JavaScript: Recognise JSON.stringify and JSON.parse as escaper/unescaper.

2026-04-27 09:45:15 +02:00 · 2019-10-30 09:35:49 +00:00
parent 63f24476e9
commit bd1c99d8a4
3 changed files with 68 additions and 0 deletions
--- a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
+++ b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
@@ -167,6 +167,52 @@ class GlobalStringReplacement extends Replacement, DataFlow::MethodCallNode {
  }
 }

+/**
+ * A call to `JSON.stringify`, viewed as a string replacement.
+ */
+class JsonStringifyReplacement extends Replacement, DataFlow::CallNode {
+  JsonStringifyReplacement() {
+    this = DataFlow::globalVarRef("JSON").getAMemberCall("stringify")
+  }
+
+  override predicate replaces(string input, string output) {
+    input = "\\" and output = "\\\\"
+    // the other replacements are not relevant for this query
+  }
+
+  override DataFlow::Node getInput() {
+    result = this.getArgument(0)
+  }
+
+  override DataFlow::SourceNode getOutput() {
+    result = this
+  }
+}
+
+/**
+ * A call to `JSON.parse`, viewed as a string replacement.
+ */
+class JsonParseReplacement extends Replacement {
+  JsonParserCall self;
+
+  JsonParseReplacement() {
+    this = self
+  }
+
+  override predicate replaces(string input, string output) {
+    input = "\\\\" and output = "\\"
+    // the other replacements are not relevant for this query
+  }
+
+  override DataFlow::Node getInput() {
+    result = self.getInput()
+  }
+
+  override DataFlow::SourceNode getOutput() {
+    result = self.getOutput()
+  }
+}
+
 from Replacement primary, Replacement supplementary, string message, string metachar
 where
  primary.escapes(metachar, _) and