From fd293d07d7cfed26d1ce53d28f4c5cce992da2cf Mon Sep 17 00:00:00 2001
From: Asger Feldthaus
Date: Wed, 9 Dec 2020 09:58:52 +0000
Subject: [PATCH] JS: Address doc review
---
 javascript/change-notes/2020-11-25-prototype-pollution.md | 2 +-
 .../ql/src/Security/CWE-915/PrototypePollutingAssignment.ql | 3 ++-
 .../ql/src/Security/CWE-915/PrototypePollutingFunction.ql | 1 +
 .../ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql | 1 +
 4 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/javascript/change-notes/2020-11-25-prototype-pollution.md b/javascript/change-notes/2020-11-25-prototype-pollution.md
index f945ae89332..e550c93fe20 100644
--- a/javascript/change-notes/2020-11-25-prototype-pollution.md
+++ b/javascript/change-notes/2020-11-25-prototype-pollution.md
@@ -6,6 +6,6 @@ lgtm,codescanning
 This highlights indirect modification of `Object.prototype` via an unsafe `merge` call taking a user-controlled object as argument.
 * The query previously named "Prototype pollution in utility function" (`js/prototype-pollution-utility`) has been renamed to "Prototype-polluting function". This query highlights the implementation of an unsafe `merge` function, to ensure a robust API is exposed downstream.
- * The above queries have been moved to the Security/CWE-915 folder, and tagged with CWE-079, CWE-094, CWE-400, and CWE-915.
+ * The above queries have been moved to the Security/CWE-915 folder, and assigned the following tags: CWE-078, CWE-079, CWE-094, CWE-400, and CWE-915.
 * The query "Type confusion through parameter tampering" (`js/type-confusion-through-parameter-tampering`) now highlights ineffective prototype pollution checks that can be bypassed by type confusion.
diff --git a/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql b/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
index 310e7b05830..cc611640527 100644
--- a/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
+++ b/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
@@ -1,7 +1,7 @@
 /**
 * @name Prototype-polluting assignment
 * @description Modifying an object obtained via a user-controlled property name may
- * lead to accidental modification of the built-in Object.prototype,
+ * lead to accidental mutation of the built-in Object prototype,
 * and possibly escalate to remote code execution or cross-site scripting.
 * @kind path-problem
 * @problem.severity warning
@@ -9,6 +9,7 @@
 * @id js/prototype-polluting-assignment
 * @tags security
 * external/cwe/cwe-078
+ * external/cwe/cwe-079
 * external/cwe/cwe-094
 * external/cwe/cwe-400
 * external/cwe/cwe-915
diff --git a/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql b/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
index e3fb4129749..f1dc8a33d27 100644
--- a/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
+++ b/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
@@ -8,6 +8,7 @@
 * @id js/prototype-pollution-utility
 * @tags security
 * external/cwe/cwe-078
+ * external/cwe/cwe-079
 * external/cwe/cwe-094
 * external/cwe/cwe-400
 * external/cwe/cwe-915
diff --git a/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql b/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql
index 7d541bb01d7..80a99563918 100644
--- a/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql
+++ b/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql
@@ -9,6 +9,7 @@
 * @id js/prototype-pollution
 * @tags security
 * external/cwe/cwe-078
+ * external/cwe/cwe-079
 * external/cwe/cwe-094
 * external/cwe/cwe-400
 * external/cwe/cwe-915
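Review bot: The `@description` in the first hunk of PrototypePollutingAssignment.ql now justifies the added `external/cwe/cwe-079` tag (cross-site scripting) and the existing `cwe-094` (remote code execution), but the same tag block also carries `cwe-078` and `cwe-400`, which the description does not mention; the same tag set is repeated in PrototypePollutingFunction.ql and PrototypePollutingMergeCall.ql. If the qhelp for these queries does not already explain the command-injection and denial-of-service consequences (I cannot see it from this patch), a short clause in the description would keep the tags and the wording aligned, e.g. `* and possibly escalate to denial of service, command injection, remote code execution or cross-site scripting.`. The tag change itself is consistent with the updated change note.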