hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

add support for the fast-json-stringify library

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2021-07-12 11:13:01 +02:00
parent 40aa970db3
commit bef7e61e76
4 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
javascript/change-notes/2021-06-24-json.md
View File

@@ -10,4 +10,5 @@ lgtm,codescanning
[safe-stable-stringify](https://npmjs.com/package/safe-stable-stringify),
[fclone](https://npmjs.com/package/fclone),
[json-cycle](https://npmjs.com/package/json-cycle),
[strip-json-comments](https://npmjs.com/package/strip-json-comments)
[strip-json-comments](https://npmjs.com/package/strip-json-comments),
[fast-json-stringify](https://npmjs.com/package/fast-json-stringify)

2
javascript/ql/src/semmle/javascript/JsonStringifiers.qll
View File

@@ -19,7 +19,7 @@ class JsonStringifyCall extends DataFlow::CallNode {
DataFlow::moduleImport([
"json-stringify-safe", "json-stable-stringify", "stringify-object",
"fast-json-stable-stringify", "fast-safe-stringify", "javascript-stringify",
"js-stringify", "safe-stable-stringify"
"js-stringify", "safe-stable-stringify", "fast-json-stringify"
]) or
// require("util").inspect() and similar
callee = DataFlow::moduleMember("util", "inspect") or

1
javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
View File

@@ -98,6 +98,7 @@ typeInferenceMismatch
| json-stringify.js:2:16:2:23 | source() | json-stringify.js:36:8:36:47 | require ... source) |
| json-stringify.js:2:16:2:23 | source() | json-stringify.js:39:8:39:37 | jc.stri ... ource)) |
| json-stringify.js:2:16:2:23 | source() | json-stringify.js:42:8:42:51 | JSON.st ... urce))) |
| json-stringify.js:2:16:2:23 | source() | json-stringify.js:45:8:45:23 | fastJson(source) |
| json-stringify.js:3:15:3:22 | source() | json-stringify.js:8:8:8:31 | jsonStr ... (taint) |
| nested-props.js:4:13:4:20 | source() | nested-props.js:5:10:5:14 | obj.x |
| nested-props.js:9:18:9:25 | source() | nested-props.js:10:10:10:16 | obj.x.y |

3
javascript/ql/test/library-tests/TaintTracking/json-stringify.js
View File

@@ -40,4 +40,7 @@ function foo() {
const stripper = require("strip-json-comments");
sink(JSON.stringify(JSON.parse(stripper(source)))); // NOT OK
const fastJson = require('fast-json-stringify');
sink(fastJson(source)); // NOT OK
}