recognize object transformations in module.exports when looking for library inputs

2026-05-04 21:25:44 +02:00 · 2021-03-18 20:54:33 +01:00
parent 28ad667578
commit d489d63b8e
4 changed files with 99 additions and 2 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
@@ -209,6 +209,10 @@ nodes
 | lib/lib.js:413:39:413:42 | name |
 | lib/lib.js:414:24:414:27 | name |
 | lib/lib.js:414:24:414:27 | name |
+| lib/lib.js:418:20:418:23 | name |
+| lib/lib.js:418:20:418:23 | name |
+| lib/lib.js:419:25:419:28 | name |
+| lib/lib.js:419:25:419:28 | name |
 edges
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
 | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name |
@@ -452,6 +456,10 @@ edges
 | lib/lib.js:413:39:413:42 | name | lib/lib.js:414:24:414:27 | name |
 | lib/lib.js:413:39:413:42 | name | lib/lib.js:414:24:414:27 | name |
 | lib/lib.js:413:39:413:42 | name | lib/lib.js:414:24:414:27 | name |
+| lib/lib.js:418:20:418:23 | name | lib/lib.js:419:25:419:28 | name |
+| lib/lib.js:418:20:418:23 | name | lib/lib.js:419:25:419:28 | name |
+| lib/lib.js:418:20:418:23 | name | lib/lib.js:419:25:419:28 | name |
+| lib/lib.js:418:20:418:23 | name | lib/lib.js:419:25:419:28 | name |
 #select
 | lib/lib2.js:4:10:4:25 | "rm -rf " + name | lib/lib2.js:3:28:3:31 | name | lib/lib2.js:4:22:4:25 | name | $@ based on library input is later used in $@. | lib/lib2.js:4:10:4:25 | "rm -rf " + name | String concatenation | lib/lib2.js:4:2:4:26 | cp.exec ... + name) | shell command |
 | lib/lib2.js:8:10:8:25 | "rm -rf " + name | lib/lib2.js:7:32:7:35 | name | lib/lib2.js:8:22:8:25 | name | $@ based on library input is later used in $@. | lib/lib2.js:8:10:8:25 | "rm -rf " + name | String concatenation | lib/lib2.js:8:2:8:26 | cp.exec ... + name) | shell command |
@@ -511,3 +519,4 @@ edges
 | lib/lib.js:366:17:366:56 | "learn  ... + model | lib/lib.js:360:20:360:23 | opts | lib/lib.js:366:28:366:42 | this.learn_args | $@ based on library input is later used in $@. | lib/lib.js:366:17:366:56 | "learn  ... + model | String concatenation | lib/lib.js:367:3:367:18 | cp.exec(command) | shell command |
 | lib/lib.js:406:10:406:25 | "rm -rf " + name | lib/lib.js:405:39:405:42 | name | lib/lib.js:406:22:406:25 | name | $@ based on library input is later used in $@. | lib/lib.js:406:10:406:25 | "rm -rf " + name | String concatenation | lib/lib.js:406:2:406:26 | cp.exec ... + name) | shell command |
 | lib/lib.js:414:12:414:27 | "rm -rf " + name | lib/lib.js:413:39:413:42 | name | lib/lib.js:414:24:414:27 | name | $@ based on library input is later used in $@. | lib/lib.js:414:12:414:27 | "rm -rf " + name | String concatenation | lib/lib.js:414:2:414:28 | asyncEx ... + name) | shell command |
+| lib/lib.js:419:13:419:28 | "rm -rf " + name | lib/lib.js:418:20:418:23 | name | lib/lib.js:419:25:419:28 | name | $@ based on library input is later used in $@. | lib/lib.js:419:13:419:28 | "rm -rf " + name | String concatenation | lib/lib.js:419:3:419:29 | asyncEx ... + name) | shell command |
--- a/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
+++ b/javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
@@ -412,4 +412,31 @@ module.exports.sanitizer3 = function (name) {
 var asyncExec = require("async-execute");
 module.exports.asyncStuff = function (name) {
 	asyncExec("rm -rf " + name); // NOT OK
-}
+}
+
+const myFuncs = {
+	myFunc: function (name) {
+		asyncExec("rm -rf " + name); // NOT OK
+	}
+};
+
+module.exports.blabity = {};
+
+Object.defineProperties(
+	module.exports.blabity,
+	Object.assign(
+		{},
+		Object.entries(myFuncs).reduce(
+			(props, [ key, value ]) => Object.assign(
+				props,
+				{
+					[key]: {
+						value,
+						configurable: true,
+					},
+				},
+			),
+			{}
+		)
+	)
+);