JS: Added test cases which cover new RegExp creation with replace on protytpe pulluting

Napalys · Napalys · commit bb384fd90699 · 2024-11-26T11:30:20.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected
@@ -190,6 +190,16 @@ nodes
 | tst.js:105:5:105:17 | object[taint] |
 | tst.js:105:5:105:17 | object[taint] |
 | tst.js:105:12:105:16 | taint |
+| tst.js:130:5:130:53 | obj[req ... ), '')] |
+| tst.js:130:5:130:53 | obj[req ... ), '')] |
+| tst.js:130:9:130:19 | req.query.x |
+| tst.js:130:9:130:19 | req.query.x |
+| tst.js:130:9:130:52 | req.que ... '), '') |
+| tst.js:131:5:131:65 | obj[req ... ), '')] |
+| tst.js:131:5:131:65 | obj[req ... ), '')] |
+| tst.js:131:9:131:19 | req.query.x |
+| tst.js:131:9:131:19 | req.query.x |
+| tst.js:131:9:131:64 | req.que ... )), '') |
 edges
 | lib.js:1:38:1:40 | obj | lib.js:6:7:6:9 | obj |
 | lib.js:1:38:1:40 | obj | lib.js:6:7:6:9 | obj |
@@ -366,6 +376,14 @@ edges
 | tst.js:102:24:102:37 | req.query.data | tst.js:102:17:102:38 | String( ... y.data) |
 | tst.js:105:12:105:16 | taint | tst.js:105:5:105:17 | object[taint] |
 | tst.js:105:12:105:16 | taint | tst.js:105:5:105:17 | object[taint] |
+| tst.js:130:9:130:19 | req.query.x | tst.js:130:9:130:52 | req.que ... '), '') |
+| tst.js:130:9:130:19 | req.query.x | tst.js:130:9:130:52 | req.que ... '), '') |
+| tst.js:130:9:130:52 | req.que ... '), '') | tst.js:130:5:130:53 | obj[req ... ), '')] |
+| tst.js:130:9:130:52 | req.que ... '), '') | tst.js:130:5:130:53 | obj[req ... ), '')] |
+| tst.js:131:9:131:19 | req.query.x | tst.js:131:9:131:64 | req.que ... )), '') |
+| tst.js:131:9:131:19 | req.query.x | tst.js:131:9:131:64 | req.que ... )), '') |
+| tst.js:131:9:131:64 | req.que ... )), '') | tst.js:131:5:131:65 | obj[req ... ), '')] |
+| tst.js:131:9:131:64 | req.que ... )), '') | tst.js:131:5:131:65 | obj[req ... ), '')] |
 #select
 | lib.js:6:7:6:9 | obj | lib.js:1:43:1:46 | path | lib.js:6:7:6:9 | obj | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:1:43:1:46 | path | library input |
 | lib.js:15:3:15:14 | obj[path[0]] | lib.js:14:38:14:41 | path | lib.js:15:3:15:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:14:38:14:41 | path | library input |
@@ -394,3 +412,5 @@ edges
 | tst.js:94:5:94:37 | obj[req ... ', '')] | tst.js:94:9:94:19 | req.query.x | tst.js:94:5:94:37 | obj[req ... ', '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:94:9:94:19 | req.query.x | user controlled input |
 | tst.js:97:5:97:46 | obj[req ... g, '')] | tst.js:97:9:97:19 | req.query.x | tst.js:97:5:97:46 | obj[req ... g, '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:97:9:97:19 | req.query.x | user controlled input |
 | tst.js:105:5:105:17 | object[taint] | tst.js:102:24:102:37 | req.query.data | tst.js:105:5:105:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:102:24:102:37 | req.query.data | user controlled input |
+| tst.js:130:5:130:53 | obj[req ... ), '')] | tst.js:130:9:130:19 | req.query.x | tst.js:130:5:130:53 | obj[req ... ), '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:130:9:130:19 | req.query.x | user controlled input |
+| tst.js:131:5:131:65 | obj[req ... ), '')] | tst.js:131:9:131:19 | req.query.x | tst.js:131:5:131:65 | obj[req ... ), '')] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:131:9:131:19 | req.query.x | user controlled input |
diff --git a/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js b/javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/tst.js
@@ -123,3 +123,10 @@ app.get('/assign', (req, res) => {
     Object.assign(dest, plainObj[taint]);
     dest[taint] = taint; // OK - 'dest' is not Object.prototype itself (but possibly a copy)
 });
+
+app.get('/foo', (req, res) => {
+    let obj = {};
+    obj[req.query.x.replace(new RegExp('_', 'g'), '')].x = 'foo'; // OK
+    obj[req.query.x.replace(new RegExp('_', ''), '')].x = 'foo'; // NOT OK
+    obj[req.query.x.replace(new RegExp('_', unknownFlags()), '')].x = 'foo'; // OK -- Might be okay but it is currently flagged as a problem
+});
