add model for xml-js

2026-04-26 17:25:19 +02:00 · 2021-02-04 18:16:19 +01:00
parent 73f7cd149f
commit e2a66bf3ed
3 changed files with 25 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/XmlParsers.qll
@@ -226,6 +226,27 @@ module XML {
    }
  }

+  /**
+   * An invocation of `xml-js`.
+   */
+  private class XmlJSInvocation extends XML::ParserInvocation {
+    XmlJSInvocation() {
+      this =
+        js::DataFlow::moduleMember("xml-js", ["xml2json", "xml2js", "json2xml", "js2xml"])
+            .getACall()
+            .asExpr()
+    }
+
+    override js::Expr getSourceArgument() { result = getArgument(0) }
+
+    override predicate resolvesEntities(XML::EntityKind kind) {
+      // xml-js does not expand custom entities.
+      none()
+    }
+
+    override js::DataFlow::Node getAResult() { result.asExpr() = this }
+  }
+
  private class XMLParserTaintStep extends js::TaintTracking::AdditionalTaintStep {
    XML::ParserInvocation parser;