JS: mark PrintfStyleCall as a taint step

2026-04-30 03:05:15 +02:00 · 2018-08-20 10:27:28 +02:00
parent c058b91587
commit bbdf6b0f1d
7 changed files with 57 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -408,6 +408,27 @@ module TaintTracking {
    }
  }

+  /**
+   * A taint propagating data flow edge arising from string formatting.
+   */
+  private class StringFormattingTaintStep extends AdditionalTaintStep {
+    
+    PrintfStyleCall call;
+    
+    StringFormattingTaintStep() {
+      this = call and
+      call.returnsFormatted()
+    }
+    
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      succ = this and (
+        pred = call.getFormatString()
+        or
+        pred = call.getFormatArgument(_)
+      )
+    }
+  }
+
  /**
   * A taint propagating data flow edge arising from JSON unparsing.
   */
--- a/javascript/ql/src/semmle/javascript/frameworks/StringFormatters.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/StringFormatters.qll
@@ -17,15 +17,23 @@ abstract class PrintfStyleCall extends DataFlow::CallNode {
   * Gets the ith argument to the format string.
   */
  abstract DataFlow::Node getFormatArgument(int i);
+
+  /**
+   * Holds if this call returns the formatted string.
+   */
+  abstract predicate returnsFormatted();
 }

 private class LibraryFormatter extends PrintfStyleCall {

  int formatIndex;

+  boolean returns;
+
  LibraryFormatter() {
    // built-in Node.js functions
    exists (string mod, string meth |
+      returns = false and
      mod = "console" and (
        (
          meth = "debug" or
@@ -40,6 +48,7 @@ private class LibraryFormatter extends PrintfStyleCall {
        meth = "assert" and formatIndex = 1
      )
      or
+      returns = true and
      mod = "util" and (
        (meth = "format" or meth = "log") and formatIndex = 0
        or
@@ -53,7 +62,7 @@ private class LibraryFormatter extends PrintfStyleCall {
      this = DataFlow::globalVarRef(mod).getAMemberCall(meth)
    )
    or
-    (
+    returns = true and (
      // https://www.npmjs.com/package/printf
      this = DataFlow::moduleImport("printf").getACall() and
      formatIndex in [0..1]
@@ -91,4 +100,9 @@ private class LibraryFormatter extends PrintfStyleCall {
    i >= 0 and
    result = getArgument(formatIndex + 1 + i)
  }
+
+  override predicate returnsFormatted() {
+    returns = true
+  }
+
 }