add JSON.stringify as a code-injection sanitizer

erik-krogh · erik-krogh · commit 955ad8c4582b · 2022-02-07T13:34:18.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -375,4 +375,9 @@ module CodeInjection {
       this = LodashUnderscore::member("template").getACall().getArgument(0)
     }
   }
+
+  /**
+   * A call to JSON.stringify() seen as a sanitizer.
+   */
+  class JSONStringifySanitizer extends Sanitizer, JsonStringifyCall { }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/express.js
@@ -25,4 +25,6 @@ const cp = require('child_process');
 app.get('/other/path', function(req, res) {
   const taint = req.param("wobble");
   cp.execFileSync('node', ['-e', taint]); // NOT OK
+
+  cp.execFileSync('node', ['-e', `console.log(${JSON.stringify(taint)})`]); // OK
 });

Original file line number	Diff line number	Diff line change
`@@ -375,4 +375,9 @@ module CodeInjection {`
`375`	`375`	`this = LodashUnderscore::member("template").getACall().getArgument(0)`
`376`	`376`	`}`
`377`	`377`	`}`
	`378`	`+`
	`379`	`+ /**`
	`380`	`+ * A call to JSON.stringify() seen as a sanitizer.`
	`381`	`+ */`
	`382`	`+ class JSONStringifySanitizer extends Sanitizer, JsonStringifyCall { }`
`378`	`383`	`}`