add support for the json-cycle library

Author: erik-krogh

javascript/change-notes/2021-06-24-json.md

@@ -8,4 +8,5 @@ lgtm,codescanning
     [teleport-javascript](https://npmjs.com/package/teleport-javascript),
     [replicator](https://npmjs.com/package/replicator),
     [safe-stable-stringify](https://npmjs.com/package/safe-stable-stringify),
-    [fclone](https://npmjs.com/package/fclone)
+    [fclone](https://npmjs.com/package/fclone),
+    [json-cycle](https://npmjs.com/package/json-cycle)

javascript/ql/src/semmle/javascript/Extend.qll

@@ -182,7 +182,11 @@ private import semmle.javascript.dataflow.internal.PreCallGraphStep
  */
 private class CloneStep extends PreCallGraphStep {
   override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(DataFlow::CallNode call | call = DataFlow::moduleImport(["clone", "fclone"]).getACall() |
+    exists(DataFlow::CallNode call |
+      call = DataFlow::moduleImport(["clone", "fclone"]).getACall()
+      or
+      call = DataFlow::moduleMember("json-cycle", ["decycle", "retrocycle"]).getACall()
+    |
       pred = call.getArgument(0) and
       succ = call
     )

javascript/ql/src/semmle/javascript/JsonParsers.qll

@@ -26,7 +26,9 @@ private class PlainJsonParserCall extends JsonParserCall {
   PlainJsonParserCall() {
     exists(DataFlow::SourceNode callee | this = callee.getACall() |
       callee = DataFlow::globalVarRef("JSON").getAPropertyRead("parse") or
-      callee = DataFlow::moduleMember(["json3", "json5", "flatted", "teleport-javascript"], "parse") or
+      callee =
+        DataFlow::moduleMember(["json3", "json5", "flatted", "teleport-javascript", "json-cycle"],
+          "parse") or
       callee = API::moduleImport("replicator").getInstance().getMember("decode").getAnImmediateUse() or
       callee = DataFlow::moduleImport("parse-json") or
       callee = DataFlow::moduleImport("json-parse-better-errors") or

javascript/ql/src/semmle/javascript/JsonStringifiers.qll

@@ -12,7 +12,8 @@ class JsonStringifyCall extends DataFlow::CallNode {
     exists(DataFlow::SourceNode callee | this = callee.getACall() |
       callee = DataFlow::globalVarRef("JSON").getAPropertyRead("stringify") or
       callee =
-        DataFlow::moduleMember(["json3", "json5", "flatted", "teleport-javascript"], "stringify") or
+        DataFlow::moduleMember(["json3", "json5", "flatted", "teleport-javascript", "json-cycle"],
+          "stringify") or
       callee = API::moduleImport("replicator").getInstance().getMember("encode").getAnImmediateUse() or
       callee =
         DataFlow::moduleImport([

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -96,6 +96,7 @@ typeInferenceMismatch
 | json-stringify.js:2:16:2:23 | source() | json-stringify.js:30:8:30:49 | telepor ... ource)) |
 | json-stringify.js:2:16:2:23 | source() | json-stringify.js:34:8:34:51 | replica ... ource)) |
 | json-stringify.js:2:16:2:23 | source() | json-stringify.js:36:8:36:47 | require ... source) |
+| json-stringify.js:2:16:2:23 | source() | json-stringify.js:39:8:39:37 | jc.stri ... ource)) |
 | json-stringify.js:3:15:3:22 | source() | json-stringify.js:8:8:8:31 | jsonStr ... (taint) |
 | nested-props.js:4:13:4:20 | source() | nested-props.js:5:10:5:14 | obj.x |
 | nested-props.js:9:18:9:25 | source() | nested-props.js:10:10:10:16 | obj.x.y |

javascript/ql/test/library-tests/TaintTracking/json-stringify.js

@@ -34,4 +34,7 @@ function foo() {
   sink(replicator.encode(replicator.decode(source))); // NOT OK
 
   sink(require("safe-stable-stringify")(source)); // NOT OK
+
+  const jc = require('json-cycle');
+  sink(jc.stringify(jc.parse(source))); // NOT OK
 }

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected

@@ -198,6 +198,14 @@ nodes
 | tst2.js:63:12:63:12 | p |
 | tst2.js:64:12:64:18 | other.p |
 | tst2.js:64:12:64:18 | other.p |
+| tst2.js:69:7:69:24 | p |
+| tst2.js:69:9:69:9 | p |
+| tst2.js:69:9:69:9 | p |
+| tst2.js:72:11:72:11 | p |
+| tst2.js:75:12:75:12 | p |
+| tst2.js:75:12:75:12 | p |
+| tst2.js:76:12:76:18 | other.p |
+| tst2.js:76:12:76:18 | other.p |
 | tst3.js:5:7:5:24 | p |
 | tst3.js:5:9:5:9 | p |
 | tst3.js:5:9:5:9 | p |
@@ -374,6 +382,13 @@ edges
 | tst2.js:57:9:57:9 | p | tst2.js:57:7:57:24 | p |
 | tst2.js:60:11:60:11 | p | tst2.js:64:12:64:18 | other.p |
 | tst2.js:60:11:60:11 | p | tst2.js:64:12:64:18 | other.p |
+| tst2.js:69:7:69:24 | p | tst2.js:72:11:72:11 | p |
+| tst2.js:69:7:69:24 | p | tst2.js:75:12:75:12 | p |
+| tst2.js:69:7:69:24 | p | tst2.js:75:12:75:12 | p |
+| tst2.js:69:9:69:9 | p | tst2.js:69:7:69:24 | p |
+| tst2.js:69:9:69:9 | p | tst2.js:69:7:69:24 | p |
+| tst2.js:72:11:72:11 | p | tst2.js:76:12:76:18 | other.p |
+| tst2.js:72:11:72:11 | p | tst2.js:76:12:76:18 | other.p |
 | tst3.js:5:7:5:24 | p | tst3.js:6:12:6:12 | p |
 | tst3.js:5:7:5:24 | p | tst3.js:6:12:6:12 | p |
 | tst3.js:5:9:5:9 | p | tst3.js:5:7:5:24 | p |
@@ -429,5 +444,7 @@ edges
 | tst2.js:51:12:51:17 | unsafe | tst2.js:43:9:43:9 | p | tst2.js:51:12:51:17 | unsafe | Cross-site scripting vulnerability due to $@. | tst2.js:43:9:43:9 | p | user-provided value |
 | tst2.js:63:12:63:12 | p | tst2.js:57:9:57:9 | p | tst2.js:63:12:63:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:57:9:57:9 | p | user-provided value |
 | tst2.js:64:12:64:18 | other.p | tst2.js:57:9:57:9 | p | tst2.js:64:12:64:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:57:9:57:9 | p | user-provided value |
+| tst2.js:75:12:75:12 | p | tst2.js:69:9:69:9 | p | tst2.js:75:12:75:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:69:9:69:9 | p | user-provided value |
+| tst2.js:76:12:76:18 | other.p | tst2.js:69:9:69:9 | p | tst2.js:76:12:76:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:69:9:69:9 | p | user-provided value |
 | tst3.js:6:12:6:12 | p | tst3.js:5:9:5:9 | p | tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to $@. | tst3.js:5:9:5:9 | p | user-provided value |
 | tst3.js:12:12:12:15 | code | tst3.js:11:32:11:39 | reg.body | tst3.js:12:12:12:15 | code | Cross-site scripting vulnerability due to $@. | tst3.js:11:32:11:39 | reg.body | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected

@@ -42,5 +42,7 @@
 | tst2.js:51:12:51:17 | unsafe | Cross-site scripting vulnerability due to $@. | tst2.js:43:9:43:9 | p | user-provided value |
 | tst2.js:63:12:63:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:57:9:57:9 | p | user-provided value |
 | tst2.js:64:12:64:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:57:9:57:9 | p | user-provided value |
+| tst2.js:75:12:75:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:69:9:69:9 | p | user-provided value |
+| tst2.js:76:12:76:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:69:9:69:9 | p | user-provided value |
 | tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to $@. | tst3.js:5:9:5:9 | p | user-provided value |
 | tst3.js:12:12:12:15 | code | Cross-site scripting vulnerability due to $@. | tst3.js:11:32:11:39 | reg.body | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js

@@ -60,6 +60,18 @@ app.get('/baz', function(req, res) {
   obj.p = p;
   var other = fclone(obj);
 
+  res.send(p); // NOT OK
+  res.send(other.p); // NOT OK
+});
+
+const jc = require('json-cycle');
+app.get('/baz', function(req, res) {
+  let { p } = req.params;
+
+  var obj = {};
+  obj.p = p;
+  var other = jc.retrocycle(jc.decycle(obj));
+
   res.send(p); // NOT OK
   res.send(other.p); // NOT OK
 });