add sort-keys as a clone call

Author: erik-krogh

javascript/change-notes/2021-07-15-sort-keys.md

@@ -0,0 +1,5 @@
+lgtm,codescanning
+* The dataflow libraries now model dataflow in the `sort-keys` and `camelcase-keys` library.
+  Affected packages are
+    [sort-keys](https://npmjs.com/package/sort-keys),
+    [camelcase-keys](https://npmjs.com/package/camelcase-keys)

javascript/ql/src/semmle/javascript/Extend.qll

@@ -183,7 +183,8 @@ private import semmle.javascript.dataflow.internal.PreCallGraphStep
 private class CloneStep extends PreCallGraphStep {
   override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
     exists(DataFlow::CallNode call |
-      call = DataFlow::moduleImport(["clone", "fclone"]).getACall()
+      // `camelcase-keys` isn't quite a cloning library. But it's pretty close.
+      call = DataFlow::moduleImport(["clone", "fclone", "sort-keys", "camelcase-keys"]).getACall()
       or
       call = DataFlow::moduleMember("json-cycle", ["decycle", "retrocycle"]).getACall()
     |

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst2.js

@@ -72,6 +72,19 @@ app.get('/baz', function(req, res) {
   obj.p = p;
   var other = jc.retrocycle(jc.decycle(obj));
 
+  res.send(p); // NOT OK
+  res.send(other.p); // NOT OK
+});
+
+const sortKeys = require('sort-keys');
+
+app.get('/baz', function(req, res) {
+  let { p } = req.params;
+
+  var obj = {};
+  obj.p = p;
+  var other = sortKeys(obj);
+
   res.send(p); // NOT OK
   res.send(other.p); // NOT OK
 });