add sort-keys as a clone call

2026-05-04 05:05:12 +02:00 · 2021-07-15 12:59:20 +02:00
parent 8ccdd4fb9f
commit aaa8969537
3 changed files with 20 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/Extend.qll
+++ b/javascript/ql/src/semmle/javascript/Extend.qll
@@ -183,7 +183,8 @@ private import semmle.javascript.dataflow.internal.PreCallGraphStep
 private class CloneStep extends PreCallGraphStep {
  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
    exists(DataFlow::CallNode call |
-      call = DataFlow::moduleImport(["clone", "fclone"]).getACall()
+      // `camelcase-keys` isn't quite a cloning library. But it's pretty close.
+      call = DataFlow::moduleImport(["clone", "fclone", "sort-keys", "camelcase-keys"]).getACall()
      or
      call = DataFlow::moduleMember("json-cycle", ["decycle", "retrocycle"]).getACall()
    |
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js
@@ -72,6 +72,19 @@ app.get('/baz', function(req, res) {
  obj.p = p;
  var other = jc.retrocycle(jc.decycle(obj));

+  res.send(p); // NOT OK
+  res.send(other.p); // NOT OK
+});
+
+const sortKeys = require('sort-keys');
+
+app.get('/baz', function(req, res) {
+  let { p } = req.params;
+
+  var obj = {};
+  obj.p = p;
+  var other = sortKeys(obj);
+
  res.send(p); // NOT OK
  res.send(other.p); // NOT OK
 });