Merge pull request #314 from esben-semmle/js/json-stringify-as-command-line-injection-source-heuristic

Approved by xiemaisi

javascript/ql/src/semmle/javascript/heuristics/AdditionalSources.qll

@@ -6,6 +6,7 @@
 
 import javascript
 import SyntacticHeuristics
+private import semmle.javascript.security.dataflow.CommandInjection
 
 /**
  * A heuristic source of data flow in a security query.
@@ -26,3 +27,13 @@ private class RemoteFlowPassword extends HeuristicSource, RemoteFlowSource {
   }
 
 }
+
+/**
+ * A use of `JSON.stringify`, viewed as a source for command line injections
+ * since it does not properly escape single quotes and dollar symbols.
+ */
+private class JSONStringifyAsCommandInjectionSource extends HeuristicSource, CommandInjection::Source {
+  JSONStringifyAsCommandInjectionSource() {
+    this = DataFlow::globalVarRef("JSON").getAMemberCall("stringify")
+  }
+}

javascript/ql/test/library-tests/Security/heuristics/HeuristicSource.expected

@@ -1,2 +1,3 @@
 | additionalCommandInjections.js:2:28:2:35 | password |
 | sources.js:2:5:2:12 | password |
+| sources.js:3:5:3:20 | JSON.stringify() |

javascript/ql/test/library-tests/Security/heuristics/sources.js

@@ -1,3 +1,4 @@
 (function() {
     password;
+    JSON.stringify();
 })();