add library input as source to js/prototype-polluting-assignment

erik-krogh · erik-krogh · commit 78774233c7b8 · 2021-10-27T20:35:36.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentCustomizations.qll
@@ -53,4 +53,13 @@ module PrototypePollutingAssignment {
   private class DefaultSource extends Source {
     DefaultSource() { this instanceof RemoteFlowSource }
   }
+
+  import semmle.javascript.PackageExports as Exports
+
+  /**
+   * A parameter of an exported function, seen as a source prototype-polluting assignment.
+   */
+  class ExternalInputSource extends Source, DataFlow::SourceNode {
+    ExternalInputSource() { this = Exports::getALibraryInputParameter() }
+  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected
@@ -1,4 +1,24 @@
 nodes
+| lib.js:1:38:1:40 | obj |
+| lib.js:1:43:1:46 | path |
+| lib.js:1:43:1:46 | path |
+| lib.js:1:43:1:46 | path |
+| lib.js:2:7:2:27 | currentPath |
+| lib.js:2:7:2:27 | currentPath |
+| lib.js:2:21:2:24 | path |
+| lib.js:2:21:2:24 | path |
+| lib.js:2:21:2:27 | path[0] |
+| lib.js:2:21:2:27 | path[0] |
+| lib.js:6:7:6:9 | obj |
+| lib.js:6:7:6:9 | obj |
+| lib.js:11:17:11:32 | obj[currentPath] |
+| lib.js:11:17:11:32 | obj[currentPath] |
+| lib.js:11:21:11:31 | currentPath |
+| lib.js:11:21:11:31 | currentPath |
+| lib.js:11:35:11:38 | path |
+| lib.js:11:35:11:38 | path |
+| lib.js:11:35:11:47 | path.slice(1) |
+| lib.js:11:35:11:47 | path.slice(1) |
 | tst.js:5:9:5:38 | taint |
 | tst.js:5:17:5:38 | String( ... y.data) |
 | tst.js:5:24:5:37 | req.query.data |
@@ -24,6 +44,28 @@ nodes
 | tst.js:48:9:48:11 | obj |
 | tst.js:48:9:48:11 | obj |
 edges
+| lib.js:1:38:1:40 | obj | lib.js:6:7:6:9 | obj |
+| lib.js:1:38:1:40 | obj | lib.js:6:7:6:9 | obj |
+| lib.js:1:43:1:46 | path | lib.js:2:21:2:24 | path |
+| lib.js:1:43:1:46 | path | lib.js:2:21:2:24 | path |
+| lib.js:1:43:1:46 | path | lib.js:2:21:2:24 | path |
+| lib.js:1:43:1:46 | path | lib.js:11:35:11:38 | path |
+| lib.js:1:43:1:46 | path | lib.js:11:35:11:38 | path |
+| lib.js:1:43:1:46 | path | lib.js:11:35:11:38 | path |
+| lib.js:2:7:2:27 | currentPath | lib.js:11:21:11:31 | currentPath |
+| lib.js:2:7:2:27 | currentPath | lib.js:11:21:11:31 | currentPath |
+| lib.js:2:21:2:24 | path | lib.js:2:21:2:27 | path[0] |
+| lib.js:2:21:2:24 | path | lib.js:2:21:2:27 | path[0] |
+| lib.js:2:21:2:27 | path[0] | lib.js:2:7:2:27 | currentPath |
+| lib.js:2:21:2:27 | path[0] | lib.js:2:7:2:27 | currentPath |
+| lib.js:11:17:11:32 | obj[currentPath] | lib.js:1:38:1:40 | obj |
+| lib.js:11:17:11:32 | obj[currentPath] | lib.js:1:38:1:40 | obj |
+| lib.js:11:21:11:31 | currentPath | lib.js:11:17:11:32 | obj[currentPath] |
+| lib.js:11:21:11:31 | currentPath | lib.js:11:17:11:32 | obj[currentPath] |
+| lib.js:11:35:11:38 | path | lib.js:11:35:11:47 | path.slice(1) |
+| lib.js:11:35:11:38 | path | lib.js:11:35:11:47 | path.slice(1) |
+| lib.js:11:35:11:47 | path.slice(1) | lib.js:1:43:1:46 | path |
+| lib.js:11:35:11:47 | path.slice(1) | lib.js:1:43:1:46 | path |
 | tst.js:5:9:5:38 | taint | tst.js:8:12:8:16 | taint |
 | tst.js:5:9:5:38 | taint | tst.js:9:12:9:16 | taint |
 | tst.js:5:9:5:38 | taint | tst.js:12:25:12:29 | taint |
@@ -48,6 +90,7 @@ edges
 | tst.js:33:23:33:25 | obj | tst.js:48:9:48:11 | obj |
 | tst.js:33:23:33:25 | obj | tst.js:48:9:48:11 | obj |
 #select
+| lib.js:6:7:6:9 | obj | lib.js:1:43:1:46 | path | lib.js:6:7:6:9 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:1:43:1:46 | path | here |
 | tst.js:8:5:8:17 | object[taint] | tst.js:5:24:5:37 | req.query.data | tst.js:8:5:8:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | here |
 | tst.js:9:5:9:17 | object[taint] | tst.js:5:24:5:37 | req.query.data | tst.js:9:5:9:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | here |
 | tst.js:14:5:14:32 | unsafeG ...  taint) | tst.js:5:24:5:37 | req.query.data | tst.js:14:5:14:32 | unsafeG ...  taint) | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | here |
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js
@@ -0,0 +1,12 @@
+module.exports.set = function recSet(obj, path, value) {
+  var currentPath = path[0];
+  var currentValue = obj[currentPath];
+  if (path.length === 1) {
+    if (currentValue === void 0) {
+      obj[currentPath] = value; // NOT OK
+    }
+    return currentValue;
+  }
+
+  return recSet(obj[currentPath], path.slice(1), value);
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/package.json b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/package.json
@@ -0,0 +1,5 @@
+{
+    "name": "my-lib",
+    "version": "0.0.7",
+    "main": "./lib.js"
+}

Original file line number	Diff line number	Diff line change
`@@ -53,4 +53,13 @@ module PrototypePollutingAssignment {`
`53`	`53`	`private class DefaultSource extends Source {`
`54`	`54`	`DefaultSource() { this instanceof RemoteFlowSource }`
`55`	`55`	`}`
	`56`	`+`
	`57`	`+ import semmle.javascript.PackageExports as Exports`
	`58`	`+`
	`59`	`+ /**`
	`60`	`+ * A parameter of an exported function, seen as a source prototype-polluting assignment.`
	`61`	`+ */`
	`62`	`+ class ExternalInputSource extends Source, DataFlow::SourceNode {`
	`63`	`+ ExternalInputSource() { this = Exports::getALibraryInputParameter() }`
	`64`	`+ }`
`56`	`65`	`}`