add support for moment/dayjs/luxon instances returned by @date-io adapters

Erik Krogh Kristensen
2021-06-21 23:28:31 +02:00
parent 227f61b954
commit c736606695
5 changed files with 116 additions and 1 deletions


@@ -73,6 +73,35 @@ private module DateIO {
)
}
}
/** Gets a method name from an `@date-io` adapter that returns an instance of the adapted library. */
private string getAnAdapterMethodName() {
result =
[
"addSeconds", "addMinutes", "addHours", "addDays", "addWeeks", "addMonths", "endOfDay",
"setHours", "setMinutes", "setSeconds", "startOfMonth", "endOfMonth", "startOfWeek",
"endOfWeek", "setYear", "date", "parse", "setMonth", "getNextMonth", "getPreviousMonth"
]
}
/**
* Gets an instance of `library` that has been created by an `@date-io` adapter.
* Library is one of: "moment", "luxon", or "dayjs".
*/
API::Node getAnAdaptedInstance(string library) {
exists(API::Node adapter |
library = "moment" and
adapter = API::moduleImport("@date-io/moment")
or
library = "luxon" and
adapter = API::moduleImport("@date-io/luxon")
or
library = "dayjs" and
adapter = API::moduleImport("@date-io/dayjs")
|
result = adapter.getInstance().getMember(getAnAdapterMethodName()).getReturn()
)
}
}
/**
@@ -99,6 +128,8 @@ private module Luxon {
result = luxonDateTime().getAMember()
or
result = luxonDateTime().getReturn()
or
result = DateIO::getAnAdaptedInstance("luxon")
)
}
@@ -125,6 +156,8 @@ private module Moment {
result = moment().getReturn()
or
result = moment().getAMember()
or
result = DateIO::getAnAdaptedInstance(["moment", "dayjs"])
}
/**
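Review bot: The set literal in `getAnAdapterMethodName` (first hunk) lists `endOfDay` but not `startOfDay`, and it also omits `parseISO` and `mergeDateAndTime`, which as far as I know the `@date-io` adapter interface exposes and which return an instance of the adapted library. A moment/luxon/dayjs value obtained through one of those calls would not be recognised by `getAnAdaptedInstance`, so a tainted format string passed to `.format()` or `.toFormat()` on it would be a false negative for the XSS query. I would extend the list with `"startOfDay", "parseISO", "mergeDateAndTime"` after checking them against the adapter version being modelled. I would also add a short comment above the list, `// keep in sync with the TDate-returning methods of the @date-io IUtils interface`, because the list will silently lose coverage when the adapter gains new methods.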


@@ -168,6 +168,23 @@ nodes
| dates.js:50:31:50:104 | `Time i ... aint)}` |
| dates.js:50:42:50:102 | DateTim ... (taint) |
| dates.js:50:97:50:101 | taint |
| dates.js:54:9:54:69 | taint |
| dates.js:54:17:54:69 | decodeU ... ing(1)) |
| dates.js:54:36:54:55 | window.location.hash |
| dates.js:54:36:54:55 | window.location.hash |
| dates.js:54:36:54:68 | window. ... ring(1) |
| dates.js:57:31:57:101 | `Time i ... aint)}` |
| dates.js:57:31:57:101 | `Time i ... aint)}` |
| dates.js:57:42:57:99 | moment. ... (taint) |
| dates.js:57:94:57:98 | taint |
| dates.js:59:31:59:87 | `Time i ... aint)}` |
| dates.js:59:31:59:87 | `Time i ... aint)}` |
| dates.js:59:42:59:85 | luxon.e ... (taint) |
| dates.js:59:80:59:84 | taint |
| dates.js:61:31:61:88 | `Time i ... aint)}` |
| dates.js:61:31:61:88 | `Time i ... aint)}` |
| dates.js:61:42:61:86 | dayjs.s ... (taint) |
| dates.js:61:81:61:85 | taint |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href |
@@ -856,6 +873,22 @@ edges
| dates.js:50:42:50:102 | DateTim ... (taint) | dates.js:50:31:50:104 | `Time i ... aint)}` |
| dates.js:50:42:50:102 | DateTim ... (taint) | dates.js:50:31:50:104 | `Time i ... aint)}` |
| dates.js:50:97:50:101 | taint | dates.js:50:42:50:102 | DateTim ... (taint) |
| dates.js:54:9:54:69 | taint | dates.js:57:94:57:98 | taint |
| dates.js:54:9:54:69 | taint | dates.js:59:80:59:84 | taint |
| dates.js:54:9:54:69 | taint | dates.js:61:81:61:85 | taint |
| dates.js:54:17:54:69 | decodeU ... ing(1)) | dates.js:54:9:54:69 | taint |
| dates.js:54:36:54:55 | window.location.hash | dates.js:54:36:54:68 | window. ... ring(1) |
| dates.js:54:36:54:55 | window.location.hash | dates.js:54:36:54:68 | window. ... ring(1) |
| dates.js:54:36:54:68 | window. ... ring(1) | dates.js:54:17:54:69 | decodeU ... ing(1)) |
| dates.js:57:42:57:99 | moment. ... (taint) | dates.js:57:31:57:101 | `Time i ... aint)}` |
| dates.js:57:42:57:99 | moment. ... (taint) | dates.js:57:31:57:101 | `Time i ... aint)}` |
| dates.js:57:94:57:98 | taint | dates.js:57:42:57:99 | moment. ... (taint) |
| dates.js:59:42:59:85 | luxon.e ... (taint) | dates.js:59:31:59:87 | `Time i ... aint)}` |
| dates.js:59:42:59:85 | luxon.e ... (taint) | dates.js:59:31:59:87 | `Time i ... aint)}` |
| dates.js:59:80:59:84 | taint | dates.js:59:42:59:85 | luxon.e ... (taint) |
| dates.js:61:42:61:86 | dayjs.s ... (taint) | dates.js:61:31:61:88 | `Time i ... aint)}` |
| dates.js:61:42:61:86 | dayjs.s ... (taint) | dates.js:61:31:61:88 | `Time i ... aint)}` |
| dates.js:61:81:61:85 | taint | dates.js:61:42:61:86 | dayjs.s ... (taint) |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
@@ -1375,6 +1408,9 @@ edges
| dates.js:48:31:48:90 | `Time i ... aint)}` | dates.js:46:36:46:55 | window.location.hash | dates.js:48:31:48:90 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:46:36:46:55 | window.location.hash | user-provided value |
| dates.js:49:31:49:89 | `Time i ... aint)}` | dates.js:46:36:46:55 | window.location.hash | dates.js:49:31:49:89 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:46:36:46:55 | window.location.hash | user-provided value |
| dates.js:50:31:50:104 | `Time i ... aint)}` | dates.js:46:36:46:55 | window.location.hash | dates.js:50:31:50:104 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:46:36:46:55 | window.location.hash | user-provided value |
| dates.js:57:31:57:101 | `Time i ... aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:57:31:57:101 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value |
| dates.js:59:31:59:87 | `Time i ... aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:59:31:59:87 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value |
| dates.js:61:31:61:88 | `Time i ... aint)}` | dates.js:54:36:54:55 | window.location.hash | dates.js:61:31:61:88 | `Time i ... aint)}` | Cross-site scripting vulnerability due to $@. | dates.js:54:36:54:55 | window.location.hash | user-provided value |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' | Cross-site scripting vulnerability due to $@. | event-handler-receiver.js:2:49:2:61 | location.href | user-provided value |
| express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | express.js:7:15:7:33 | req.param("wobble") | Cross-site scripting vulnerability due to $@. | express.js:7:15:7:33 | req.param("wobble") | user-provided value |
| jquery.js:7:5:7:34 | "<div i ... + "\\">" | jquery.js:2:17:2:40 | documen ... .search | jquery.js:7:5:7:34 | "<div i ... + "\\">" | Cross-site scripting vulnerability due to $@. | jquery.js:2:17:2:40 | documen ... .search | user-provided value |


@@ -168,6 +168,23 @@ nodes
| dates.js:50:31:50:104 | `Time i ... aint)}` |
| dates.js:50:42:50:102 | DateTim ... (taint) |
| dates.js:50:97:50:101 | taint |
| dates.js:54:9:54:69 | taint |
| dates.js:54:17:54:69 | decodeU ... ing(1)) |
| dates.js:54:36:54:55 | window.location.hash |
| dates.js:54:36:54:55 | window.location.hash |
| dates.js:54:36:54:68 | window. ... ring(1) |
| dates.js:57:31:57:101 | `Time i ... aint)}` |
| dates.js:57:31:57:101 | `Time i ... aint)}` |
| dates.js:57:42:57:99 | moment. ... (taint) |
| dates.js:57:94:57:98 | taint |
| dates.js:59:31:59:87 | `Time i ... aint)}` |
| dates.js:59:31:59:87 | `Time i ... aint)}` |
| dates.js:59:42:59:85 | luxon.e ... (taint) |
| dates.js:59:80:59:84 | taint |
| dates.js:61:31:61:88 | `Time i ... aint)}` |
| dates.js:61:31:61:88 | `Time i ... aint)}` |
| dates.js:61:42:61:86 | dayjs.s ... (taint) |
| dates.js:61:81:61:85 | taint |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href |
@@ -874,6 +891,22 @@ edges
| dates.js:50:42:50:102 | DateTim ... (taint) | dates.js:50:31:50:104 | `Time i ... aint)}` |
| dates.js:50:42:50:102 | DateTim ... (taint) | dates.js:50:31:50:104 | `Time i ... aint)}` |
| dates.js:50:97:50:101 | taint | dates.js:50:42:50:102 | DateTim ... (taint) |
| dates.js:54:9:54:69 | taint | dates.js:57:94:57:98 | taint |
| dates.js:54:9:54:69 | taint | dates.js:59:80:59:84 | taint |
| dates.js:54:9:54:69 | taint | dates.js:61:81:61:85 | taint |
| dates.js:54:17:54:69 | decodeU ... ing(1)) | dates.js:54:9:54:69 | taint |
| dates.js:54:36:54:55 | window.location.hash | dates.js:54:36:54:68 | window. ... ring(1) |
| dates.js:54:36:54:55 | window.location.hash | dates.js:54:36:54:68 | window. ... ring(1) |
| dates.js:54:36:54:68 | window. ... ring(1) | dates.js:54:17:54:69 | decodeU ... ing(1)) |
| dates.js:57:42:57:99 | moment. ... (taint) | dates.js:57:31:57:101 | `Time i ... aint)}` |
| dates.js:57:42:57:99 | moment. ... (taint) | dates.js:57:31:57:101 | `Time i ... aint)}` |
| dates.js:57:94:57:98 | taint | dates.js:57:42:57:99 | moment. ... (taint) |
| dates.js:59:42:59:85 | luxon.e ... (taint) | dates.js:59:31:59:87 | `Time i ... aint)}` |
| dates.js:59:42:59:85 | luxon.e ... (taint) | dates.js:59:31:59:87 | `Time i ... aint)}` |
| dates.js:59:80:59:84 | taint | dates.js:59:42:59:85 | luxon.e ... (taint) |
| dates.js:61:42:61:86 | dayjs.s ... (taint) | dates.js:61:31:61:88 | `Time i ... aint)}` |
| dates.js:61:42:61:86 | dayjs.s ... (taint) | dates.js:61:31:61:88 | `Time i ... aint)}` |
| dates.js:61:81:61:85 | taint | dates.js:61:42:61:86 | dayjs.s ... (taint) |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |
| event-handler-receiver.js:2:49:2:61 | location.href | event-handler-receiver.js:2:31:2:83 | '<h2><a ... ></h2>' |


@@ -50,3 +50,13 @@ function luxon() {
document.body.innerHTML = `Time is ${DateTime.fromISO("2020-01-01").startOf('day').toFormat(taint)}`; // NOT OK
}
function dateio2() {
let taint = decodeURIComponent(window.location.hash.substring(1));
const moment = new MomentAdapter();
document.body.innerHTML = `Time is ${moment.addDays(moment.date("2020-06-21"), 1).format(taint)}`; // NOT OK
const luxon = new LuxonAdapter();
document.body.innerHTML = `Time is ${luxon.endOfDay(luxon.date()).toFormat(taint)}`; // NOT OK
const dayjs = new DayJSAdapter();
document.body.innerHTML = `Time is ${dayjs.setHours(dayjs.date(), 4).format(taint)}`; // NOT OK
}
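Review bot: `dateio2` only checks instances returned by `addDays`, `endOfDay` and `setHours`; the `date(...)` calls appear only as arguments, so the `date` and `parse` entries of the new method list are never exercised as the receiver of `.format()`/`.toFormat()`. A typo in one of the untested names would go unnoticed, so I would add at least one direct case such as `moment.parse("2020-06-21", "YYYY-MM-DD").format(taint)` marked `// NOT OK`. The adapter imports that these constructors rely on are outside this hunk, so I am assuming they come from the `@date-io/*` packages.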