add taint step through the json2csv library

erik-krogh · erik-krogh · commit cb3bd4901b76 · 2021-07-12T10:51:42.000+02:00
diff --git a/javascript/change-notes/2021-06-24-json.md b/javascript/change-notes/2021-06-24-json.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The dataflow libraries now model dataflow through more JSON utility libraries.
+  Affected packages are
+    [json2csv](https://npmjs.com/package/json2csv)
diff --git a/javascript/ql/src/semmle/javascript/JsonStringifiers.qll b/javascript/ql/src/semmle/javascript/JsonStringifiers.qll
@@ -34,3 +34,22 @@ class JsonStringifyCall extends DataFlow::CallNode {
    */
   DataFlow::SourceNode getOutput() { result = this }
 }
+
+/**
+ * A taint step through the [`json2csv`](https://www.npmjs.com/package/json2csv) library.
+ */
+class JSON2CSVTaintStep extends TaintTracking::SharedTaintStep {
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call |
+      call =
+        API::moduleImport("json2csv")
+            .getMember("Parser")
+            .getInstance()
+            .getMember("parse")
+            .getACall()
+    |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -90,6 +90,7 @@ typeInferenceMismatch
 | json-stringify.js:2:16:2:23 | source() | json-stringify.js:16:8:16:38 | require ... source) |
 | json-stringify.js:2:16:2:23 | source() | json-stringify.js:17:8:17:39 | require ... source) |
 | json-stringify.js:2:16:2:23 | source() | json-stringify.js:18:8:18:40 | require ... source) |
+| json-stringify.js:2:16:2:23 | source() | json-stringify.js:21:8:21:46 | new jso ... source) |
 | json-stringify.js:3:15:3:22 | source() | json-stringify.js:8:8:8:31 | jsonStr ... (taint) |
 | nested-props.js:4:13:4:20 | source() | nested-props.js:5:10:5:14 | obj.x |
 | nested-props.js:9:18:9:25 | source() | nested-props.js:10:10:10:16 | obj.x.y |
diff --git a/javascript/ql/test/library-tests/TaintTracking/json-stringify.js b/javascript/ql/test/library-tests/TaintTracking/json-stringify.js
@@ -16,4 +16,7 @@ function foo() {
   sink(require("util").inspect(source)); // NOT OK
   sink(require("pretty-format")(source)); // NOT OK
   sink(require("object-inspect")(source)); // NOT OK
+  
+  const json2csv = require('json2csv');
+  sink(new json2csv.Parser(opts).parse(source)); // NOT OK
 }

Original file line number	Diff line number	Diff line change
`@@ -16,4 +16,7 @@ function foo() {`
`16`	`16`	`sink(require("util").inspect(source)); // NOT OK`
`17`	`17`	`sink(require("pretty-format")(source)); // NOT OK`
`18`	`18`	`sink(require("object-inspect")(source)); // NOT OK`
	`19`	`+`
	`20`	`+ const json2csv = require('json2csv');`
	`21`	`+ sink(new json2csv.Parser(opts).parse(source)); // NOT OK`
`19`	`22`	`}`