add taint step through the chalk library

This commit is contained in:
Erik Krogh Kristensen
2021-06-22 23:28:17 +02:00
parent 053d9b5564
commit fe76341820
4 changed files with 102 additions and 80 deletions


@@ -8,4 +8,5 @@ lgtm,codescanning
[cli-highlight](https://npmjs.com/package/cli-highlight),
[cli-color](https://npmjs.com/package/cli-color),
[slice-ansi](https://npmjs.com/package/slice-ansi),
[kleur](https://npmjs.com/package/kleur)
[kleur](https://npmjs.com/package/kleur),
[chalk](https://npmjs.com/package/chalk)


@@ -308,3 +308,15 @@ class KleurStep extends TaintTracking::SharedTaintStep {
)
}
}
/**
* A step through the [`chalk`](https://npmjs.org/package/chalk) library.
*/
class ChalkStep extends TaintTracking::SharedTaintStep {
override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(API::CallNode call | call = API::moduleImport("chalk").getAMember*().getACall() |
pred = call.getArgument(0) and
succ = call
)
}
}
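Review bot: `pred = call.getArgument(0)` in ChalkStep.stringManipulationStep only carries taint out of the first argument, but chalk's styling functions accept several arguments and concatenate them into the returned string, so a tainted value passed in any later position is dropped at this call. Unless the KleurStep above intentionally restricts itself to the first argument and this step is meant to mirror it, `pred = call.getAnArgument() and` would cover every argument position. The fixture line added in logInjectionBad.js only exercises the chained single-argument form, so the current test would not expose this gap.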


@@ -22,42 +22,45 @@ nodes
| logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
| logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
| logInjectionBad.js:30:42:30:46 | error |
| logInjectionBad.js:44:9:44:36 | q |
| logInjectionBad.js:44:13:44:36 | url.par ... , true) |
| logInjectionBad.js:44:23:44:29 | req.url |
| logInjectionBad.js:44:23:44:29 | req.url |
| logInjectionBad.js:45:9:45:35 | username |
| logInjectionBad.js:45:20:45:20 | q |
| logInjectionBad.js:45:20:45:26 | q.query |
| logInjectionBad.js:45:20:45:35 | q.query.username |
| logInjectionBad.js:47:18:47:54 | ansiCol ... ername) |
| logInjectionBad.js:47:18:47:54 | ansiCol ... ername) |
| logInjectionBad.js:47:46:47:53 | username |
| logInjectionBad.js:48:18:48:47 | colors. ... ername) |
| logInjectionBad.js:48:18:48:47 | colors. ... ername) |
| logInjectionBad.js:48:39:48:46 | username |
| logInjectionBad.js:49:18:49:61 | wrapAns ... e), 20) |
| logInjectionBad.js:49:18:49:61 | wrapAns ... e), 20) |
| logInjectionBad.js:49:27:49:56 | colors. ... ername) |
| logInjectionBad.js:49:48:49:55 | username |
| logInjectionBad.js:50:17:50:47 | underli ... name))) |
| logInjectionBad.js:50:17:50:47 | underli ... name))) |
| logInjectionBad.js:50:27:50:46 | bold(blue(username)) |
| logInjectionBad.js:50:32:50:45 | blue(username) |
| logInjectionBad.js:50:37:50:44 | username |
| logInjectionBad.js:51:17:51:76 | highlig ... true}) |
| logInjectionBad.js:51:17:51:76 | highlig ... true}) |
| logInjectionBad.js:51:27:51:34 | username |
| logInjectionBad.js:52:17:52:51 | clc.red ... ername) |
| logInjectionBad.js:52:17:52:51 | clc.red ... ername) |
| logInjectionBad.js:52:43:52:50 | username |
| logInjectionBad.js:53:17:53:65 | sliceAn ... 20, 30) |
| logInjectionBad.js:53:17:53:65 | sliceAn ... 20, 30) |
| logInjectionBad.js:53:27:53:56 | colors. ... ername) |
| logInjectionBad.js:53:48:53:55 | username |
| logInjectionBad.js:54:17:54:55 | kleur.b ... ername) |
| logInjectionBad.js:54:17:54:55 | kleur.b ... ername) |
| logInjectionBad.js:54:47:54:54 | username |
| logInjectionBad.js:45:9:45:36 | q |
| logInjectionBad.js:45:13:45:36 | url.par ... , true) |
| logInjectionBad.js:45:23:45:29 | req.url |
| logInjectionBad.js:45:23:45:29 | req.url |
| logInjectionBad.js:46:9:46:35 | username |
| logInjectionBad.js:46:20:46:20 | q |
| logInjectionBad.js:46:20:46:26 | q.query |
| logInjectionBad.js:46:20:46:35 | q.query.username |
| logInjectionBad.js:48:18:48:54 | ansiCol ... ername) |
| logInjectionBad.js:48:18:48:54 | ansiCol ... ername) |
| logInjectionBad.js:48:46:48:53 | username |
| logInjectionBad.js:49:18:49:47 | colors. ... ername) |
| logInjectionBad.js:49:18:49:47 | colors. ... ername) |
| logInjectionBad.js:49:39:49:46 | username |
| logInjectionBad.js:50:18:50:61 | wrapAns ... e), 20) |
| logInjectionBad.js:50:18:50:61 | wrapAns ... e), 20) |
| logInjectionBad.js:50:27:50:56 | colors. ... ername) |
| logInjectionBad.js:50:48:50:55 | username |
| logInjectionBad.js:51:17:51:47 | underli ... name))) |
| logInjectionBad.js:51:17:51:47 | underli ... name))) |
| logInjectionBad.js:51:27:51:46 | bold(blue(username)) |
| logInjectionBad.js:51:32:51:45 | blue(username) |
| logInjectionBad.js:51:37:51:44 | username |
| logInjectionBad.js:52:17:52:76 | highlig ... true}) |
| logInjectionBad.js:52:17:52:76 | highlig ... true}) |
| logInjectionBad.js:52:27:52:34 | username |
| logInjectionBad.js:53:17:53:51 | clc.red ... ername) |
| logInjectionBad.js:53:17:53:51 | clc.red ... ername) |
| logInjectionBad.js:53:43:53:50 | username |
| logInjectionBad.js:54:17:54:65 | sliceAn ... 20, 30) |
| logInjectionBad.js:54:17:54:65 | sliceAn ... 20, 30) |
| logInjectionBad.js:54:27:54:56 | colors. ... ername) |
| logInjectionBad.js:54:48:54:55 | username |
| logInjectionBad.js:55:17:55:55 | kleur.b ... ername) |
| logInjectionBad.js:55:17:55:55 | kleur.b ... ername) |
| logInjectionBad.js:55:47:55:54 | username |
| logInjectionBad.js:56:17:56:48 | chalk.u ... ername) |
| logInjectionBad.js:56:17:56:48 | chalk.u ... ername) |
| logInjectionBad.js:56:40:56:47 | username |
edges
| logInjectionBad.js:19:9:19:36 | q | logInjectionBad.js:20:20:20:20 | q |
| logInjectionBad.js:19:13:19:36 | url.par ... , true) | logInjectionBad.js:19:9:19:36 | q |
@@ -81,52 +84,56 @@ edges
| logInjectionBad.js:29:14:29:18 | error | logInjectionBad.js:30:42:30:46 | error |
| logInjectionBad.js:30:42:30:46 | error | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
| logInjectionBad.js:30:42:30:46 | error | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
| logInjectionBad.js:44:9:44:36 | q | logInjectionBad.js:45:20:45:20 | q |
| logInjectionBad.js:44:13:44:36 | url.par ... , true) | logInjectionBad.js:44:9:44:36 | q |
| logInjectionBad.js:44:23:44:29 | req.url | logInjectionBad.js:44:13:44:36 | url.par ... , true) |
| logInjectionBad.js:44:23:44:29 | req.url | logInjectionBad.js:44:13:44:36 | url.par ... , true) |
| logInjectionBad.js:45:9:45:35 | username | logInjectionBad.js:47:46:47:53 | username |
| logInjectionBad.js:45:9:45:35 | username | logInjectionBad.js:48:39:48:46 | username |
| logInjectionBad.js:45:9:45:35 | username | logInjectionBad.js:49:48:49:55 | username |
| logInjectionBad.js:45:9:45:35 | username | logInjectionBad.js:50:37:50:44 | username |
| logInjectionBad.js:45:9:45:35 | username | logInjectionBad.js:51:27:51:34 | username |
| logInjectionBad.js:45:9:45:35 | username | logInjectionBad.js:52:43:52:50 | username |
| logInjectionBad.js:45:9:45:35 | username | logInjectionBad.js:53:48:53:55 | username |
| logInjectionBad.js:45:9:45:35 | username | logInjectionBad.js:54:47:54:54 | username |
| logInjectionBad.js:45:20:45:20 | q | logInjectionBad.js:45:20:45:26 | q.query |
| logInjectionBad.js:45:20:45:26 | q.query | logInjectionBad.js:45:20:45:35 | q.query.username |
| logInjectionBad.js:45:20:45:35 | q.query.username | logInjectionBad.js:45:9:45:35 | username |
| logInjectionBad.js:47:46:47:53 | username | logInjectionBad.js:47:18:47:54 | ansiCol ... ername) |
| logInjectionBad.js:47:46:47:53 | username | logInjectionBad.js:47:18:47:54 | ansiCol ... ername) |
| logInjectionBad.js:48:39:48:46 | username | logInjectionBad.js:48:18:48:47 | colors. ... ername) |
| logInjectionBad.js:48:39:48:46 | username | logInjectionBad.js:48:18:48:47 | colors. ... ername) |
| logInjectionBad.js:49:27:49:56 | colors. ... ername) | logInjectionBad.js:49:18:49:61 | wrapAns ... e), 20) |
| logInjectionBad.js:49:27:49:56 | colors. ... ername) | logInjectionBad.js:49:18:49:61 | wrapAns ... e), 20) |
| logInjectionBad.js:49:48:49:55 | username | logInjectionBad.js:49:27:49:56 | colors. ... ername) |
| logInjectionBad.js:50:27:50:46 | bold(blue(username)) | logInjectionBad.js:50:17:50:47 | underli ... name))) |
| logInjectionBad.js:50:27:50:46 | bold(blue(username)) | logInjectionBad.js:50:17:50:47 | underli ... name))) |
| logInjectionBad.js:50:32:50:45 | blue(username) | logInjectionBad.js:50:27:50:46 | bold(blue(username)) |
| logInjectionBad.js:50:37:50:44 | username | logInjectionBad.js:50:32:50:45 | blue(username) |
| logInjectionBad.js:51:27:51:34 | username | logInjectionBad.js:51:17:51:76 | highlig ... true}) |
| logInjectionBad.js:51:27:51:34 | username | logInjectionBad.js:51:17:51:76 | highlig ... true}) |
| logInjectionBad.js:52:43:52:50 | username | logInjectionBad.js:52:17:52:51 | clc.red ... ername) |
| logInjectionBad.js:52:43:52:50 | username | logInjectionBad.js:52:17:52:51 | clc.red ... ername) |
| logInjectionBad.js:53:27:53:56 | colors. ... ername) | logInjectionBad.js:53:17:53:65 | sliceAn ... 20, 30) |
| logInjectionBad.js:53:27:53:56 | colors. ... ername) | logInjectionBad.js:53:17:53:65 | sliceAn ... 20, 30) |
| logInjectionBad.js:53:48:53:55 | username | logInjectionBad.js:53:27:53:56 | colors. ... ername) |
| logInjectionBad.js:54:47:54:54 | username | logInjectionBad.js:54:17:54:55 | kleur.b ... ername) |
| logInjectionBad.js:54:47:54:54 | username | logInjectionBad.js:54:17:54:55 | kleur.b ... ername) |
| logInjectionBad.js:45:9:45:36 | q | logInjectionBad.js:46:20:46:20 | q |
| logInjectionBad.js:45:13:45:36 | url.par ... , true) | logInjectionBad.js:45:9:45:36 | q |
| logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:45:13:45:36 | url.par ... , true) |
| logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:45:13:45:36 | url.par ... , true) |
| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:48:46:48:53 | username |
| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:49:39:49:46 | username |
| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:50:48:50:55 | username |
| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:51:37:51:44 | username |
| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:52:27:52:34 | username |
| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:53:43:53:50 | username |
| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:54:48:54:55 | username |
| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:55:47:55:54 | username |
| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:56:40:56:47 | username |
| logInjectionBad.js:46:20:46:20 | q | logInjectionBad.js:46:20:46:26 | q.query |
| logInjectionBad.js:46:20:46:26 | q.query | logInjectionBad.js:46:20:46:35 | q.query.username |
| logInjectionBad.js:46:20:46:35 | q.query.username | logInjectionBad.js:46:9:46:35 | username |
| logInjectionBad.js:48:46:48:53 | username | logInjectionBad.js:48:18:48:54 | ansiCol ... ername) |
| logInjectionBad.js:48:46:48:53 | username | logInjectionBad.js:48:18:48:54 | ansiCol ... ername) |
| logInjectionBad.js:49:39:49:46 | username | logInjectionBad.js:49:18:49:47 | colors. ... ername) |
| logInjectionBad.js:49:39:49:46 | username | logInjectionBad.js:49:18:49:47 | colors. ... ername) |
| logInjectionBad.js:50:27:50:56 | colors. ... ername) | logInjectionBad.js:50:18:50:61 | wrapAns ... e), 20) |
| logInjectionBad.js:50:27:50:56 | colors. ... ername) | logInjectionBad.js:50:18:50:61 | wrapAns ... e), 20) |
| logInjectionBad.js:50:48:50:55 | username | logInjectionBad.js:50:27:50:56 | colors. ... ername) |
| logInjectionBad.js:51:27:51:46 | bold(blue(username)) | logInjectionBad.js:51:17:51:47 | underli ... name))) |
| logInjectionBad.js:51:27:51:46 | bold(blue(username)) | logInjectionBad.js:51:17:51:47 | underli ... name))) |
| logInjectionBad.js:51:32:51:45 | blue(username) | logInjectionBad.js:51:27:51:46 | bold(blue(username)) |
| logInjectionBad.js:51:37:51:44 | username | logInjectionBad.js:51:32:51:45 | blue(username) |
| logInjectionBad.js:52:27:52:34 | username | logInjectionBad.js:52:17:52:76 | highlig ... true}) |
| logInjectionBad.js:52:27:52:34 | username | logInjectionBad.js:52:17:52:76 | highlig ... true}) |
| logInjectionBad.js:53:43:53:50 | username | logInjectionBad.js:53:17:53:51 | clc.red ... ername) |
| logInjectionBad.js:53:43:53:50 | username | logInjectionBad.js:53:17:53:51 | clc.red ... ername) |
| logInjectionBad.js:54:27:54:56 | colors. ... ername) | logInjectionBad.js:54:17:54:65 | sliceAn ... 20, 30) |
| logInjectionBad.js:54:27:54:56 | colors. ... ername) | logInjectionBad.js:54:17:54:65 | sliceAn ... 20, 30) |
| logInjectionBad.js:54:48:54:55 | username | logInjectionBad.js:54:27:54:56 | colors. ... ername) |
| logInjectionBad.js:55:47:55:54 | username | logInjectionBad.js:55:17:55:55 | kleur.b ... ername) |
| logInjectionBad.js:55:47:55:54 | username | logInjectionBad.js:55:17:55:55 | kleur.b ... ername) |
| logInjectionBad.js:56:40:56:47 | username | logInjectionBad.js:56:17:56:48 | chalk.u ... ername) |
| logInjectionBad.js:56:40:56:47 | username | logInjectionBad.js:56:17:56:48 | chalk.u ... ername) |
#select
| logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
| logInjectionBad.js:23:37:23:44 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:23:37:23:44 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
| logInjectionBad.js:24:35:24:42 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:24:35:24:42 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
| logInjectionBad.js:25:36:25:43 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:25:36:25:43 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
| logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
| logInjectionBad.js:47:18:47:54 | ansiCol ... ername) | logInjectionBad.js:44:23:44:29 | req.url | logInjectionBad.js:47:18:47:54 | ansiCol ... ername) | $@ flows to log entry. | logInjectionBad.js:44:23:44:29 | req.url | User-provided value |
| logInjectionBad.js:48:18:48:47 | colors. ... ername) | logInjectionBad.js:44:23:44:29 | req.url | logInjectionBad.js:48:18:48:47 | colors. ... ername) | $@ flows to log entry. | logInjectionBad.js:44:23:44:29 | req.url | User-provided value |
| logInjectionBad.js:49:18:49:61 | wrapAns ... e), 20) | logInjectionBad.js:44:23:44:29 | req.url | logInjectionBad.js:49:18:49:61 | wrapAns ... e), 20) | $@ flows to log entry. | logInjectionBad.js:44:23:44:29 | req.url | User-provided value |
| logInjectionBad.js:50:17:50:47 | underli ... name))) | logInjectionBad.js:44:23:44:29 | req.url | logInjectionBad.js:50:17:50:47 | underli ... name))) | $@ flows to log entry. | logInjectionBad.js:44:23:44:29 | req.url | User-provided value |
| logInjectionBad.js:51:17:51:76 | highlig ... true}) | logInjectionBad.js:44:23:44:29 | req.url | logInjectionBad.js:51:17:51:76 | highlig ... true}) | $@ flows to log entry. | logInjectionBad.js:44:23:44:29 | req.url | User-provided value |
| logInjectionBad.js:52:17:52:51 | clc.red ... ername) | logInjectionBad.js:44:23:44:29 | req.url | logInjectionBad.js:52:17:52:51 | clc.red ... ername) | $@ flows to log entry. | logInjectionBad.js:44:23:44:29 | req.url | User-provided value |
| logInjectionBad.js:53:17:53:65 | sliceAn ... 20, 30) | logInjectionBad.js:44:23:44:29 | req.url | logInjectionBad.js:53:17:53:65 | sliceAn ... 20, 30) | $@ flows to log entry. | logInjectionBad.js:44:23:44:29 | req.url | User-provided value |
| logInjectionBad.js:54:17:54:55 | kleur.b ... ername) | logInjectionBad.js:44:23:44:29 | req.url | logInjectionBad.js:54:17:54:55 | kleur.b ... ername) | $@ flows to log entry. | logInjectionBad.js:44:23:44:29 | req.url | User-provided value |
| logInjectionBad.js:48:18:48:54 | ansiCol ... ername) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:48:18:48:54 | ansiCol ... ername) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |
| logInjectionBad.js:49:18:49:47 | colors. ... ername) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:49:18:49:47 | colors. ... ername) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |
| logInjectionBad.js:50:18:50:61 | wrapAns ... e), 20) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:50:18:50:61 | wrapAns ... e), 20) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |
| logInjectionBad.js:51:17:51:47 | underli ... name))) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:51:17:51:47 | underli ... name))) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |
| logInjectionBad.js:52:17:52:76 | highlig ... true}) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:52:17:52:76 | highlig ... true}) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |
| logInjectionBad.js:53:17:53:51 | clc.red ... ername) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:53:17:53:51 | clc.red ... ername) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |
| logInjectionBad.js:54:17:54:65 | sliceAn ... 20, 30) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:54:17:54:65 | sliceAn ... 20, 30) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |
| logInjectionBad.js:55:17:55:55 | kleur.b ... ername) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:55:17:55:55 | kleur.b ... ername) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |
| logInjectionBad.js:56:17:56:48 | chalk.u ... ername) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:56:17:56:48 | chalk.u ... ername) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |


@@ -39,6 +39,7 @@ const highlight = require('cli-highlight').highlight;
var clc = require("cli-color");
import sliceAnsi from 'slice-ansi';
import kleur from 'kleur';
const chalk = require('chalk');
const server2 = http.createServer((req, res) => {
let q = url.parse(req.url, true);
@@ -52,4 +53,5 @@ const server2 = http.createServer((req, res) => {
console.log(clc.red.bgWhite.underline(username)); // NOT OK
console.log(sliceAnsi(colors.red.underline(username), 20, 30)); // NOT OK
console.log(kleur.blue().bold().underline(username)); // NOT OK
console.log(chalk.underline.bgBlue(username)); // NOT OK
});