add taint step through arrify

erik-krogh · erik-krogh · commit 5ff7d208b790 · 2021-07-15T11:24:50.000+02:00
diff --git a/javascript/change-notes/2021-07-15-array-libs.md b/javascript/change-notes/2021-07-15-array-libs.md
@@ -3,4 +3,6 @@ lgtm,codescanning
   Affected packages are
     [array-from](https://npmjs.com/package/array-from),
     [array.prototype.find](https://npmjs.com/package/array.prototype.find),
-    [array-find](https://npmjs.com/package/array-find)
+    [array-find](https://npmjs.com/package/array-find),
+    [arrify](https://npmjs.com/package/arrify),
+    [array-ify](https://npmjs.com/package/array-ify)
diff --git a/javascript/ql/src/semmle/javascript/Arrays.qll b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -342,4 +342,15 @@ private module ArrayLibraries {
     result = DataFlow::moduleImport(["array.prototype.find", "array-find"]).getACall() and
     array = result.getArgument(0)
   }
+
+  /**
+   * A taint step through the `arrify` library, or other libraries that (maybe) convert values into arrays.
+   */
+  private class ArrayifyStep extends TaintTracking::SharedTaintStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(API::CallNode call | call = API::moduleImport(["arrify", "array-ify"]).getACall() |
+        pred = call.getArgument(0) and succ = call
+      )
+    }
+  }
 }
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -12,6 +12,8 @@ typeInferenceMismatch
 | array-mutation.js:31:33:31:40 | source() | array-mutation.js:32:8:32:8 | h |
 | array-mutation.js:35:36:35:43 | source() | array-mutation.js:36:8:36:8 | i |
 | array-mutation.js:39:17:39:24 | source() | array-mutation.js:40:8:40:8 | j |
+| arrays.js:2:15:2:22 | source() | arrays.js:5:10:5:20 | arrify(foo) |
+| arrays.js:2:15:2:22 | source() | arrays.js:8:10:8:22 | arrayIfy(foo) |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:4:8:4:8 | x |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:13:10:13:10 | x |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:19:10:19:10 | x |
diff --git a/javascript/ql/test/library-tests/TaintTracking/arrays.js b/javascript/ql/test/library-tests/TaintTracking/arrays.js
@@ -0,0 +1,9 @@
+function test() {
+    var foo = source();
+
+    const arrify = require("arrify");
+    sink(arrify(foo)); // NOT OK
+
+    const arrayIfy = require("array-ify");
+    sink(arrayIfy(foo)); // NOT OK
+}
