recognize an access to the arguments object as library-input

2026-04-29 02:35:15 +02:00 · 2021-12-01 23:21:53 +01:00
parent 7b1ef7473e
commit d86b7f6c54
9 changed files with 44 additions and 7 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/PolynomialBackTracking.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/PolynomialBackTracking.expected
@@ -32,6 +32,7 @@
 | lib/lib.js:1:15:1:16 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
 | lib/lib.js:8:3:8:4 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
 | lib/lib.js:28:3:28:4 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
+| lib/lib.js:36:3:36:4 | f* | Strings with many repetitions of 'f' can start matching anywhere after the start of the preceeding f*g |
 | lib/moduleLib/moduleLib.js:2:3:2:4 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
 | lib/otherLib/js/src/index.js:2:3:2:4 | a* | Strings with many repetitions of 'a' can start matching anywhere after the start of the preceeding a*b |
 | lib/snapdragon.js:7:28:7:29 | a* | Strings starting with 'a' and with many repetitions of 'a' can start matching anywhere after the start of the preceeding aa*$ |
--- a/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/lib.js
+++ b/javascript/ql/test/query-tests/Security/CWE-400/ReDoS/lib/lib.js
@@ -28,4 +28,12 @@ module.exports.safe = function (x) {
 	/f*g/.test(y); // OK
 }

+module.exports.useArguments = function () {
+	usedWithArguments.apply(this, arguments);
+}
+
+function usedWithArguments(name) {
+	/f*g/.test(name); // NOT OK - bit not yet recognized [INCONSITENCY]
+}
+
 module.exports.snapdragon = require("./snapdragon")
--- a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected
@@ -26,6 +26,8 @@ nodes
 | lib.js:15:7:15:10 | path |
 | lib.js:15:7:15:13 | path[0] |
 | lib.js:20:7:20:25 | path |
+| lib.js:20:14:20:22 | arguments |
+| lib.js:20:14:20:22 | arguments |
 | lib.js:20:14:20:25 | arguments[1] |
 | lib.js:20:14:20:25 | arguments[1] |
 | lib.js:22:3:22:14 | obj[path[0]] |
@@ -45,7 +47,12 @@ nodes
 | lib.js:34:3:34:14 | obj[path[0]] |
 | lib.js:34:7:34:10 | path |
 | lib.js:34:7:34:13 | path[0] |
+| lib.js:38:9:38:36 | args |
+| lib.js:38:16:38:36 | Array.f ... uments) |
+| lib.js:38:27:38:35 | arguments |
+| lib.js:38:27:38:35 | arguments |
 | lib.js:40:7:40:20 | path |
+| lib.js:40:14:40:17 | args |
 | lib.js:40:14:40:20 | args[1] |
 | lib.js:40:14:40:20 | args[1] |
 | lib.js:42:3:42:14 | obj[path[0]] |
@@ -71,6 +78,8 @@ nodes
 | lib.js:70:17:70:20 | path |
 | lib.js:70:17:70:23 | path[0] |
 | lib.js:83:7:83:25 | path |
+| lib.js:83:14:83:22 | arguments |
+| lib.js:83:14:83:22 | arguments |
 | lib.js:83:14:83:25 | arguments[1] |
 | lib.js:83:14:83:25 | arguments[1] |
 | lib.js:86:7:86:26 | proto |
@@ -89,6 +98,8 @@ nodes
 | lib.js:95:3:95:12 | maybeProto |
 | lib.js:95:3:95:12 | maybeProto |
 | lib.js:104:7:104:24 | one |
+| lib.js:104:13:104:21 | arguments |
+| lib.js:104:13:104:21 | arguments |
 | lib.js:104:13:104:24 | arguments[1] |
 | lib.js:104:13:104:24 | arguments[1] |
 | lib.js:108:3:108:10 | obj[one] |
@@ -183,6 +194,8 @@ edges
 | lib.js:15:7:15:13 | path[0] | lib.js:15:3:15:14 | obj[path[0]] |
 | lib.js:15:7:15:13 | path[0] | lib.js:15:3:15:14 | obj[path[0]] |
 | lib.js:20:7:20:25 | path | lib.js:22:7:22:10 | path |
+| lib.js:20:14:20:22 | arguments | lib.js:20:14:20:25 | arguments[1] |
+| lib.js:20:14:20:22 | arguments | lib.js:20:14:20:25 | arguments[1] |
 | lib.js:20:14:20:25 | arguments[1] | lib.js:20:7:20:25 | path |
 | lib.js:20:14:20:25 | arguments[1] | lib.js:20:7:20:25 | path |
 | lib.js:22:7:22:10 | path | lib.js:22:7:22:13 | path[0] |
@@ -199,7 +212,12 @@ edges
 | lib.js:34:7:34:10 | path | lib.js:34:7:34:13 | path[0] |
 | lib.js:34:7:34:13 | path[0] | lib.js:34:3:34:14 | obj[path[0]] |
 | lib.js:34:7:34:13 | path[0] | lib.js:34:3:34:14 | obj[path[0]] |
+| lib.js:38:9:38:36 | args | lib.js:40:14:40:17 | args |
+| lib.js:38:16:38:36 | Array.f ... uments) | lib.js:38:9:38:36 | args |
+| lib.js:38:27:38:35 | arguments | lib.js:38:16:38:36 | Array.f ... uments) |
+| lib.js:38:27:38:35 | arguments | lib.js:38:16:38:36 | Array.f ... uments) |
 | lib.js:40:7:40:20 | path | lib.js:42:7:42:10 | path |
+| lib.js:40:14:40:17 | args | lib.js:40:14:40:20 | args[1] |
 | lib.js:40:14:40:20 | args[1] | lib.js:40:7:40:20 | path |
 | lib.js:40:14:40:20 | args[1] | lib.js:40:7:40:20 | path |
 | lib.js:42:7:42:10 | path | lib.js:42:7:42:13 | path[0] |
@@ -222,6 +240,8 @@ edges
 | lib.js:70:17:70:23 | path[0] | lib.js:70:13:70:24 | obj[path[0]] |
 | lib.js:70:17:70:23 | path[0] | lib.js:70:13:70:24 | obj[path[0]] |
 | lib.js:83:7:83:25 | path | lib.js:86:19:86:22 | path |
+| lib.js:83:14:83:22 | arguments | lib.js:83:14:83:25 | arguments[1] |
+| lib.js:83:14:83:22 | arguments | lib.js:83:14:83:25 | arguments[1] |
 | lib.js:83:14:83:25 | arguments[1] | lib.js:83:7:83:25 | path |
 | lib.js:83:14:83:25 | arguments[1] | lib.js:83:7:83:25 | path |
 | lib.js:86:7:86:26 | proto | lib.js:87:10:87:14 | proto |
@@ -238,6 +258,8 @@ edges
 | lib.js:91:20:91:28 | obj[path] | lib.js:91:7:91:28 | maybeProto |
 | lib.js:91:24:91:27 | path | lib.js:91:20:91:28 | obj[path] |
 | lib.js:104:7:104:24 | one | lib.js:108:7:108:9 | one |
+| lib.js:104:13:104:21 | arguments | lib.js:104:13:104:24 | arguments[1] |
+| lib.js:104:13:104:21 | arguments | lib.js:104:13:104:24 | arguments[1] |
 | lib.js:104:13:104:24 | arguments[1] | lib.js:104:7:104:24 | one |
 | lib.js:104:13:104:24 | arguments[1] | lib.js:104:7:104:24 | one |
 | lib.js:108:7:108:9 | one | lib.js:108:3:108:10 | obj[one] |
@@ -299,12 +321,16 @@ edges
 #select
 | lib.js:6:7:6:9 | obj | lib.js:1:43:1:46 | path | lib.js:6:7:6:9 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:1:43:1:46 | path | library input |
 | lib.js:15:3:15:14 | obj[path[0]] | lib.js:14:38:14:41 | path | lib.js:15:3:15:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:14:38:14:41 | path | library input |
+| lib.js:22:3:22:14 | obj[path[0]] | lib.js:20:14:20:22 | arguments | lib.js:22:3:22:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:20:14:20:22 | arguments | library input |
 | lib.js:22:3:22:14 | obj[path[0]] | lib.js:20:14:20:25 | arguments[1] | lib.js:22:3:22:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:20:14:20:25 | arguments[1] | library input |
 | lib.js:26:10:26:21 | obj[path[0]] | lib.js:25:44:25:47 | path | lib.js:26:10:26:21 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:25:44:25:47 | path | library input |
 | lib.js:34:3:34:14 | obj[path[0]] | lib.js:32:14:32:20 | args[1] | lib.js:34:3:34:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:32:14:32:20 | args[1] | library input |
+| lib.js:42:3:42:14 | obj[path[0]] | lib.js:38:27:38:35 | arguments | lib.js:42:3:42:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:38:27:38:35 | arguments | library input |
 | lib.js:42:3:42:14 | obj[path[0]] | lib.js:40:14:40:20 | args[1] | lib.js:42:3:42:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:40:14:40:20 | args[1] | library input |
 | lib.js:70:13:70:24 | obj[path[0]] | lib.js:59:18:59:18 | s | lib.js:70:13:70:24 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:59:18:59:18 | s | library input |
+| lib.js:87:10:87:14 | proto | lib.js:83:14:83:22 | arguments | lib.js:87:10:87:14 | proto | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:83:14:83:22 | arguments | library input |
 | lib.js:87:10:87:14 | proto | lib.js:83:14:83:25 | arguments[1] | lib.js:87:10:87:14 | proto | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:83:14:83:25 | arguments[1] | library input |
+| lib.js:108:3:108:10 | obj[one] | lib.js:104:13:104:21 | arguments | lib.js:108:3:108:10 | obj[one] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:104:13:104:21 | arguments | library input |
 | lib.js:108:3:108:10 | obj[one] | lib.js:104:13:104:24 | arguments[1] | lib.js:108:3:108:10 | obj[one] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:104:13:104:24 | arguments[1] | library input |
 | lib.js:119:13:119:24 | obj[path[0]] | lib.js:118:29:118:32 | path | lib.js:119:13:119:24 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:118:29:118:32 | path | library input |
 | sublib/sub.js:2:3:2:14 | obj[path[0]] | sublib/sub.js:1:37:1:40 | path | sublib/sub.js:2:3:2:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | sublib/sub.js:1:37:1:40 | path | library input |