Merge pull request #1258 from asger-semmle/prototype-pollution

JS: prototype pollution query template
2026-05-01 19:55:15 +02:00 · 2019-04-17 12:58:05 +01:00
parent f33b24c917 48ca4ae0d8
commit a61ca489f1
5 changed files with 195 additions and 0 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollution.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollution.expected
@@ -0,0 +1,15 @@
+nodes
+| PrototypePollution.js:7:17:7:29 | req.query.foo |
+| PrototypePollution.js:10:17:12:5 | {\\n      ... K\\n    } |
+| PrototypePollution.js:11:16:11:30 | req.query.value |
+| PrototypePollution.js:15:14:15:28 | req.query.value |
+| PrototypePollution.js:17:17:19:5 | {\\n      ... K\\n    } |
+| PrototypePollution.js:18:16:18:25 | opts.thing |
+edges
+| PrototypePollution.js:11:16:11:30 | req.query.value | PrototypePollution.js:10:17:12:5 | {\\n      ... K\\n    } |
+| PrototypePollution.js:15:14:15:28 | req.query.value | PrototypePollution.js:18:16:18:25 | opts.thing |
+| PrototypePollution.js:18:16:18:25 | opts.thing | PrototypePollution.js:17:17:19:5 | {\\n      ... K\\n    } |
+#select
+| PrototypePollution.js:7:17:7:29 | req.query.foo | PrototypePollution.js:7:17:7:29 | req.query.foo | PrototypePollution.js:7:17:7:29 | req.query.foo | Prototype pollution caused by merging a user-controlled value from $@. | PrototypePollution.js:7:17:7:29 | req.query.foo | here |
+| PrototypePollution.js:10:17:12:5 | {\\n      ... K\\n    } | PrototypePollution.js:11:16:11:30 | req.query.value | PrototypePollution.js:10:17:12:5 | {\\n      ... K\\n    } | Prototype pollution caused by merging a user-controlled value from $@. | PrototypePollution.js:11:16:11:30 | req.query.value | here |
+| PrototypePollution.js:17:17:19:5 | {\\n      ... K\\n    } | PrototypePollution.js:15:14:15:28 | req.query.value | PrototypePollution.js:17:17:19:5 | {\\n      ... K\\n    } | Prototype pollution caused by merging a user-controlled value from $@. | PrototypePollution.js:15:14:15:28 | req.query.value | here |
--- a/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollution.js
+++ b/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollution.js
@@ -0,0 +1,21 @@
+let express = require('express');
+let _ = require('lodash');
+
+let app = express();
+
+app.get('/hello', function(req, res) {
+    _.merge({}, req.query.foo); // NOT OK
+    _.merge({}, req.query); // NOT OK - but not flagged
+    
+    _.merge({}, {
+        value: req.query.value // NOT OK
+    });
+    
+    let opts = {
+      thing: req.query.value // wrapped and unwrapped value
+    };
+    _.merge({}, {
+        value: opts.thing // NOT OK
+    });
+});
+
--- a/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollution.ql
+++ b/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollution.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Prototype Pollution
+ * @description Recursively merging a user-controlled object into another object
+ *              can allow an attacker to modify the built-in Object prototype. 
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision high
+ * @id js/prototype-pollution
+ * @tags security
+ *       external/cwe/cwe-250
+ *       external/cwe/cwe-400
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.PrototypePollution::PrototypePollution
+import DataFlow::PathGraph
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Prototype pollution caused by merging a user-controlled value from $@.", source, "here"