add taint step for the snarkdown libary

erik-krogh · erik-krogh · commit 69d8aa143c65 · 2021-02-11T16:16:46.000+01:00
diff --git a/javascript/change-notes/2021-02-10-markdown.md b/javascript/change-notes/2021-02-10-markdown.md
@@ -4,5 +4,6 @@ lgtm,codescanning
     [marked](https://npmjs.com/package/marked), 
     [markdown-table](https://npmjs.com/package/markdown-table), 
     [showdown](https://npmjs.com/package/showdown), 
+    [snarkdown](https://npmjs.com/package/snarkdown), 
     [unified](https://npmjs.com/package/unified), and
     [remark](https://npmjs.com/package/remark)
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll b/javascript/ql/src/semmle/javascript/frameworks/Markdown.qll
@@ -106,3 +106,15 @@ private module Unified {
     }
   }
 }
+
+/**
+ * A taint step for the `snarkdown` library.
+ */
+private class SnarkdownStep extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
+  SnarkdownStep() { this = DataFlow::moduleImport("snarkdown").getACall() }
+
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    this = succ and
+    pred = this.getArgument(0)
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -55,6 +55,17 @@ nodes
 | ReflectedXss.js:74:34:74:34 | f |
 | ReflectedXss.js:75:14:75:14 | f |
 | ReflectedXss.js:75:14:75:14 | f |
+| ReflectedXss.js:83:12:83:19 | req.body |
+| ReflectedXss.js:83:12:83:19 | req.body |
+| ReflectedXss.js:83:12:83:19 | req.body |
+| ReflectedXss.js:84:12:84:30 | snarkdown(req.body) |
+| ReflectedXss.js:84:12:84:30 | snarkdown(req.body) |
+| ReflectedXss.js:84:22:84:29 | req.body |
+| ReflectedXss.js:84:22:84:29 | req.body |
+| ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
+| ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
+| ReflectedXss.js:85:23:85:30 | req.body |
+| ReflectedXss.js:85:23:85:30 | req.body |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id |
@@ -183,6 +194,15 @@ edges
 | ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:74:34:74:34 | f |
 | ReflectedXss.js:74:34:74:34 | f | ReflectedXss.js:75:14:75:14 | f |
 | ReflectedXss.js:74:34:74:34 | f | ReflectedXss.js:75:14:75:14 | f |
+| ReflectedXss.js:83:12:83:19 | req.body | ReflectedXss.js:83:12:83:19 | req.body |
+| ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) |
+| ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) |
+| ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) |
+| ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) |
+| ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
+| ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
+| ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
+| ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
@@ -272,6 +292,9 @@ edges
 | ReflectedXss.js:68:12:68:52 | remark( ... tring() | ReflectedXss.js:68:33:68:40 | req.body | ReflectedXss.js:68:12:68:52 | remark( ... tring() | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:68:33:68:40 | req.body | user-provided value |
 | ReflectedXss.js:72:12:72:65 | unified ... oString | ReflectedXss.js:72:48:72:55 | req.body | ReflectedXss.js:72:12:72:65 | unified ... oString | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:72:48:72:55 | req.body | user-provided value |
 | ReflectedXss.js:75:14:75:14 | f | ReflectedXss.js:74:20:74:27 | req.body | ReflectedXss.js:75:14:75:14 | f | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:74:20:74:27 | req.body | user-provided value |
+| ReflectedXss.js:83:12:83:19 | req.body | ReflectedXss.js:83:12:83:19 | req.body | ReflectedXss.js:83:12:83:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:83:12:83:19 | req.body | user-provided value |
+| ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | ReflectedXss.js:84:22:84:29 | req.body | ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:84:22:84:29 | req.body | user-provided value |
+| ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | ReflectedXss.js:85:23:85:30 | req.body | ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:85:23:85:30 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
@@ -75,3 +75,12 @@ app.get('/user/:id', function (req, res) {
     res.send(f); // NOT OK
   })
 });
+
+import snarkdown from 'snarkdown';
+var snarkdown2 = require("snarkdown");
+
+app.get('/user/:id', function (req, res) {
+  res.send(req.body); // NOT OK
+  res.send(snarkdown(req.body)); // NOT OK
+  res.send(snarkdown2(req.body)); // NOT OK
+});
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -11,6 +11,9 @@
 | ReflectedXss.js:68:12:68:52 | remark( ... tring() | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:68:33:68:40 | req.body | user-provided value |
 | ReflectedXss.js:72:12:72:65 | unified ... oString | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:72:48:72:55 | req.body | user-provided value |
 | ReflectedXss.js:75:14:75:14 | f | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:74:20:74:27 | req.body | user-provided value |
+| ReflectedXss.js:83:12:83:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:83:12:83:19 | req.body | user-provided value |
+| ReflectedXss.js:84:12:84:30 | snarkdown(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:84:22:84:29 | req.body | user-provided value |
+| ReflectedXss.js:85:12:85:31 | snarkdown2(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:85:23:85:30 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |

Original file line number	Diff line number	Diff line change
`@@ -106,3 +106,15 @@ private module Unified {`
`106`	`106`	`}`
`107`	`107`	`}`
`108`	`108`	`}`
	`109`	`+`
	`110`	`+/**`
	`111`	+ * A taint step for the `snarkdown` library.
	`112`	`+ */`
	`113`	`+private class SnarkdownStep extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {`
	`114`	`+ SnarkdownStep() { this = DataFlow::moduleImport("snarkdown").getACall() }`
	`115`	`+`
	`116`	`+ override predicate step(DataFlow::Node pred, DataFlow::Node succ) {`
	`117`	`+ this = succ and`
	`118`	`+ pred = this.getArgument(0)`
	`119`	`+ }`
	`120`	`+}`