Fixed issue where TaintTracking was not catching matchAll vulnerability

This commit is contained in:
Napalys
2024-11-07 13:40:10 +01:00
parent a4fe728af2
commit dbd57e3870
3 changed files with 26 additions and 2 deletions


@@ -716,7 +716,7 @@ module TaintTracking {
pragma[nomagic]
private DataFlow::MethodCallNode matchMethodCall() {
result.getMethodName() = "match" and
result.getMethodName() = ["match", "matchAll"] and
exists(DataFlow::AnalyzedNode analyzed |
pragma[only_bind_into](analyzed) = result.getArgument(0).analyze() and
analyzed.getAType() = TTRegExp()
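Review bot: The widened `result.getMethodName() = ["match", "matchAll"]` line makes matchMethodCall cover two calls with different result shapes without saying so: `match` returns an array (or null), whereas `matchAll` returns an iterator of match arrays, so tainted strings only surface once the caller iterates or spreads the result. Whether the surrounding flow steps carry taint through that iteration is not visible in this hunk, so it is worth stating the assumption next to the predicate; a one-line note such as `// Also covers matchAll, whose result is an iterator of match arrays rather than an array.` would do, and the QLDoc above `pragma[nomagic]`, if there is one, should mention matchAll as well. The predicate body continues past the end of the hunk.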


@@ -94,6 +94,18 @@ nodes
| logInjectionBad.js:99:26:99:33 | username |
| logInjectionBad.js:113:37:113:44 | username |
| logInjectionBad.js:113:37:113:44 | username |
| logInjectionBad.js:122:9:122:58 | username |
| logInjectionBad.js:122:20:122:43 | url.par ... , true) |
| logInjectionBad.js:122:20:122:49 | url.par ... ).query |
| logInjectionBad.js:122:20:122:58 | url.par ... sername |
| logInjectionBad.js:122:30:122:36 | req.url |
| logInjectionBad.js:122:30:122:36 | req.url |
| logInjectionBad.js:123:9:123:46 | otherStr |
| logInjectionBad.js:123:20:123:27 | username |
| logInjectionBad.js:123:20:123:43 | usernam ... (/.*/g) |
| logInjectionBad.js:123:20:123:46 | usernam ... */g)[0] |
| logInjectionBad.js:124:17:124:24 | otherStr |
| logInjectionBad.js:124:17:124:24 | otherStr |
edges
| logInjectionBad.js:19:9:19:36 | q | logInjectionBad.js:20:20:20:20 | q |
| logInjectionBad.js:19:13:19:36 | url.par ... , true) | logInjectionBad.js:19:9:19:36 | q |
@@ -186,6 +198,17 @@ edges
| logInjectionBad.js:73:20:73:20 | q | logInjectionBad.js:73:20:73:26 | q.query |
| logInjectionBad.js:73:20:73:26 | q.query | logInjectionBad.js:73:20:73:35 | q.query.username |
| logInjectionBad.js:73:20:73:35 | q.query.username | logInjectionBad.js:73:9:73:35 | username |
| logInjectionBad.js:122:9:122:58 | username | logInjectionBad.js:123:20:123:27 | username |
| logInjectionBad.js:122:20:122:43 | url.par ... , true) | logInjectionBad.js:122:20:122:49 | url.par ... ).query |
| logInjectionBad.js:122:20:122:49 | url.par ... ).query | logInjectionBad.js:122:20:122:58 | url.par ... sername |
| logInjectionBad.js:122:20:122:58 | url.par ... sername | logInjectionBad.js:122:9:122:58 | username |
| logInjectionBad.js:122:30:122:36 | req.url | logInjectionBad.js:122:20:122:43 | url.par ... , true) |
| logInjectionBad.js:122:30:122:36 | req.url | logInjectionBad.js:122:20:122:43 | url.par ... , true) |
| logInjectionBad.js:123:9:123:46 | otherStr | logInjectionBad.js:124:17:124:24 | otherStr |
| logInjectionBad.js:123:9:123:46 | otherStr | logInjectionBad.js:124:17:124:24 | otherStr |
| logInjectionBad.js:123:20:123:27 | username | logInjectionBad.js:123:20:123:43 | usernam ... (/.*/g) |
| logInjectionBad.js:123:20:123:43 | usernam ... (/.*/g) | logInjectionBad.js:123:20:123:46 | usernam ... */g)[0] |
| logInjectionBad.js:123:20:123:46 | usernam ... */g)[0] | logInjectionBad.js:123:9:123:46 | otherStr |
#select
| logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | Log entry depends on a $@. | logInjectionBad.js:19:23:19:29 | req.url | user-provided value |
| logInjectionBad.js:23:37:23:44 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:23:37:23:44 | username | Log entry depends on a $@. | logInjectionBad.js:19:23:19:29 | req.url | user-provided value |
@@ -208,3 +231,4 @@ edges
| logInjectionBad.js:91:26:91:33 | username | logInjectionBad.js:72:23:72:29 | req.url | logInjectionBad.js:91:26:91:33 | username | Log entry depends on a $@. | logInjectionBad.js:72:23:72:29 | req.url | user-provided value |
| logInjectionBad.js:99:26:99:33 | username | logInjectionBad.js:72:23:72:29 | req.url | logInjectionBad.js:99:26:99:33 | username | Log entry depends on a $@. | logInjectionBad.js:72:23:72:29 | req.url | user-provided value |
| logInjectionBad.js:113:37:113:44 | username | logInjectionBad.js:72:23:72:29 | req.url | logInjectionBad.js:113:37:113:44 | username | Log entry depends on a $@. | logInjectionBad.js:72:23:72:29 | req.url | user-provided value |
| logInjectionBad.js:124:17:124:24 | otherStr | logInjectionBad.js:122:30:122:36 | req.url | logInjectionBad.js:124:17:124:24 | otherStr | Log entry depends on a $@. | logInjectionBad.js:122:30:122:36 | req.url | user-provided value |


@@ -120,6 +120,6 @@ const server4 = http.createServer((req, res) => {
const serverMatchAll = http.createServer((req, res) => {
let username = url.parse(req.url, true).query.username;
let otherStr = username.matchAll(/.*/g)[0]; // BAD - this is suppose to be cought by Taint Tracking, works for match but not matchAll
let otherStr = username.matchAll(/.*/g)[0]; // BAD
console.log(otherStr);
});
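Review bot: `username.matchAll(/.*/g)[0]` on the new `otherStr` line evaluates to `undefined` at runtime, because `String.prototype.matchAll` returns an iterator rather than an array, so the value reaching `console.log` never actually holds the user-provided string and the test does not exercise the shape in which tainted matchAll output reaches a sink. A form that goes through the iterator would be `let otherStr = [...username.matchAll(/.*/g)][0][0]; // BAD`, or `for (const m of username.matchAll(/.*/g))` with `console.log(m[0])` in the loop. Whether the query's flow steps propagate taint through the spread or the loop is not shown by this hunk, so the expected-output file would need to be regenerated after such a change.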