JS: Proto pollution: Add is-plain-object sanitizer

Asger Feldthaus
2020-02-21 14:38:33 +00:00
parent ee5cf95f5b
commit d1df251b92
2 changed files with 32 additions and 1 deletions


@@ -199,7 +199,8 @@ class PropNameTracking extends DataFlow::Configuration {
node instanceof InstanceOfGuard or
node instanceof TypeofGuard or
node instanceof BlacklistInclusionGuard or
node instanceof WhitelistInclusionGuard
node instanceof WhitelistInclusionGuard or
node instanceof IsPlainObjectGuard
}
}
@@ -374,6 +375,25 @@ class WhitelistInclusionGuard extends DataFlow::LabeledBarrierGuardNode {
}
}
/**
* A check of form `isPlainObject(e)` or similar, which sanitizes the `constructor`
* payload in the true case, since it rejects objects with a non-standard `constructor`
* property.
*/
class IsPlainObjectGuard extends DataFlow::LabeledBarrierGuardNode, DataFlow::CallNode {
IsPlainObjectGuard() {
exists(string name | name = "is-plain-object" or name = "is-extendable" |
this = moduleImport(name).getACall()
)
}
override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel lbl) {
e = getArgument(0).asExpr() and
outcome = true and
lbl = "constructor"
}
}
/**
* Gets a meaningful name for `node` if possible.
*/