add taint step through the slice-ansi library

erik-krogh · erik-krogh · commit 6e2b92468fdd · 2021-06-22T23:14:14.000+02:00
diff --git a/javascript/change-notes/2021-06-22-colors.md b/javascript/change-notes/2021-06-22-colors.md
@@ -6,4 +6,5 @@ lgtm,codescanning
     [wrap-ansi](https://npmjs.com/package/wrap-ansi),
     [colorette](https://npmjs.com/package/colorette),
     [cli-highlight](https://npmjs.com/package/cli-highlight),
-    [cli-color](https://npmjs.com/package/cli-color)
+    [cli-color](https://npmjs.com/package/cli-color),
+    [slice-ansi](https://npmjs.com/package/slice-ansi)
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Logging.qll b/javascript/ql/src/semmle/javascript/frameworks/Logging.qll
@@ -278,3 +278,15 @@ class CliColorStep extends TaintTracking::SharedTaintStep {
     )
   }
 }
+
+/**
+ * A step through the [`slice-ansi`](https://npmjs.org/package/slice-ansi) library.
+ */
+class SliceAnsiStep extends TaintTracking::SharedTaintStep {
+  override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call | call = API::moduleImport("slice-ansi").getACall() |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-117/LogInjection.expected b/javascript/ql/test/query-tests/Security/CWE-117/LogInjection.expected
@@ -22,35 +22,39 @@ nodes
 | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
 | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
 | logInjectionBad.js:30:42:30:46 | error |
-| logInjectionBad.js:42:9:42:36 | q |
-| logInjectionBad.js:42:13:42:36 | url.par ... , true) |
-| logInjectionBad.js:42:23:42:29 | req.url |
-| logInjectionBad.js:42:23:42:29 | req.url |
-| logInjectionBad.js:43:9:43:35 | username |
-| logInjectionBad.js:43:20:43:20 | q |
-| logInjectionBad.js:43:20:43:26 | q.query |
-| logInjectionBad.js:43:20:43:35 | q.query.username |
-| logInjectionBad.js:45:18:45:54 | ansiCol ... ername) |
-| logInjectionBad.js:45:18:45:54 | ansiCol ... ername) |
-| logInjectionBad.js:45:46:45:53 | username |
-| logInjectionBad.js:46:18:46:47 | colors. ... ername) |
-| logInjectionBad.js:46:18:46:47 | colors. ... ername) |
-| logInjectionBad.js:46:39:46:46 | username |
-| logInjectionBad.js:47:18:47:61 | wrapAns ... e), 20) |
-| logInjectionBad.js:47:18:47:61 | wrapAns ... e), 20) |
-| logInjectionBad.js:47:27:47:56 | colors. ... ername) |
-| logInjectionBad.js:47:48:47:55 | username |
-| logInjectionBad.js:48:17:48:47 | underli ... name))) |
-| logInjectionBad.js:48:17:48:47 | underli ... name))) |
-| logInjectionBad.js:48:27:48:46 | bold(blue(username)) |
-| logInjectionBad.js:48:32:48:45 | blue(username) |
-| logInjectionBad.js:48:37:48:44 | username |
-| logInjectionBad.js:49:17:49:76 | highlig ...  true}) |
-| logInjectionBad.js:49:17:49:76 | highlig ...  true}) |
-| logInjectionBad.js:49:27:49:34 | username |
-| logInjectionBad.js:50:17:50:51 | clc.red ... ername) |
-| logInjectionBad.js:50:17:50:51 | clc.red ... ername) |
-| logInjectionBad.js:50:43:50:50 | username |
+| logInjectionBad.js:43:9:43:36 | q |
+| logInjectionBad.js:43:13:43:36 | url.par ... , true) |
+| logInjectionBad.js:43:23:43:29 | req.url |
+| logInjectionBad.js:43:23:43:29 | req.url |
+| logInjectionBad.js:44:9:44:35 | username |
+| logInjectionBad.js:44:20:44:20 | q |
+| logInjectionBad.js:44:20:44:26 | q.query |
+| logInjectionBad.js:44:20:44:35 | q.query.username |
+| logInjectionBad.js:46:18:46:54 | ansiCol ... ername) |
+| logInjectionBad.js:46:18:46:54 | ansiCol ... ername) |
+| logInjectionBad.js:46:46:46:53 | username |
+| logInjectionBad.js:47:18:47:47 | colors. ... ername) |
+| logInjectionBad.js:47:18:47:47 | colors. ... ername) |
+| logInjectionBad.js:47:39:47:46 | username |
+| logInjectionBad.js:48:18:48:61 | wrapAns ... e), 20) |
+| logInjectionBad.js:48:18:48:61 | wrapAns ... e), 20) |
+| logInjectionBad.js:48:27:48:56 | colors. ... ername) |
+| logInjectionBad.js:48:48:48:55 | username |
+| logInjectionBad.js:49:17:49:47 | underli ... name))) |
+| logInjectionBad.js:49:17:49:47 | underli ... name))) |
+| logInjectionBad.js:49:27:49:46 | bold(blue(username)) |
+| logInjectionBad.js:49:32:49:45 | blue(username) |
+| logInjectionBad.js:49:37:49:44 | username |
+| logInjectionBad.js:50:17:50:76 | highlig ...  true}) |
+| logInjectionBad.js:50:17:50:76 | highlig ...  true}) |
+| logInjectionBad.js:50:27:50:34 | username |
+| logInjectionBad.js:51:17:51:51 | clc.red ... ername) |
+| logInjectionBad.js:51:17:51:51 | clc.red ... ername) |
+| logInjectionBad.js:51:43:51:50 | username |
+| logInjectionBad.js:52:17:52:65 | sliceAn ... 20, 30) |
+| logInjectionBad.js:52:17:52:65 | sliceAn ... 20, 30) |
+| logInjectionBad.js:52:27:52:56 | colors. ... ername) |
+| logInjectionBad.js:52:48:52:55 | username |
 edges
 | logInjectionBad.js:19:9:19:36 | q | logInjectionBad.js:20:20:20:20 | q |
 | logInjectionBad.js:19:13:19:36 | url.par ... , true) | logInjectionBad.js:19:9:19:36 | q |
@@ -74,43 +78,48 @@ edges
 | logInjectionBad.js:29:14:29:18 | error | logInjectionBad.js:30:42:30:46 | error |
 | logInjectionBad.js:30:42:30:46 | error | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
 | logInjectionBad.js:30:42:30:46 | error | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
-| logInjectionBad.js:42:9:42:36 | q | logInjectionBad.js:43:20:43:20 | q |
-| logInjectionBad.js:42:13:42:36 | url.par ... , true) | logInjectionBad.js:42:9:42:36 | q |
-| logInjectionBad.js:42:23:42:29 | req.url | logInjectionBad.js:42:13:42:36 | url.par ... , true) |
-| logInjectionBad.js:42:23:42:29 | req.url | logInjectionBad.js:42:13:42:36 | url.par ... , true) |
-| logInjectionBad.js:43:9:43:35 | username | logInjectionBad.js:45:46:45:53 | username |
-| logInjectionBad.js:43:9:43:35 | username | logInjectionBad.js:46:39:46:46 | username |
-| logInjectionBad.js:43:9:43:35 | username | logInjectionBad.js:47:48:47:55 | username |
-| logInjectionBad.js:43:9:43:35 | username | logInjectionBad.js:48:37:48:44 | username |
-| logInjectionBad.js:43:9:43:35 | username | logInjectionBad.js:49:27:49:34 | username |
-| logInjectionBad.js:43:9:43:35 | username | logInjectionBad.js:50:43:50:50 | username |
-| logInjectionBad.js:43:20:43:20 | q | logInjectionBad.js:43:20:43:26 | q.query |
-| logInjectionBad.js:43:20:43:26 | q.query | logInjectionBad.js:43:20:43:35 | q.query.username |
-| logInjectionBad.js:43:20:43:35 | q.query.username | logInjectionBad.js:43:9:43:35 | username |
-| logInjectionBad.js:45:46:45:53 | username | logInjectionBad.js:45:18:45:54 | ansiCol ... ername) |
-| logInjectionBad.js:45:46:45:53 | username | logInjectionBad.js:45:18:45:54 | ansiCol ... ername) |
-| logInjectionBad.js:46:39:46:46 | username | logInjectionBad.js:46:18:46:47 | colors. ... ername) |
-| logInjectionBad.js:46:39:46:46 | username | logInjectionBad.js:46:18:46:47 | colors. ... ername) |
-| logInjectionBad.js:47:27:47:56 | colors. ... ername) | logInjectionBad.js:47:18:47:61 | wrapAns ... e), 20) |
-| logInjectionBad.js:47:27:47:56 | colors. ... ername) | logInjectionBad.js:47:18:47:61 | wrapAns ... e), 20) |
-| logInjectionBad.js:47:48:47:55 | username | logInjectionBad.js:47:27:47:56 | colors. ... ername) |
-| logInjectionBad.js:48:27:48:46 | bold(blue(username)) | logInjectionBad.js:48:17:48:47 | underli ... name))) |
-| logInjectionBad.js:48:27:48:46 | bold(blue(username)) | logInjectionBad.js:48:17:48:47 | underli ... name))) |
-| logInjectionBad.js:48:32:48:45 | blue(username) | logInjectionBad.js:48:27:48:46 | bold(blue(username)) |
-| logInjectionBad.js:48:37:48:44 | username | logInjectionBad.js:48:32:48:45 | blue(username) |
-| logInjectionBad.js:49:27:49:34 | username | logInjectionBad.js:49:17:49:76 | highlig ...  true}) |
-| logInjectionBad.js:49:27:49:34 | username | logInjectionBad.js:49:17:49:76 | highlig ...  true}) |
-| logInjectionBad.js:50:43:50:50 | username | logInjectionBad.js:50:17:50:51 | clc.red ... ername) |
-| logInjectionBad.js:50:43:50:50 | username | logInjectionBad.js:50:17:50:51 | clc.red ... ername) |
+| logInjectionBad.js:43:9:43:36 | q | logInjectionBad.js:44:20:44:20 | q |
+| logInjectionBad.js:43:13:43:36 | url.par ... , true) | logInjectionBad.js:43:9:43:36 | q |
+| logInjectionBad.js:43:23:43:29 | req.url | logInjectionBad.js:43:13:43:36 | url.par ... , true) |
+| logInjectionBad.js:43:23:43:29 | req.url | logInjectionBad.js:43:13:43:36 | url.par ... , true) |
+| logInjectionBad.js:44:9:44:35 | username | logInjectionBad.js:46:46:46:53 | username |
+| logInjectionBad.js:44:9:44:35 | username | logInjectionBad.js:47:39:47:46 | username |
+| logInjectionBad.js:44:9:44:35 | username | logInjectionBad.js:48:48:48:55 | username |
+| logInjectionBad.js:44:9:44:35 | username | logInjectionBad.js:49:37:49:44 | username |
+| logInjectionBad.js:44:9:44:35 | username | logInjectionBad.js:50:27:50:34 | username |
+| logInjectionBad.js:44:9:44:35 | username | logInjectionBad.js:51:43:51:50 | username |
+| logInjectionBad.js:44:9:44:35 | username | logInjectionBad.js:52:48:52:55 | username |
+| logInjectionBad.js:44:20:44:20 | q | logInjectionBad.js:44:20:44:26 | q.query |
+| logInjectionBad.js:44:20:44:26 | q.query | logInjectionBad.js:44:20:44:35 | q.query.username |
+| logInjectionBad.js:44:20:44:35 | q.query.username | logInjectionBad.js:44:9:44:35 | username |
+| logInjectionBad.js:46:46:46:53 | username | logInjectionBad.js:46:18:46:54 | ansiCol ... ername) |
+| logInjectionBad.js:46:46:46:53 | username | logInjectionBad.js:46:18:46:54 | ansiCol ... ername) |
+| logInjectionBad.js:47:39:47:46 | username | logInjectionBad.js:47:18:47:47 | colors. ... ername) |
+| logInjectionBad.js:47:39:47:46 | username | logInjectionBad.js:47:18:47:47 | colors. ... ername) |
+| logInjectionBad.js:48:27:48:56 | colors. ... ername) | logInjectionBad.js:48:18:48:61 | wrapAns ... e), 20) |
+| logInjectionBad.js:48:27:48:56 | colors. ... ername) | logInjectionBad.js:48:18:48:61 | wrapAns ... e), 20) |
+| logInjectionBad.js:48:48:48:55 | username | logInjectionBad.js:48:27:48:56 | colors. ... ername) |
+| logInjectionBad.js:49:27:49:46 | bold(blue(username)) | logInjectionBad.js:49:17:49:47 | underli ... name))) |
+| logInjectionBad.js:49:27:49:46 | bold(blue(username)) | logInjectionBad.js:49:17:49:47 | underli ... name))) |
+| logInjectionBad.js:49:32:49:45 | blue(username) | logInjectionBad.js:49:27:49:46 | bold(blue(username)) |
+| logInjectionBad.js:49:37:49:44 | username | logInjectionBad.js:49:32:49:45 | blue(username) |
+| logInjectionBad.js:50:27:50:34 | username | logInjectionBad.js:50:17:50:76 | highlig ...  true}) |
+| logInjectionBad.js:50:27:50:34 | username | logInjectionBad.js:50:17:50:76 | highlig ...  true}) |
+| logInjectionBad.js:51:43:51:50 | username | logInjectionBad.js:51:17:51:51 | clc.red ... ername) |
+| logInjectionBad.js:51:43:51:50 | username | logInjectionBad.js:51:17:51:51 | clc.red ... ername) |
+| logInjectionBad.js:52:27:52:56 | colors. ... ername) | logInjectionBad.js:52:17:52:65 | sliceAn ... 20, 30) |
+| logInjectionBad.js:52:27:52:56 | colors. ... ername) | logInjectionBad.js:52:17:52:65 | sliceAn ... 20, 30) |
+| logInjectionBad.js:52:48:52:55 | username | logInjectionBad.js:52:27:52:56 | colors. ... ername) |
 #select
 | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:23:37:23:44 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:23:37:23:44 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:24:35:24:42 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:24:35:24:42 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:25:36:25:43 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:25:36:25:43 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
-| logInjectionBad.js:45:18:45:54 | ansiCol ... ername) | logInjectionBad.js:42:23:42:29 | req.url | logInjectionBad.js:45:18:45:54 | ansiCol ... ername) | $@ flows to log entry. | logInjectionBad.js:42:23:42:29 | req.url | User-provided value |
-| logInjectionBad.js:46:18:46:47 | colors. ... ername) | logInjectionBad.js:42:23:42:29 | req.url | logInjectionBad.js:46:18:46:47 | colors. ... ername) | $@ flows to log entry. | logInjectionBad.js:42:23:42:29 | req.url | User-provided value |
-| logInjectionBad.js:47:18:47:61 | wrapAns ... e), 20) | logInjectionBad.js:42:23:42:29 | req.url | logInjectionBad.js:47:18:47:61 | wrapAns ... e), 20) | $@ flows to log entry. | logInjectionBad.js:42:23:42:29 | req.url | User-provided value |
-| logInjectionBad.js:48:17:48:47 | underli ... name))) | logInjectionBad.js:42:23:42:29 | req.url | logInjectionBad.js:48:17:48:47 | underli ... name))) | $@ flows to log entry. | logInjectionBad.js:42:23:42:29 | req.url | User-provided value |
-| logInjectionBad.js:49:17:49:76 | highlig ...  true}) | logInjectionBad.js:42:23:42:29 | req.url | logInjectionBad.js:49:17:49:76 | highlig ...  true}) | $@ flows to log entry. | logInjectionBad.js:42:23:42:29 | req.url | User-provided value |
-| logInjectionBad.js:50:17:50:51 | clc.red ... ername) | logInjectionBad.js:42:23:42:29 | req.url | logInjectionBad.js:50:17:50:51 | clc.red ... ername) | $@ flows to log entry. | logInjectionBad.js:42:23:42:29 | req.url | User-provided value |
+| logInjectionBad.js:46:18:46:54 | ansiCol ... ername) | logInjectionBad.js:43:23:43:29 | req.url | logInjectionBad.js:46:18:46:54 | ansiCol ... ername) | $@ flows to log entry. | logInjectionBad.js:43:23:43:29 | req.url | User-provided value |
+| logInjectionBad.js:47:18:47:47 | colors. ... ername) | logInjectionBad.js:43:23:43:29 | req.url | logInjectionBad.js:47:18:47:47 | colors. ... ername) | $@ flows to log entry. | logInjectionBad.js:43:23:43:29 | req.url | User-provided value |
+| logInjectionBad.js:48:18:48:61 | wrapAns ... e), 20) | logInjectionBad.js:43:23:43:29 | req.url | logInjectionBad.js:48:18:48:61 | wrapAns ... e), 20) | $@ flows to log entry. | logInjectionBad.js:43:23:43:29 | req.url | User-provided value |
+| logInjectionBad.js:49:17:49:47 | underli ... name))) | logInjectionBad.js:43:23:43:29 | req.url | logInjectionBad.js:49:17:49:47 | underli ... name))) | $@ flows to log entry. | logInjectionBad.js:43:23:43:29 | req.url | User-provided value |
+| logInjectionBad.js:50:17:50:76 | highlig ...  true}) | logInjectionBad.js:43:23:43:29 | req.url | logInjectionBad.js:50:17:50:76 | highlig ...  true}) | $@ flows to log entry. | logInjectionBad.js:43:23:43:29 | req.url | User-provided value |
+| logInjectionBad.js:51:17:51:51 | clc.red ... ername) | logInjectionBad.js:43:23:43:29 | req.url | logInjectionBad.js:51:17:51:51 | clc.red ... ername) | $@ flows to log entry. | logInjectionBad.js:43:23:43:29 | req.url | User-provided value |
+| logInjectionBad.js:52:17:52:65 | sliceAn ... 20, 30) | logInjectionBad.js:43:23:43:29 | req.url | logInjectionBad.js:52:17:52:65 | sliceAn ... 20, 30) | $@ flows to log entry. | logInjectionBad.js:43:23:43:29 | req.url | User-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-117/logInjectionBad.js b/javascript/ql/test/query-tests/Security/CWE-117/logInjectionBad.js
@@ -37,6 +37,7 @@ import wrapAnsi from 'wrap-ansi';
 import { blue, bold, underline } from "colorette"
 const highlight = require('cli-highlight').highlight;
 var clc = require("cli-color");
+import sliceAnsi from 'slice-ansi';
 
 const server2 = http.createServer((req, res) => {
     let q = url.parse(req.url, true);
@@ -48,4 +49,5 @@ const server2 = http.createServer((req, res) => {
     console.log(underline(bold(blue(username)))); // NOT OK
     console.log(highlight(username, {language: 'sql', ignoreIllegals: true})); // NOT OK
     console.log(clc.red.bgWhite.underline(username)); // NOT OK
+    console.log(sliceAnsi(colors.red.underline(username), 20, 30)); // NOT OK
 });

Original file line number	Diff line number	Diff line change
`@@ -278,3 +278,15 @@ class CliColorStep extends TaintTracking::SharedTaintStep {`
`278`	`278`	`)`
`279`	`279`	`}`
`280`	`280`	`}`
	`281`	`+`
	`282`	`+/**`
	`283`	+ * A step through the [`slice-ansi`](https://npmjs.org/package/slice-ansi) library.
	`284`	`+ */`
	`285`	`+class SliceAnsiStep extends TaintTracking::SharedTaintStep {`
	`286`	`+ override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node succ) {`
	`287`	`+ exists(API::CallNode call \| call = API::moduleImport("slice-ansi").getACall() \|`
	`288`	`+ pred = call.getArgument(0) and`
	`289`	`+ succ = call`
	`290`	`+ )`
	`291`	`+ }`
	`292`	`+}`