JS: Guard against more FPs

Asger F
2019-11-26 09:28:55 +00:00
committed by Asger Feldthaus
parent 738123d3f5
commit bd9405ab84
3 changed files with 125 additions and 1 deletions


@@ -144,6 +144,26 @@ class DynamicPropRead extends DataFlow::SourceNode, DataFlow::ValueNode {
/** Gets the base of the dynamic read. */
DataFlow::Node getBase() { result = astNode.getBase().flow() }
/**
* Holds if the value of this read was assigned to earlier in the same basic block.
*
* For example, this is true for `dst[x]` on line 2 below:
* ```js
* dst[x] = {};
* dst[x][y] = src[y];
* ```
*/
predicate hasDominatingAssignment() {
exists(DataFlow::PropWrite write, BasicBlock bb, int i, int j, SsaVariable ssaVar |
write = getBase().getALocalSource().getAPropertyWrite() and
bb.getNode(i) = write.getWriteNode() and
bb.getNode(j) = astNode and
i < j and
write.getPropertyNameExpr() = ssaVar.getAUse() and
astNode.getIndex() = ssaVar.getAUse()
)
}
}
/**
@@ -238,11 +258,13 @@ class PropNameTracking extends DataFlow::Configuration {
// Step through `p -> x[p]`
exists(PropRead read |
pred = read.getPropertyNameExpr().flow() and
not read.(DynamicPropRead).hasDominatingAssignment() and
succ = read
)
or
// Step through `x -> x[p]`
exists(DynamicPropRead read |
not read.hasDominatingAssignment() and
pred = read.getBase() and
succ = read
)


@@ -707,6 +707,42 @@ nodes
| PrototypePollutionUtility/tests.js:280:24:280:31 | src[key] |
| PrototypePollutionUtility/tests.js:280:28:280:30 | key |
| PrototypePollutionUtility/tests.js:280:28:280:30 | key |
| PrototypePollutionUtility/tests.js:285:28:285:30 | src |
| PrototypePollutionUtility/tests.js:285:28:285:30 | src |
| PrototypePollutionUtility/tests.js:285:33:285:36 | path |
| PrototypePollutionUtility/tests.js:285:33:285:36 | path |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key |
| PrototypePollutionUtility/tests.js:289:40:289:42 | src |
| PrototypePollutionUtility/tests.js:289:40:289:42 | src |
| PrototypePollutionUtility/tests.js:289:40:289:47 | src[key] |
| PrototypePollutionUtility/tests.js:289:40:289:47 | src[key] |
| PrototypePollutionUtility/tests.js:289:40:289:47 | src[key] |
| PrototypePollutionUtility/tests.js:289:40:289:47 | src[key] |
| PrototypePollutionUtility/tests.js:289:40:289:47 | src[key] |
| PrototypePollutionUtility/tests.js:289:44:289:46 | key |
| PrototypePollutionUtility/tests.js:289:44:289:46 | key |
| PrototypePollutionUtility/tests.js:289:50:289:78 | path ? ... y : key |
| PrototypePollutionUtility/tests.js:289:50:289:78 | path ? ... y : key |
| PrototypePollutionUtility/tests.js:289:76:289:78 | key |
| PrototypePollutionUtility/tests.js:289:76:289:78 | key |
| PrototypePollutionUtility/tests.js:292:24:292:27 | path |
| PrototypePollutionUtility/tests.js:292:24:292:27 | path |
| PrototypePollutionUtility/tests.js:292:24:292:27 | path |
| PrototypePollutionUtility/tests.js:293:30:293:32 | key |
| PrototypePollutionUtility/tests.js:293:30:293:32 | key |
| PrototypePollutionUtility/tests.js:293:30:293:32 | key |
| PrototypePollutionUtility/tests.js:293:37:293:39 | src |
| PrototypePollutionUtility/tests.js:293:37:293:39 | src |
| PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
| PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
| PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
| PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
| PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
| PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
| PrototypePollutionUtility/tests.js:293:41:293:43 | key |
| PrototypePollutionUtility/tests.js:293:41:293:43 | key |
| examples/PrototypePollutionUtility.js:1:16:1:18 | dst |
| examples/PrototypePollutionUtility.js:1:16:1:18 | dst |
| examples/PrototypePollutionUtility.js:1:21:1:23 | src |
@@ -1696,6 +1732,56 @@ edges
| PrototypePollutionUtility/tests.js:280:28:280:30 | key | PrototypePollutionUtility/tests.js:280:24:280:31 | src[key] |
| PrototypePollutionUtility/tests.js:280:28:280:30 | key | PrototypePollutionUtility/tests.js:280:24:280:31 | src[key] |
| PrototypePollutionUtility/tests.js:280:28:280:30 | key | PrototypePollutionUtility/tests.js:280:24:280:31 | src[key] |
| PrototypePollutionUtility/tests.js:285:28:285:30 | src | PrototypePollutionUtility/tests.js:289:40:289:42 | src |
| PrototypePollutionUtility/tests.js:285:28:285:30 | src | PrototypePollutionUtility/tests.js:289:40:289:42 | src |
| PrototypePollutionUtility/tests.js:285:28:285:30 | src | PrototypePollutionUtility/tests.js:293:37:293:39 | src |
| PrototypePollutionUtility/tests.js:285:28:285:30 | src | PrototypePollutionUtility/tests.js:293:37:293:39 | src |
| PrototypePollutionUtility/tests.js:285:33:285:36 | path | PrototypePollutionUtility/tests.js:292:24:292:27 | path |
| PrototypePollutionUtility/tests.js:285:33:285:36 | path | PrototypePollutionUtility/tests.js:292:24:292:27 | path |
| PrototypePollutionUtility/tests.js:285:33:285:36 | path | PrototypePollutionUtility/tests.js:292:24:292:27 | path |
| PrototypePollutionUtility/tests.js:285:33:285:36 | path | PrototypePollutionUtility/tests.js:292:24:292:27 | path |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:289:44:289:46 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:289:44:289:46 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:289:44:289:46 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:289:44:289:46 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:289:76:289:78 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:289:76:289:78 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:289:76:289:78 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:289:76:289:78 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:293:30:293:32 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:293:30:293:32 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:293:30:293:32 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:293:30:293:32 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:293:30:293:32 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:293:30:293:32 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:293:30:293:32 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:293:41:293:43 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:293:41:293:43 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:293:41:293:43 | key |
| PrototypePollutionUtility/tests.js:286:14:286:16 | key | PrototypePollutionUtility/tests.js:293:41:293:43 | key |
| PrototypePollutionUtility/tests.js:289:40:289:42 | src | PrototypePollutionUtility/tests.js:289:40:289:47 | src[key] |
| PrototypePollutionUtility/tests.js:289:40:289:42 | src | PrototypePollutionUtility/tests.js:289:40:289:47 | src[key] |
| PrototypePollutionUtility/tests.js:289:40:289:47 | src[key] | PrototypePollutionUtility/tests.js:285:28:285:30 | src |
| PrototypePollutionUtility/tests.js:289:40:289:47 | src[key] | PrototypePollutionUtility/tests.js:285:28:285:30 | src |
| PrototypePollutionUtility/tests.js:289:40:289:47 | src[key] | PrototypePollutionUtility/tests.js:285:28:285:30 | src |
| PrototypePollutionUtility/tests.js:289:40:289:47 | src[key] | PrototypePollutionUtility/tests.js:285:28:285:30 | src |
| PrototypePollutionUtility/tests.js:289:40:289:47 | src[key] | PrototypePollutionUtility/tests.js:285:28:285:30 | src |
| PrototypePollutionUtility/tests.js:289:40:289:47 | src[key] | PrototypePollutionUtility/tests.js:285:28:285:30 | src |
| PrototypePollutionUtility/tests.js:289:44:289:46 | key | PrototypePollutionUtility/tests.js:289:40:289:47 | src[key] |
| PrototypePollutionUtility/tests.js:289:44:289:46 | key | PrototypePollutionUtility/tests.js:289:40:289:47 | src[key] |
| PrototypePollutionUtility/tests.js:289:50:289:78 | path ? ... y : key | PrototypePollutionUtility/tests.js:285:33:285:36 | path |
| PrototypePollutionUtility/tests.js:289:50:289:78 | path ? ... y : key | PrototypePollutionUtility/tests.js:285:33:285:36 | path |
| PrototypePollutionUtility/tests.js:289:76:289:78 | key | PrototypePollutionUtility/tests.js:289:50:289:78 | path ? ... y : key |
| PrototypePollutionUtility/tests.js:289:76:289:78 | key | PrototypePollutionUtility/tests.js:289:50:289:78 | path ? ... y : key |
| PrototypePollutionUtility/tests.js:293:37:293:39 | src | PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
| PrototypePollutionUtility/tests.js:293:37:293:39 | src | PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
| PrototypePollutionUtility/tests.js:293:37:293:39 | src | PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
| PrototypePollutionUtility/tests.js:293:37:293:39 | src | PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
| PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] | PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
| PrototypePollutionUtility/tests.js:293:41:293:43 | key | PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
| PrototypePollutionUtility/tests.js:293:41:293:43 | key | PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
| PrototypePollutionUtility/tests.js:293:41:293:43 | key | PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
| PrototypePollutionUtility/tests.js:293:41:293:43 | key | PrototypePollutionUtility/tests.js:293:37:293:44 | src[key] |
| examples/PrototypePollutionUtility.js:1:16:1:18 | dst | examples/PrototypePollutionUtility.js:5:19:5:21 | dst |
| examples/PrototypePollutionUtility.js:1:16:1:18 | dst | examples/PrototypePollutionUtility.js:5:19:5:21 | dst |
| examples/PrototypePollutionUtility.js:1:16:1:18 | dst | examples/PrototypePollutionUtility.js:7:13:7:15 | dst |


@@ -281,3 +281,19 @@ function copyUsingReflect(dst, src) {
}
});
}
function copyWithPath(dst, src, path) {
for (let key in src) {
if (src.hasOwnProperty(key)) {
if (dst[key]) {
copyWithPath(dst[key], src[key], path ? path + '.' + key : key);
} else {
let target = {};
target[path] = {};
target[path][key] = src[key]; // OK
doSomething(target);
}
}
}
return dst;
}
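Review bot: The new fixture exercises only the object-literal pre-assignment (`target[path] = {};` on line 168), so the expected output does not pin the boundary of the new `hasDominatingAssignment` guard. A sibling function in which the earlier write re-reads the same property (`target[path] = target[path] || {};`) before the same indexed store, annotated `// NOT OK`, would verify that the guard silences the literal case without also silencing the reassignment pattern. The recursive call on line 165 remains the intended positive case and should keep its current expected result.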