Merge pull request #6254 from erik-krogh/json2csv

Approved by asgerf
2026-04-28 10:15:14 +02:00 · 2021-07-13 05:44:36 -07:00
parent cb1b227c87 bef7e61e76
commit b34f444c88
11 changed files with 205 additions and 4 deletions
--- a/javascript/ql/src/semmle/javascript/Extend.qll
+++ b/javascript/ql/src/semmle/javascript/Extend.qll
@@ -178,11 +178,15 @@ private class ExtendCallTaintStep extends TaintTracking::SharedTaintStep {
 private import semmle.javascript.dataflow.internal.PreCallGraphStep

 /**
- * A step for the `clone` package.
+ * A step through a cloning library, such as `clone` or `fclone`.
 */
 private class CloneStep extends PreCallGraphStep {
  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(DataFlow::CallNode call | call = DataFlow::moduleImport("clone").getACall() |
+    exists(DataFlow::CallNode call |
+      call = DataFlow::moduleImport(["clone", "fclone"]).getACall()
+      or
+      call = DataFlow::moduleMember("json-cycle", ["decycle", "retrocycle"]).getACall()
+    |
      pred = call.getArgument(0) and
      succ = call
    )
--- a/javascript/ql/src/semmle/javascript/JsonParsers.qll
+++ b/javascript/ql/src/semmle/javascript/JsonParsers.qll
@@ -26,6 +26,10 @@ private class PlainJsonParserCall extends JsonParserCall {
  PlainJsonParserCall() {
    exists(DataFlow::SourceNode callee | this = callee.getACall() |
      callee = DataFlow::globalVarRef("JSON").getAPropertyRead("parse") or
+      callee =
+        DataFlow::moduleMember(["json3", "json5", "flatted", "teleport-javascript", "json-cycle"],
+          "parse") or
+      callee = API::moduleImport("replicator").getInstance().getMember("decode").getAnImmediateUse() or
      callee = DataFlow::moduleImport("parse-json") or
      callee = DataFlow::moduleImport("json-parse-better-errors") or
      callee = DataFlow::moduleImport("json-safe-parse") or
@@ -74,3 +78,15 @@ private class JsonParserCallWithCallback extends JsonParserCall {

  override DataFlow::SourceNode getOutput() { result = getCallback(1).getParameter(1) }
 }
+
+/**
+ * A taint step through the `strip-json-comments` library.
+ */
+private class StripJsonCommentsStep extends TaintTracking::SharedTaintStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call | call = API::moduleImport("strip-json-comments").getACall() |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}
--- a/javascript/ql/src/semmle/javascript/JsonStringifiers.qll
+++ b/javascript/ql/src/semmle/javascript/JsonStringifiers.qll
@@ -11,12 +11,15 @@ class JsonStringifyCall extends DataFlow::CallNode {
  JsonStringifyCall() {
    exists(DataFlow::SourceNode callee | this = callee.getACall() |
      callee = DataFlow::globalVarRef("JSON").getAPropertyRead("stringify") or
-      callee = DataFlow::moduleMember("json3", "stringify") or
+      callee =
+        DataFlow::moduleMember(["json3", "json5", "flatted", "teleport-javascript", "json-cycle"],
+          "stringify") or
+      callee = API::moduleImport("replicator").getInstance().getMember("encode").getAnImmediateUse() or
      callee =
        DataFlow::moduleImport([
            "json-stringify-safe", "json-stable-stringify", "stringify-object",
            "fast-json-stable-stringify", "fast-safe-stringify", "javascript-stringify",
-            "js-stringify"
+            "js-stringify", "safe-stable-stringify", "fast-json-stringify"
          ]) or
      // require("util").inspect() and similar
      callee = DataFlow::moduleMember("util", "inspect") or
@@ -34,3 +37,38 @@ class JsonStringifyCall extends DataFlow::CallNode {
   */
  DataFlow::SourceNode getOutput() { result = this }
 }
+
+/**
+ * A taint step through the [`json2csv`](https://www.npmjs.com/package/json2csv) library.
+ */
+class JSON2CSVTaintStep extends TaintTracking::SharedTaintStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call |
+      call =
+        API::moduleImport("json2csv")
+            .getMember("Parser")
+            .getInstance()
+            .getMember("parse")
+            .getACall()
+    |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}
+
+/**
+ * A step through the [`prettyjson`](https://www.npmjs.com/package/prettyjson) library.
+ * This is not quite a `JSON.stringify` call, as it e.g. does not wrap keys in double quotes.
+ * It's therefore modelled as a taint-step rather than as a `JSON.stringify` call.
+ */
+class PrettyJSONTaintStep extends TaintTracking::SharedTaintStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call |
+      call = API::moduleImport("prettyjson").getMember("render").getACall()
+    |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}