|
2 | 2 | * Provides classes for modelling common markdown parsers and generators.
|
3 | 3 | */
|
4 | 4 |
|
| 5 | +import semmle.javascript.Unit |
5 | 6 | import javascript
|
6 | 7 |
|
7 | 8 | /**
|
8 |
| - * A taint step for the `marked` library, that converts markdown to HTML. |
| 9 | + * A module providing taint-steps for common markdown parsers and generators. |
9 | 10 | */
|
10 |
| -private class MarkedStep extends TaintTracking::SharedTaintStep { |
11 |
| - override predicate step(DataFlow::Node pred, DataFlow::Node succ) { |
12 |
| - exists(DataFlow::CallNode call | |
13 |
| - call = DataFlow::globalVarRef("marked").getACall() |
14 |
| - or |
15 |
| - call = DataFlow::moduleImport("marked").getACall() |
16 |
| - | |
17 |
| - succ = call and |
18 |
| - pred = call.getArgument(0) |
19 |
| - ) |
| 11 | +module Markdown { |
| 12 | + /** |
| 13 | + * A taint-step that parses a markdown document, but preserves taint.import |
| 14 | + */ |
| 15 | + class MarkdownStep extends Unit { |
| 16 | + abstract predicate step(DataFlow::Node pred, DataFlow::Node succ); |
20 | 17 | }
|
21 |
| -} |
22 | 18 |
|
23 |
| -/** |
24 |
| - * A taint step for the `markdown-table` library. |
25 |
| - */ |
26 |
| -private class MarkdownTableStep extends TaintTracking::SharedTaintStep { |
27 |
| - override predicate step(DataFlow::Node pred, DataFlow::Node succ) { |
28 |
| - exists(DataFlow::CallNode call | call = DataFlow::moduleImport("markdown-table").getACall() | |
29 |
| - succ = call and |
30 |
| - pred = call.getArgument(0) |
31 |
| - ) |
| 19 | + private class MarkdownStepAsTaintStep extends TaintTracking::SharedTaintStep { |
| 20 | + override predicate step(DataFlow::Node pred, DataFlow::Node succ) { |
| 21 | + any(MarkdownStep step).step(pred, succ) |
| 22 | + } |
32 | 23 | }
|
33 |
| -} |
34 | 24 |
|
35 |
| -/** |
36 |
| - * A taint step for the `showdown` library. |
37 |
| - */ |
38 |
| -private class ShowDownStep extends TaintTracking::SharedTaintStep { |
39 |
| - override predicate step(DataFlow::Node pred, DataFlow::Node succ) { |
40 |
| - exists(DataFlow::CallNode call | |
41 |
| - call = |
42 |
| - [DataFlow::globalVarRef("showdown"), DataFlow::moduleImport("showdown")] |
43 |
| - .getAConstructorInvocation("Converter") |
44 |
| - .getAMemberCall(["makeHtml", "makeMd"]) |
45 |
| - | |
46 |
| - succ = call and |
47 |
| - pred = call.getArgument(0) |
48 |
| - ) |
| 25 | + /** |
| 26 | + * A taint step for the `marked` library, that converts markdown to HTML. |
| 27 | + */ |
| 28 | + private class MarkedStep extends MarkdownStep { |
| 29 | + override predicate step(DataFlow::Node pred, DataFlow::Node succ) { |
| 30 | + exists(DataFlow::CallNode call | |
| 31 | + call = DataFlow::globalVarRef("marked").getACall() |
| 32 | + or |
| 33 | + call = DataFlow::moduleImport("marked").getACall() |
| 34 | + | |
| 35 | + succ = call and |
| 36 | + pred = call.getArgument(0) |
| 37 | + ) |
| 38 | + } |
49 | 39 | }
|
50 |
| -} |
51 | 40 |
|
52 |
| -/** |
53 |
| - * Classes and predicates for modelling taint steps in `unified` and `remark`. |
54 |
| - */ |
55 |
| -private module Unified { |
56 | 41 | /**
|
57 |
| - * The creation of a parser from `unified`. |
58 |
| - * The `remark` module is a shorthand that initializes `unified` with a markdown parser. |
| 42 | + * A taint step for the `markdown-table` library. |
59 | 43 | */
|
60 |
| - DataFlow::CallNode unified() { result = DataFlow::moduleImport(["unified", "remark"]).getACall() } |
| 44 | + private class MarkdownTableStep extends MarkdownStep { |
| 45 | + override predicate step(DataFlow::Node pred, DataFlow::Node succ) { |
| 46 | + exists(DataFlow::CallNode call | call = DataFlow::moduleImport("markdown-table").getACall() | |
| 47 | + succ = call and |
| 48 | + pred = call.getArgument(0) |
| 49 | + ) |
| 50 | + } |
| 51 | + } |
61 | 52 |
|
62 | 53 | /**
|
63 |
| - * A chain of method calls that process an input with `unified`. |
| 54 | + * A taint step for the `showdown` library. |
64 | 55 | */
|
65 |
| - class UnifiedChain extends DataFlow::CallNode { |
66 |
| - DataFlow::CallNode root; |
67 |
| - |
68 |
| - UnifiedChain() { |
69 |
| - root = unified() and |
70 |
| - this = root.getAChainedMethodCall(["process", "processSync"]) |
| 56 | + private class ShowDownStep extends MarkdownStep { |
| 57 | + override predicate step(DataFlow::Node pred, DataFlow::Node succ) { |
| 58 | + exists(DataFlow::CallNode call | |
| 59 | + call = |
| 60 | + [DataFlow::globalVarRef("showdown"), DataFlow::moduleImport("showdown")] |
| 61 | + .getAConstructorInvocation("Converter") |
| 62 | + .getAMemberCall(["makeHtml", "makeMd"]) |
| 63 | + | |
| 64 | + succ = call and |
| 65 | + pred = call.getArgument(0) |
| 66 | + ) |
71 | 67 | }
|
| 68 | + } |
72 | 69 |
|
| 70 | + /** |
| 71 | + * Classes and predicates for modelling taint steps in `unified` and `remark`. |
| 72 | + */ |
| 73 | + private module Unified { |
73 | 74 | /**
|
74 |
| - * Gets a plugin that is used in this chain. |
| 75 | + * The creation of a parser from `unified`. |
| 76 | + * The `remark` module is a shorthand that initializes `unified` with a markdown parser. |
75 | 77 | */
|
76 |
| - DataFlow::Node getAUsedPlugin() { result = root.getAChainedMethodCall("use").getArgument(0) } |
| 78 | + DataFlow::CallNode unified() { |
| 79 | + result = DataFlow::moduleImport(["unified", "remark"]).getACall() |
| 80 | + } |
77 | 81 |
|
78 | 82 | /**
|
79 |
| - * Gets the input that is processed. |
| 83 | + * A chain of method calls that process an input with `unified`. |
80 | 84 | */
|
81 |
| - DataFlow::Node getInput() { result = getArgument(0) } |
| 85 | + class UnifiedChain extends DataFlow::CallNode { |
| 86 | + DataFlow::CallNode root; |
| 87 | + |
| 88 | + UnifiedChain() { |
| 89 | + root = unified() and |
| 90 | + this = root.getAChainedMethodCall(["process", "processSync"]) |
| 91 | + } |
| 92 | + |
| 93 | + /** |
| 94 | + * Gets a plugin that is used in this chain. |
| 95 | + */ |
| 96 | + DataFlow::Node getAUsedPlugin() { result = root.getAChainedMethodCall("use").getArgument(0) } |
| 97 | + |
| 98 | + /** |
| 99 | + * Gets the input that is processed. |
| 100 | + */ |
| 101 | + DataFlow::Node getInput() { result = getArgument(0) } |
| 102 | + |
| 103 | + /** |
| 104 | + * Gets the processed output. |
| 105 | + */ |
| 106 | + DataFlow::Node getOutput() { |
| 107 | + this.getCalleeName() = "process" and result = getABoundCallbackParameter(1, 1) |
| 108 | + or |
| 109 | + this.getCalleeName() = "processSync" and result = this |
| 110 | + } |
| 111 | + } |
82 | 112 |
|
83 | 113 | /**
|
84 |
| - * Gets the processed output. |
| 114 | + * A taint step for the `unified` library. |
85 | 115 | */
|
86 |
| - DataFlow::Node getOutput() { |
87 |
| - this.getCalleeName() = "process" and result = getABoundCallbackParameter(1, 1) |
88 |
| - or |
89 |
| - this.getCalleeName() = "processSync" and result = this |
| 116 | + class UnifiedStep extends MarkdownStep { |
| 117 | + override predicate step(DataFlow::Node pred, DataFlow::Node succ) { |
| 118 | + exists(UnifiedChain chain | |
| 119 | + // sanitizer. Mostly looking for `rehype-sanitize`, but also other plugins with `sanitize` in their name. |
| 120 | + not chain.getAUsedPlugin().getALocalSource() = |
| 121 | + DataFlow::moduleImport(any(string s | s.matches("%sanitize%"))) |
| 122 | + | |
| 123 | + pred = chain.getInput() and |
| 124 | + succ = chain.getOutput() |
| 125 | + ) |
| 126 | + } |
90 | 127 | }
|
91 | 128 | }
|
92 | 129 |
|
93 | 130 | /**
|
94 |
| - * A taint step for the `unified` library. |
| 131 | + * A taint step for the `snarkdown` library. |
95 | 132 | */
|
96 |
| - class UnifiedStep extends TaintTracking::SharedTaintStep { |
| 133 | + private class SnarkdownStep extends MarkdownStep { |
97 | 134 | override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
|
98 |
| - exists(UnifiedChain chain | |
99 |
| - // sanitizer. Mostly looking for `rehype-sanitize`, but also other plugins with `sanitize` in their name. |
100 |
| - not chain.getAUsedPlugin().getALocalSource() = |
101 |
| - DataFlow::moduleImport(any(string s | s.matches("%sanitize%"))) |
102 |
| - | |
103 |
| - pred = chain.getInput() and |
104 |
| - succ = chain.getOutput() |
| 135 | + exists(DataFlow::CallNode call | call = DataFlow::moduleImport("snarkdown").getACall() | |
| 136 | + call = succ and |
| 137 | + pred = call.getArgument(0) |
105 | 138 | )
|
106 | 139 | }
|
107 | 140 | }
|
108 |
| -} |
109 | 141 |
|
110 |
| -/** |
111 |
| - * A taint step for the `snarkdown` library. |
112 |
| - */ |
113 |
| -private class SnarkdownStep extends TaintTracking::SharedTaintStep { |
114 |
| - override predicate step(DataFlow::Node pred, DataFlow::Node succ) { |
115 |
| - exists(DataFlow::CallNode call | call = DataFlow::moduleImport("snarkdown").getACall() | |
116 |
| - call = succ and |
117 |
| - pred = call.getArgument(0) |
118 |
| - ) |
119 |
| - } |
120 |
| -} |
121 |
| - |
122 |
| -/** |
123 |
| - * Classes and predicates for modelling taint steps the `markdown-it` library. |
124 |
| - */ |
125 |
| -private module MarkdownIt { |
126 | 142 | /**
|
127 |
| - * The creation of a parser from `markdown-it`. |
| 143 | + * Classes and predicates for modelling taint steps the `markdown-it` library. |
128 | 144 | */
|
129 |
| - private API::Node markdownIt() { |
130 |
| - exists(API::InvokeNode call | |
131 |
| - call = API::moduleImport("markdown-it").getAnInvocation() |
| 145 | + private module MarkdownIt { |
| 146 | + /** |
| 147 | + * The creation of a parser from `markdown-it`. |
| 148 | + */ |
| 149 | + private API::Node markdownIt() { |
| 150 | + exists(API::InvokeNode call | |
| 151 | + call = API::moduleImport("markdown-it").getAnInvocation() |
| 152 | + or |
| 153 | + call = API::moduleImport("markdown-it").getMember("Markdown").getAnInvocation() |
| 154 | + | |
| 155 | + call.getParameter(0).getMember("html").getARhs().mayHaveBooleanValue(true) and |
| 156 | + result = call.getReturn() |
| 157 | + ) |
132 | 158 | or
|
133 |
| - call = API::moduleImport("markdown-it").getMember("Markdown").getAnInvocation() |
134 |
| - | |
135 |
| - call.getParameter(0).getMember("html").getARhs().mayHaveBooleanValue(true) and |
136 |
| - result = call.getReturn() |
137 |
| - ) |
138 |
| - or |
139 |
| - exists(API::CallNode call | |
140 |
| - call = markdownIt().getMember(["use", "set", "configure", "enable", "disable"]).getACall() and |
141 |
| - result = call.getReturn() and |
142 |
| - not call.getParameter(0).getAValueReachingRhs() = |
143 |
| - DataFlow::moduleImport("markdown-it-sanitizer") |
144 |
| - ) |
145 |
| - } |
146 |
| - |
147 |
| - /** |
148 |
| - * A taint step for the `markdown-it` library. |
149 |
| - */ |
150 |
| - private class MarkdownItStep extends TaintTracking::SharedTaintStep { |
151 |
| - override predicate step(DataFlow::Node pred, DataFlow::Node succ) { |
152 | 159 | exists(API::CallNode call |
|
153 |
| - call = markdownIt().getMember(["render", "renderInline"]).getACall() |
154 |
| - | |
155 |
| - succ = call and |
156 |
| - pred = call.getArgument(0) |
| 160 | + call = markdownIt().getMember(["use", "set", "configure", "enable", "disable"]).getACall() and |
| 161 | + result = call.getReturn() and |
| 162 | + not call.getParameter(0).getAValueReachingRhs() = |
| 163 | + DataFlow::moduleImport("markdown-it-sanitizer") |
157 | 164 | )
|
158 | 165 | }
|
| 166 | + |
| 167 | + /** |
| 168 | + * A taint step for the `markdown-it` library. |
| 169 | + */ |
| 170 | + private class MarkdownItStep extends MarkdownStep { |
| 171 | + override predicate step(DataFlow::Node pred, DataFlow::Node succ) { |
| 172 | + exists(API::CallNode call | |
| 173 | + call = markdownIt().getMember(["render", "renderInline"]).getACall() |
| 174 | + | |
| 175 | + succ = call and |
| 176 | + pred = call.getArgument(0) |
| 177 | + ) |
| 178 | + } |
| 179 | + } |
159 | 180 | }
|
160 | 181 | }
|
0 commit comments