.par ... assword | build-leaks.js:41:43:41:86 | { "proc ... y(pw) } | This creates a build artifact that depends on $@. | build-leaks.js:40:14:40:60 | url.par ... assword | sensitive data returned byan access to current_password |

1
javascript/ql/test/query-tests/Security/CWE-312/BuildArtifactLeak.qlref
View File

@@ -1 +1,2 @@
query: Security/CWE-312/BuildArtifactLeak.ql query: Security/CWE-312/BuildArtifactLeak.ql
postprocess: utils/test/InlineExpectationsTestQuery.ql

12
javascript/ql/test/query-tests/Security/CWE-312/build-leaks.js
View File

@@ -90,4 +90,14 @@ var server = https.createServer(function (req, res) {
} }
new webpack.DefinePlugin(getOnlyReactVariables3()); new webpack.DefinePlugin(getOnlyReactVariables3());
})();
function getFilteredEnv4() {
return ["FOO", "BAR", "BAZ"]
.reduce((env, key) => {
env[key] = JSON.stringify(process.env[key]);
return env;
}, {});
}
new webpack.DefinePlugin(getFilteredEnv4());
})();