add taint step through the ansi-colors library

Author: erik-krogh

javascript/change-notes/2021-06-22-colors.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The dataflow libraries now model dataflow through console styling libraries.
+  Affected packages are
+    [ansi-colors](https://npmjs.com/package/ansi-colors)

javascript/ql/src/semmle/javascript/frameworks/Logging.qll

@@ -201,3 +201,15 @@ private class DebugLoggerCall extends LoggerCall, API::CallNode {
 
   override DataFlow::Node getAMessageComponent() { result = getAnArgument() }
 }
+
+/**
+ * A step through the [`ansi-colors`](https://https://npmjs.org/package/ansi-colors) library.
+ */
+class AnsiColorsStep extends TaintTracking::SharedTaintStep {
+  override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call | call = API::moduleImport("ansi-colors").getAMember*().getACall() |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}

javascript/ql/test/query-tests/Security/CWE-117/LogInjection.expected

@@ -22,6 +22,17 @@ nodes
 | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
 | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
 | logInjectionBad.js:30:42:30:46 | error |
+| logInjectionBad.js:37:9:37:36 | q |
+| logInjectionBad.js:37:13:37:36 | url.par ... , true) |
+| logInjectionBad.js:37:23:37:29 | req.url |
+| logInjectionBad.js:37:23:37:29 | req.url |
+| logInjectionBad.js:38:9:38:35 | username |
+| logInjectionBad.js:38:20:38:20 | q |
+| logInjectionBad.js:38:20:38:26 | q.query |
+| logInjectionBad.js:38:20:38:35 | q.query.username |
+| logInjectionBad.js:40:18:40:54 | ansiCol ... ername) |
+| logInjectionBad.js:40:18:40:54 | ansiCol ... ername) |
+| logInjectionBad.js:40:46:40:53 | username |
 edges
 | logInjectionBad.js:19:9:19:36 | q | logInjectionBad.js:20:20:20:20 | q |
 | logInjectionBad.js:19:13:19:36 | url.par ... , true) | logInjectionBad.js:19:9:19:36 | q |
@@ -45,9 +56,20 @@ edges
 | logInjectionBad.js:29:14:29:18 | error | logInjectionBad.js:30:42:30:46 | error |
 | logInjectionBad.js:30:42:30:46 | error | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
 | logInjectionBad.js:30:42:30:46 | error | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
+| logInjectionBad.js:37:9:37:36 | q | logInjectionBad.js:38:20:38:20 | q |
+| logInjectionBad.js:37:13:37:36 | url.par ... , true) | logInjectionBad.js:37:9:37:36 | q |
+| logInjectionBad.js:37:23:37:29 | req.url | logInjectionBad.js:37:13:37:36 | url.par ... , true) |
+| logInjectionBad.js:37:23:37:29 | req.url | logInjectionBad.js:37:13:37:36 | url.par ... , true) |
+| logInjectionBad.js:38:9:38:35 | username | logInjectionBad.js:40:46:40:53 | username |
+| logInjectionBad.js:38:20:38:20 | q | logInjectionBad.js:38:20:38:26 | q.query |
+| logInjectionBad.js:38:20:38:26 | q.query | logInjectionBad.js:38:20:38:35 | q.query.username |
+| logInjectionBad.js:38:20:38:35 | q.query.username | logInjectionBad.js:38:9:38:35 | username |
+| logInjectionBad.js:40:46:40:53 | username | logInjectionBad.js:40:18:40:54 | ansiCol ... ername) |
+| logInjectionBad.js:40:46:40:53 | username | logInjectionBad.js:40:18:40:54 | ansiCol ... ername) |
 #select
 | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:23:37:23:44 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:23:37:23:44 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:24:35:24:42 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:24:35:24:42 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:25:36:25:43 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:25:36:25:43 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
+| logInjectionBad.js:40:18:40:54 | ansiCol ... ername) | logInjectionBad.js:37:23:37:29 | req.url | logInjectionBad.js:40:18:40:54 | ansiCol ... ername) | $@ flows to log entry. | logInjectionBad.js:37:23:37:29 | req.url | User-provided value |

javascript/ql/test/query-tests/Security/CWE-117/logInjectionBad.js

@@ -29,4 +29,13 @@ const server = http.createServer((req, res) => {
     } catch (error) {
         console.error(`[ERROR] Error: "${error}"`); // NOT OK
     }
+});
+
+const ansiColors = require('ansi-colors');
+
+const server2 = http.createServer((req, res) => {
+    let q = url.parse(req.url, true);
+    let username = q.query.username;
+
+    console.info(ansiColors.yellow.underline(username)); // NOT OK
 });