From 4529d8b75af66527c4f972d88bbb6cdbd30b5d96 Mon Sep 17 00:00:00 2001
From: Jeongsoo Lee
Date: Fri, 28 Jul 2023 22:37:56 +0000
Subject: [PATCH 1/3] Add support for log injection in MaD
---
 .../ql/lib/change-notes/2023-07-28-mad-log-injection.md | 4 ++++
 .../semmle/javascript/security/dataflow/LogInjectionQuery.qll | 4 ++++
 2 files changed, 8 insertions(+)
 create mode 100644 javascript/ql/lib/change-notes/2023-07-28-mad-log-injection.md
diff --git a/javascript/ql/lib/change-notes/2023-07-28-mad-log-injection.md b/javascript/ql/lib/change-notes/2023-07-28-mad-log-injection.md
new file mode 100644
index 00000000000..e0ae47129a6
--- /dev/null
+++ b/javascript/ql/lib/change-notes/2023-07-28-mad-log-injection.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added support for Model as Data for Log-injection query
\ No newline at end of file
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
index cfae5b83409..6a98db71c72 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
@@ -66,3 +66,7 @@ class HtmlSanitizer extends Sanitizer instanceof HtmlSanitizerCall { }
 class JsonStringifySanitizer extends Sanitizer {
 JsonStringifySanitizer() { this = any(JsonStringifyCall c).getOutput() }
 }
+
+private class SinkFromModel extends Sink {
+ SinkFromModel() { this = ModelOutput::getASinkNode("log-injection").asSink() }
+}
From a148c7cc876c3e69bca0283e5f874e69fa05308b Mon Sep 17 00:00:00 2001
From: Asger F
Date: Mon, 31 Jul 2023 14:04:16 +0200
Subject: [PATCH 2/3] JS: Mention log-injection sink kind in docs
---
 .../customizing-library-models-for-javascript.rst | 1 +
 1 file changed, 1 insertion(+)
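Review bot: The new `SinkFromModel` class at the end of the LogInjectionQuery.qll hunk carries no QLDoc, and the kind string it matches is the only place in library code where the new model contract is visible. Suggest adding `/** A log-injection sink specified by a Model-as-Data model with the sink kind `log-injection`; see the "customizing library models" documentation for the format. */` above the class so that anyone extending this query can find the recognised kind name without reading the change note or the RST docs. Because `"log-injection"` is now a user-facing identifier that must stay in sync with the documented sink kinds, a one-line pointer in the QLDoc makes that coupling explicit. The import that brings `ModelOutput` into scope lies outside this hunk, so I could not confirm it is present in the file.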
diff --git a/docs/codeql/codeql-language-guides/customizing-library-models-for-javascript.rst b/docs/codeql/codeql-language-guides/customizing-library-models-for-javascript.rst
index d5cf4e0338e..2d58a4ba821 100644
--- a/docs/codeql/codeql-language-guides/customizing-library-models-for-javascript.rst
+++ b/docs/codeql/codeql-language-guides/customizing-library-models-for-javascript.rst
@@ -471,6 +471,7 @@ Unlike sources, sinks tend to be highly query-specific, rarely affecting more th
 - **request-forgery**: A sink that controls the URL of a request, such as in a **fetch** call.
 - **url-redirection**: A sink that can be used to redirect the user to a malicious URL.
 - **unsafe-deserialization**: A deserialization sink that can lead to code execution or other unsafe behaviour, such as an unsafe YAML parser.
+- **log-injection**: A sink that can be used for log injection, such as in a **console.log** call.
 
 Summary kinds
 ~~~~~~~~~~~~~
From 1d5eb4a9602c84b65052dee265012002a6b440ab Mon Sep 17 00:00:00 2001
From: Jeongsoo Lee
Date: Mon, 31 Jul 2023 15:38:35 -0700
Subject: [PATCH 3/3] Update javascript/ql/lib/change-notes/2023-07-28-mad-log-injection.md
Co-authored-by: Asger F
---
 javascript/ql/lib/change-notes/2023-07-28-mad-log-injection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/javascript/ql/lib/change-notes/2023-07-28-mad-log-injection.md b/javascript/ql/lib/change-notes/2023-07-28-mad-log-injection.md
index e0ae47129a6..63dba2e4539 100644
--- a/javascript/ql/lib/change-notes/2023-07-28-mad-log-injection.md
+++ b/javascript/ql/lib/change-notes/2023-07-28-mad-log-injection.md
@@ -1,4 +1,4 @@
 ---
 category: minorAnalysis
 ---
-* Added support for Model as Data for Log-injection query
\ No newline at end of file
+* Added `log-injection` as a customizable sink kind for log injection.
\ No newline at end of file