add support for the strip-json-comments library

erik-krogh · erik-krogh · commit 40aa970db3d9 · 2021-07-12T11:08:50.000+02:00
diff --git a/javascript/change-notes/2021-06-24-json.md b/javascript/change-notes/2021-06-24-json.md
@@ -9,4 +9,5 @@ lgtm,codescanning
     [replicator](https://npmjs.com/package/replicator),
     [safe-stable-stringify](https://npmjs.com/package/safe-stable-stringify),
     [fclone](https://npmjs.com/package/fclone),
-    [json-cycle](https://npmjs.com/package/json-cycle)
+    [json-cycle](https://npmjs.com/package/json-cycle),
+    [strip-json-comments](https://npmjs.com/package/strip-json-comments)
diff --git a/javascript/ql/src/semmle/javascript/JsonParsers.qll b/javascript/ql/src/semmle/javascript/JsonParsers.qll
@@ -78,3 +78,15 @@ private class JsonParserCallWithCallback extends JsonParserCall {
 
   override DataFlow::SourceNode getOutput() { result = getCallback(1).getParameter(1) }
 }
+
+/**
+ * A taint step through the `strip-json-comments` library.
+ */
+private class StripJsonCommentsStep extends TaintTracking::SharedTaintStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call | call = API::moduleImport("strip-json-comments").getACall() |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -97,6 +97,7 @@ typeInferenceMismatch
 | json-stringify.js:2:16:2:23 | source() | json-stringify.js:34:8:34:51 | replica ... ource)) |
 | json-stringify.js:2:16:2:23 | source() | json-stringify.js:36:8:36:47 | require ... source) |
 | json-stringify.js:2:16:2:23 | source() | json-stringify.js:39:8:39:37 | jc.stri ... ource)) |
+| json-stringify.js:2:16:2:23 | source() | json-stringify.js:42:8:42:51 | JSON.st ... urce))) |
 | json-stringify.js:3:15:3:22 | source() | json-stringify.js:8:8:8:31 | jsonStr ... (taint) |
 | nested-props.js:4:13:4:20 | source() | nested-props.js:5:10:5:14 | obj.x |
 | nested-props.js:9:18:9:25 | source() | nested-props.js:10:10:10:16 | obj.x.y |
diff --git a/javascript/ql/test/library-tests/TaintTracking/json-stringify.js b/javascript/ql/test/library-tests/TaintTracking/json-stringify.js
@@ -37,4 +37,7 @@ function foo() {
 
   const jc = require('json-cycle');
   sink(jc.stringify(jc.parse(source))); // NOT OK
+
+  const stripper = require("strip-json-comments");
+  sink(JSON.stringify(JSON.parse(stripper(source)))); // NOT OK
 }

Original file line number	Diff line number	Diff line change
`@@ -37,4 +37,7 @@ function foo() {`
`37`	`37`
`38`	`38`	`const jc = require('json-cycle');`
`39`	`39`	`sink(jc.stringify(jc.parse(source))); // NOT OK`
	`40`	`+`
	`41`	`+ const stripper = require("strip-json-comments");`
	`42`	`+ sink(JSON.stringify(JSON.parse(stripper(source)))); // NOT OK`
`40`	`43`	`}`