hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-02 12:15:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

add values written to the global scope as exports

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2021-09-06 14:27:17 +02:00
parent 91b03f56ad
commit d1d4ebb3b5
3 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
javascript/ql/lib/semmle/javascript/PackageExports.qll
View File

@@ -216,6 +216,10 @@ private DataFlow::Node getAnExportFromModule(Module mod) {
or
result = mod.getABulkExportedNode()
or
// exports saved to the global object
result = DataFlow::globalObjectRef().getAPropertyWrite().getRhs() and
result.getTopLevel() = mod
or
result.analyze().getAValue() = TAbstractModuleObject(mod)
}

9
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/UnsafeCodeConstruction.expected
View File

@@ -7,6 +7,10 @@ nodes
| lib/index.js:5:35:5:38 | name |
| lib/index.js:6:26:6:29 | name |
| lib/index.js:6:26:6:29 | name |
| lib/index.js:13:38:13:41 | data |
| lib/index.js:13:38:13:41 | data |
| lib/index.js:14:21:14:24 | data |
| lib/index.js:14:21:14:24 | data |
edges
| lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
| lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
@@ -16,6 +20,11 @@ edges
| lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name |
| lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name |
| lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name |
| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
#select
| lib/index.js:2:21:2:24 | data | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data | $@ flows to here and is later $@. | lib/index.js:1:35:1:38 | data | Library input | lib/index.js:2:15:2:30 | "(" + data + ")" | interpreted as code |
| lib/index.js:6:26:6:29 | name | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name | $@ flows to here and is later $@. | lib/index.js:5:35:5:38 | name | Library input | lib/index.js:6:17:6:29 | "obj." + name | interpreted as code |
| lib/index.js:14:21:14:24 | data | lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data | $@ flows to here and is later $@. | lib/index.js:13:38:13:41 | data | Library input | lib/index.js:14:15:14:30 | "(" + data + ")" | interpreted as code |

4
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js
View File

@@ -9,3 +9,7 @@ export function unsafeGetter(obj, name) {
export function safeAssignment(obj, value) {
eval("obj.foo = " + JSON.stringify(value)); // OK
}
global.unsafeDeserialize = function (data) {
return eval("(" + data + ")"); // NOT OK
}