add step through the fclone library

erik-krogh · erik-krogh · commit 94cbc4b2c0b3 · 2021-07-12T10:51:43.000+02:00
diff --git a/javascript/change-notes/2021-06-24-json.md b/javascript/change-notes/2021-06-24-json.md
@@ -7,4 +7,5 @@ lgtm,codescanning
     [flatted](https://npmjs.com/package/flatted),
     [teleport-javascript](https://npmjs.com/package/teleport-javascript),
     [replicator](https://npmjs.com/package/replicator),
-    [safe-stable-stringify](https://npmjs.com/package/safe-stable-stringify)
+    [safe-stable-stringify](https://npmjs.com/package/safe-stable-stringify),
+    [fclone](https://npmjs.com/package/fclone)
diff --git a/javascript/ql/src/semmle/javascript/Extend.qll b/javascript/ql/src/semmle/javascript/Extend.qll
@@ -178,11 +178,11 @@ private class ExtendCallTaintStep extends TaintTracking::SharedTaintStep {
 private import semmle.javascript.dataflow.internal.PreCallGraphStep
 
 /**
- * A step for the `clone` package.
+ * A step through a cloning library, such as `clone` or `fclone`.
  */
 private class CloneStep extends PreCallGraphStep {
   override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(DataFlow::CallNode call | call = DataFlow::moduleImport("clone").getACall() |
+    exists(DataFlow::CallNode call | call = DataFlow::moduleImport(["clone", "fclone"]).getACall() |
       pred = call.getArgument(0) and
       succ = call
     )
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -190,6 +190,14 @@ nodes
 | tst2.js:49:36:49:36 | p |
 | tst2.js:51:12:51:17 | unsafe |
 | tst2.js:51:12:51:17 | unsafe |
+| tst2.js:57:7:57:24 | p |
+| tst2.js:57:9:57:9 | p |
+| tst2.js:57:9:57:9 | p |
+| tst2.js:60:11:60:11 | p |
+| tst2.js:63:12:63:12 | p |
+| tst2.js:63:12:63:12 | p |
+| tst2.js:64:12:64:18 | other.p |
+| tst2.js:64:12:64:18 | other.p |
 | tst3.js:5:7:5:24 | p |
 | tst3.js:5:9:5:9 | p |
 | tst3.js:5:9:5:9 | p |
@@ -359,6 +367,13 @@ edges
 | tst2.js:49:7:49:53 | unsafe | tst2.js:51:12:51:17 | unsafe |
 | tst2.js:49:16:49:53 | seriali ...  true}) | tst2.js:49:7:49:53 | unsafe |
 | tst2.js:49:36:49:36 | p | tst2.js:49:16:49:53 | seriali ...  true}) |
+| tst2.js:57:7:57:24 | p | tst2.js:60:11:60:11 | p |
+| tst2.js:57:7:57:24 | p | tst2.js:63:12:63:12 | p |
+| tst2.js:57:7:57:24 | p | tst2.js:63:12:63:12 | p |
+| tst2.js:57:9:57:9 | p | tst2.js:57:7:57:24 | p |
+| tst2.js:57:9:57:9 | p | tst2.js:57:7:57:24 | p |
+| tst2.js:60:11:60:11 | p | tst2.js:64:12:64:18 | other.p |
+| tst2.js:60:11:60:11 | p | tst2.js:64:12:64:18 | other.p |
 | tst3.js:5:7:5:24 | p | tst3.js:6:12:6:12 | p |
 | tst3.js:5:7:5:24 | p | tst3.js:6:12:6:12 | p |
 | tst3.js:5:9:5:9 | p | tst3.js:5:7:5:24 | p |
@@ -412,5 +427,7 @@ edges
 | tst2.js:36:12:36:12 | p | tst2.js:30:9:30:9 | p | tst2.js:36:12:36:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
 | tst2.js:37:12:37:18 | other.p | tst2.js:30:9:30:9 | p | tst2.js:37:12:37:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
 | tst2.js:51:12:51:17 | unsafe | tst2.js:43:9:43:9 | p | tst2.js:51:12:51:17 | unsafe | Cross-site scripting vulnerability due to $@. | tst2.js:43:9:43:9 | p | user-provided value |
+| tst2.js:63:12:63:12 | p | tst2.js:57:9:57:9 | p | tst2.js:63:12:63:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:57:9:57:9 | p | user-provided value |
+| tst2.js:64:12:64:18 | other.p | tst2.js:57:9:57:9 | p | tst2.js:64:12:64:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:57:9:57:9 | p | user-provided value |
 | tst3.js:6:12:6:12 | p | tst3.js:5:9:5:9 | p | tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to $@. | tst3.js:5:9:5:9 | p | user-provided value |
 | tst3.js:12:12:12:15 | code | tst3.js:11:32:11:39 | reg.body | tst3.js:12:12:12:15 | code | Cross-site scripting vulnerability due to $@. | tst3.js:11:32:11:39 | reg.body | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -40,5 +40,7 @@
 | tst2.js:36:12:36:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
 | tst2.js:37:12:37:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
 | tst2.js:51:12:51:17 | unsafe | Cross-site scripting vulnerability due to $@. | tst2.js:43:9:43:9 | p | user-provided value |
+| tst2.js:63:12:63:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:57:9:57:9 | p | user-provided value |
+| tst2.js:64:12:64:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:57:9:57:9 | p | user-provided value |
 | tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to $@. | tst3.js:5:9:5:9 | p | user-provided value |
 | tst3.js:12:12:12:15 | code | Cross-site scripting vulnerability due to $@. | tst3.js:11:32:11:39 | reg.body | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js
@@ -49,4 +49,17 @@ app.get('/baz', function(req, res) {
   var unsafe = serializeJavaScript(p, {unsafe: true});
 
   res.send(unsafe); // NOT OK
+});
+
+const fclone = require('fclone');
+
+app.get('/baz', function(req, res) {
+  let { p } = req.params;
+
+  var obj = {};
+  obj.p = p;
+  var other = fclone(obj);
+
+  res.send(p); // NOT OK
+  res.send(other.p); // NOT OK
 });
