add taint step through the prettyjson library

erik-krogh · erik-krogh · commit 1792c9a61199 · 2021-07-12T10:51:43.000+02:00
diff --git a/javascript/change-notes/2021-06-24-json.md b/javascript/change-notes/2021-06-24-json.md
@@ -2,4 +2,5 @@ lgtm,codescanning
 * The dataflow libraries now model dataflow through more JSON utility libraries.
   Affected packages are
     [json2csv](https://npmjs.com/package/json2csv),
-    [json5](https://npmjs.com/package/json5)
+    [json5](https://npmjs.com/package/json5),
+    [prettyjson](https://npmjs.com/package/prettyjson)
diff --git a/javascript/ql/src/semmle/javascript/JsonStringifiers.qll b/javascript/ql/src/semmle/javascript/JsonStringifiers.qll
@@ -53,3 +53,19 @@ class JSON2CSVTaintStep extends TaintTracking::SharedTaintStep {
     )
   }
 }
+
+/**
+ * A step through the [`prettyjson`](https://www.npmjs.com/package/prettyjson) library.
+ * This is not quite a `JSON.stringify` call, as it e.g. does not wrap keys in double quotes.
+ * It's therefore modelled as a taint-step rather than as a `JSON.stringify` call.
+ */
+class PrettyJSONTaintStep extends TaintTracking::SharedTaintStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call |
+      call = API::moduleImport("prettyjson").getMember("render").getACall()
+    |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-117/LogInjection.expected b/javascript/ql/test/query-tests/Security/CWE-117/LogInjection.expected
@@ -65,6 +65,17 @@ nodes
 | logInjectionBad.js:58:17:58:59 | stripAn ... rname)) |
 | logInjectionBad.js:58:27:58:58 | chalk.u ... ername) |
 | logInjectionBad.js:58:50:58:57 | username |
+| logInjectionBad.js:63:9:63:36 | q |
+| logInjectionBad.js:63:13:63:36 | url.par ... , true) |
+| logInjectionBad.js:63:23:63:29 | req.url |
+| logInjectionBad.js:63:23:63:29 | req.url |
+| logInjectionBad.js:64:9:64:35 | username |
+| logInjectionBad.js:64:20:64:20 | q |
+| logInjectionBad.js:64:20:64:26 | q.query |
+| logInjectionBad.js:64:20:64:35 | q.query.username |
+| logInjectionBad.js:66:17:66:43 | prettyj ... ername) |
+| logInjectionBad.js:66:17:66:43 | prettyj ... ername) |
+| logInjectionBad.js:66:35:66:42 | username |
 edges
 | logInjectionBad.js:19:9:19:36 | q | logInjectionBad.js:20:20:20:20 | q |
 | logInjectionBad.js:19:13:19:36 | url.par ... , true) | logInjectionBad.js:19:9:19:36 | q |
@@ -130,6 +141,16 @@ edges
 | logInjectionBad.js:58:27:58:58 | chalk.u ... ername) | logInjectionBad.js:58:17:58:59 | stripAn ... rname)) |
 | logInjectionBad.js:58:27:58:58 | chalk.u ... ername) | logInjectionBad.js:58:17:58:59 | stripAn ... rname)) |
 | logInjectionBad.js:58:50:58:57 | username | logInjectionBad.js:58:27:58:58 | chalk.u ... ername) |
+| logInjectionBad.js:63:9:63:36 | q | logInjectionBad.js:64:20:64:20 | q |
+| logInjectionBad.js:63:13:63:36 | url.par ... , true) | logInjectionBad.js:63:9:63:36 | q |
+| logInjectionBad.js:63:23:63:29 | req.url | logInjectionBad.js:63:13:63:36 | url.par ... , true) |
+| logInjectionBad.js:63:23:63:29 | req.url | logInjectionBad.js:63:13:63:36 | url.par ... , true) |
+| logInjectionBad.js:64:9:64:35 | username | logInjectionBad.js:66:35:66:42 | username |
+| logInjectionBad.js:64:20:64:20 | q | logInjectionBad.js:64:20:64:26 | q.query |
+| logInjectionBad.js:64:20:64:26 | q.query | logInjectionBad.js:64:20:64:35 | q.query.username |
+| logInjectionBad.js:64:20:64:35 | q.query.username | logInjectionBad.js:64:9:64:35 | username |
+| logInjectionBad.js:66:35:66:42 | username | logInjectionBad.js:66:17:66:43 | prettyj ... ername) |
+| logInjectionBad.js:66:35:66:42 | username | logInjectionBad.js:66:17:66:43 | prettyj ... ername) |
 #select
 | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:23:37:23:44 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:23:37:23:44 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
@@ -146,3 +167,4 @@ edges
 | logInjectionBad.js:56:17:56:55 | kleur.b ... ername) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:56:17:56:55 | kleur.b ... ername) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
 | logInjectionBad.js:57:17:57:48 | chalk.u ... ername) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:57:17:57:48 | chalk.u ... ername) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
 | logInjectionBad.js:58:17:58:59 | stripAn ... rname)) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:58:17:58:59 | stripAn ... rname)) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
+| logInjectionBad.js:66:17:66:43 | prettyj ... ername) | logInjectionBad.js:63:23:63:29 | req.url | logInjectionBad.js:66:17:66:43 | prettyj ... ername) | $@ flows to log entry. | logInjectionBad.js:63:23:63:29 | req.url | User-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-117/logInjectionBad.js b/javascript/ql/test/query-tests/Security/CWE-117/logInjectionBad.js
@@ -56,4 +56,12 @@ const server2 = http.createServer((req, res) => {
     console.log(kleur.blue().bold().underline(username)); // NOT OK
     console.log(chalk.underline.bgBlue(username)); // NOT OK
     console.log(stripAnsi(chalk.underline.bgBlue(username))); // NOT OK
+});
+
+var prettyjson = require('prettyjson');
+const server3 = http.createServer((req, res) => {
+    let q = url.parse(req.url, true);
+    let username = q.query.username;
+
+    console.log(prettyjson.render(username)); // NOT OK
 });
