add taint step through flatten libraries

erik-krogh · erik-krogh · commit d2c74480b9e4 · 2021-07-15T12:36:07.000+02:00
diff --git a/javascript/change-notes/2021-07-15-array-libs.md b/javascript/change-notes/2021-07-15-array-libs.md
@@ -8,4 +8,8 @@ lgtm,codescanning
     [array-ify](https://npmjs.com/package/array-ify),
     [array-union](https://npmjs.com/package/array-union),
     [array-uniq](https://npmjs.com/package/array-uniq),
-    [uniq](https://npmjs.com/package/uniq)
+    [uniq](https://npmjs.com/package/uniq),
+    [array-flatten](https://npmjs.com/package/array-flatten),
+    [arr-flatten](https://npmjs.com/package/arr-flatten),
+    [flatten](https://npmjs.com/package/flatten),
+    [array.prototype.flat](https://npmjs.com/package/array.prototype.flat)
diff --git a/javascript/ql/src/semmle/javascript/Arrays.qll b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -389,4 +389,21 @@ private module ArrayLibraries {
       )
     }
   }
+
+  /**
+   * A taint step through a call to `Array.prototype.flat` or a polyfill implementing array flattening.
+   */
+  private class ArrayFlatStep extends TaintTracking::SharedTaintStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(DataFlow::CallNode call | succ = call |
+        call.(DataFlow::MethodCallNode).getMethodName() = "flat" and
+        pred = call.getReceiver()
+        or
+        call =
+          API::moduleImport(["array-flatten", "arr-flatten", "flatten", "array.prototype.flat"])
+              .getACall() and
+        pred = call.getAnArgument()
+      )
+    }
+  }
 }
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -15,6 +15,7 @@ typeInferenceMismatch
 | arrays.js:2:15:2:22 | source() | arrays.js:5:10:5:20 | arrify(foo) |
 | arrays.js:2:15:2:22 | source() | arrays.js:8:10:8:22 | arrayIfy(foo) |
 | arrays.js:2:15:2:22 | source() | arrays.js:11:10:11:28 | union(["bla"], foo) |
+| arrays.js:2:15:2:22 | source() | arrays.js:14:10:14:18 | flat(foo) |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:4:8:4:8 | x |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:13:10:13:10 | x |
 | booleanOps.js:2:11:2:18 | source() | booleanOps.js:19:10:19:10 | x |
diff --git a/javascript/ql/test/library-tests/TaintTracking/arrays.js b/javascript/ql/test/library-tests/TaintTracking/arrays.js
@@ -9,4 +9,7 @@ function test() {
 
     const union = require("array-union");
     sink(union(["bla"], foo)); // NOT OK
+
+    const flat = require("arr-flatten");
+    sink(flat(foo)); // NOT OK
 }

Original file line number	Diff line number	Diff line change
`@@ -389,4 +389,21 @@ private module ArrayLibraries {`
`389`	`389`	`)`
`390`	`390`	`}`
`391`	`391`	`}`
	`392`	`+`
	`393`	`+ /**`
	`394`	+ * A taint step through a call to `Array.prototype.flat` or a polyfill implementing array flattening.
	`395`	`+ */`
	`396`	`+ private class ArrayFlatStep extends TaintTracking::SharedTaintStep {`
	`397`	`+ override predicate step(DataFlow::Node pred, DataFlow::Node succ) {`
	`398`	`+ exists(DataFlow::CallNode call \| succ = call \|`
	`399`	`+ call.(DataFlow::MethodCallNode).getMethodName() = "flat" and`
	`400`	`+ pred = call.getReceiver()`
	`401`	`+ or`
	`402`	`+ call =`
	`403`	`+ API::moduleImport(["array-flatten", "arr-flatten", "flatten", "array.prototype.flat"])`
	`404`	`+ .getACall() and`
	`405`	`+ pred = call.getAnArgument()`
	`406`	`+ )`
	`407`	`+ }`
	`408`	`+ }`
`392`	`409`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9,4 +9,7 @@ function test() {`
`9`	`9`
`10`	`10`	`const union = require("array-union");`
`11`	`11`	`sink(union(["bla"], foo)); // NOT OK`
	`12`	`+`
	`13`	`+ const flat = require("arr-flatten");`
	`14`	`+ sink(flat(foo)); // NOT OK`
`12`	`15`	`}`