add taint step through the json2csv library

2026-04-30 19:26:02 +02:00 · 2021-06-24 10:45:09 +02:00
parent db4c8dfd3c
commit cb3bd4901b
4 changed files with 27 additions and 0 deletions
--- a/javascript/change-notes/2021-06-24-json.md
+++ b/javascript/change-notes/2021-06-24-json.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The dataflow libraries now model dataflow through more JSON utility libraries.
+  Affected packages are
+    [json2csv](https://npmjs.com/package/json2csv)
--- a/javascript/ql/src/semmle/javascript/JsonStringifiers.qll
+++ b/javascript/ql/src/semmle/javascript/JsonStringifiers.qll
@@ -34,3 +34,22 @@ class JsonStringifyCall extends DataFlow::CallNode {
   */
  DataFlow::SourceNode getOutput() { result = this }
 }
+
+/**
+ * A taint step through the [`json2csv`](https://www.npmjs.com/package/json2csv) library.
+ */
+class JSON2CSVTaintStep extends TaintTracking::SharedTaintStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call |
+      call =
+        API::moduleImport("json2csv")
+            .getMember("Parser")
+            .getInstance()
+            .getMember("parse")
+            .getACall()
+    |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -90,6 +90,7 @@ typeInferenceMismatch
 | json-stringify.js:2:16:2:23 | source() | json-stringify.js:16:8:16:38 | require ... source) |
 | json-stringify.js:2:16:2:23 | source() | json-stringify.js:17:8:17:39 | require ... source) |
 | json-stringify.js:2:16:2:23 | source() | json-stringify.js:18:8:18:40 | require ... source) |
+| json-stringify.js:2:16:2:23 | source() | json-stringify.js:21:8:21:46 | new jso ... source) |
 | json-stringify.js:3:15:3:22 | source() | json-stringify.js:8:8:8:31 | jsonStr ... (taint) |
 | nested-props.js:4:13:4:20 | source() | nested-props.js:5:10:5:14 | obj.x |
 | nested-props.js:9:18:9:25 | source() | nested-props.js:10:10:10:16 | obj.x.y |
--- a/javascript/ql/test/library-tests/TaintTracking/json-stringify.js
+++ b/javascript/ql/test/library-tests/TaintTracking/json-stringify.js
@@ -16,4 +16,7 @@ function foo() {
  sink(require("util").inspect(source)); // NOT OK
  sink(require("pretty-format")(source)); // NOT OK
  sink(require("object-inspect")(source)); // NOT OK
+  
+  const json2csv = require('json2csv');
+  sink(new json2csv.Parser(opts).parse(source)); // NOT OK
 }