add values written to the global scope as exports

erik-krogh · erik-krogh · commit d1d4ebb3b553 · 2022-02-07T13:34:18.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/PackageExports.qll b/javascript/ql/lib/semmle/javascript/PackageExports.qll
@@ -216,6 +216,10 @@ private DataFlow::Node getAnExportFromModule(Module mod) {
   or
   result = mod.getABulkExportedNode()
   or
+  // exports saved to the global object
+  result = DataFlow::globalObjectRef().getAPropertyWrite().getRhs() and
+  result.getTopLevel() = mod
+  or
   result.analyze().getAValue() = TAbstractModuleObject(mod)
 }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/UnsafeCodeConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/UnsafeCodeConstruction.expected
@@ -7,6 +7,10 @@ nodes
 | lib/index.js:5:35:5:38 | name |
 | lib/index.js:6:26:6:29 | name |
 | lib/index.js:6:26:6:29 | name |
+| lib/index.js:13:38:13:41 | data |
+| lib/index.js:13:38:13:41 | data |
+| lib/index.js:14:21:14:24 | data |
+| lib/index.js:14:21:14:24 | data |
 edges
 | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
 | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
@@ -16,6 +20,11 @@ edges
 | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name |
 | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name |
 | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name |
+| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
+| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
+| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
+| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
 #select
 | lib/index.js:2:21:2:24 | data | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data | $@ flows to here and is later $@. | lib/index.js:1:35:1:38 | data | Library input | lib/index.js:2:15:2:30 | "(" + data + ")" | interpreted as code |
 | lib/index.js:6:26:6:29 | name | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name | $@ flows to here and is later $@. | lib/index.js:5:35:5:38 | name | Library input | lib/index.js:6:17:6:29 | "obj." + name | interpreted as code |
+| lib/index.js:14:21:14:24 | data | lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data | $@ flows to here and is later $@. | lib/index.js:13:38:13:41 | data | Library input | lib/index.js:14:15:14:30 | "(" + data + ")" | interpreted as code |
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js
@@ -9,3 +9,7 @@ export function unsafeGetter(obj, name) {
 export function safeAssignment(obj, value) {
     eval("obj.foo = " + JSON.stringify(value)); // OK
 }
+
+global.unsafeDeserialize = function (data) {
+  return eval("(" + data + ")"); // NOT OK
+}

Original file line number	Diff line number	Diff line change
`@@ -9,3 +9,7 @@ export function unsafeGetter(obj, name) {`
`9`	`9`	`export function safeAssignment(obj, value) {`
`10`	`10`	`eval("obj.foo = " + JSON.stringify(value)); // OK`
`11`	`11`	`}`
	`12`	`+`
	`13`	`+global.unsafeDeserialize = function (data) {`
	`14`	`+ return eval("(" + data + ")"); // NOT OK`
	`15`	`+}`