add taint step through the wrap-ansi library

erik-krogh · erik-krogh · commit e4427bb34a9f · 2021-06-22T22:59:03.000+02:00
diff --git a/javascript/change-notes/2021-06-22-colors.md b/javascript/change-notes/2021-06-22-colors.md
@@ -2,4 +2,5 @@ lgtm,codescanning
 * The dataflow libraries now model dataflow through console styling libraries.
   Affected packages are
     [ansi-colors](https://npmjs.com/package/ansi-colors),
-    [colors](https://npmjs.com/package/colors)
+    [colors](https://npmjs.com/package/colors),
+    [wrap-ansi](https://npmjs.com/package/wrap-ansi)
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Logging.qll b/javascript/ql/src/semmle/javascript/frameworks/Logging.qll
@@ -228,3 +228,15 @@ class ColorsStep extends TaintTracking::SharedTaintStep {
     )
   }
 }
+
+/**
+ * A step through the [`wrap-ansi`](https://npmjs.org/package/wrap-ansi) library.
+ */
+class WrapAnsiStep extends TaintTracking::SharedTaintStep {
+  override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call | call = API::moduleImport("wrap-ansi").getACall() |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-117/LogInjection.expected b/javascript/ql/test/query-tests/Security/CWE-117/LogInjection.expected
@@ -22,20 +22,24 @@ nodes
 | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
 | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
 | logInjectionBad.js:30:42:30:46 | error |
-| logInjectionBad.js:38:9:38:36 | q |
-| logInjectionBad.js:38:13:38:36 | url.par ... , true) |
-| logInjectionBad.js:38:23:38:29 | req.url |
-| logInjectionBad.js:38:23:38:29 | req.url |
-| logInjectionBad.js:39:9:39:35 | username |
-| logInjectionBad.js:39:20:39:20 | q |
-| logInjectionBad.js:39:20:39:26 | q.query |
-| logInjectionBad.js:39:20:39:35 | q.query.username |
-| logInjectionBad.js:41:18:41:54 | ansiCol ... ername) |
-| logInjectionBad.js:41:18:41:54 | ansiCol ... ername) |
-| logInjectionBad.js:41:46:41:53 | username |
-| logInjectionBad.js:42:18:42:47 | colors. ... ername) |
-| logInjectionBad.js:42:18:42:47 | colors. ... ername) |
-| logInjectionBad.js:42:39:42:46 | username |
+| logInjectionBad.js:39:9:39:36 | q |
+| logInjectionBad.js:39:13:39:36 | url.par ... , true) |
+| logInjectionBad.js:39:23:39:29 | req.url |
+| logInjectionBad.js:39:23:39:29 | req.url |
+| logInjectionBad.js:40:9:40:35 | username |
+| logInjectionBad.js:40:20:40:20 | q |
+| logInjectionBad.js:40:20:40:26 | q.query |
+| logInjectionBad.js:40:20:40:35 | q.query.username |
+| logInjectionBad.js:42:18:42:54 | ansiCol ... ername) |
+| logInjectionBad.js:42:18:42:54 | ansiCol ... ername) |
+| logInjectionBad.js:42:46:42:53 | username |
+| logInjectionBad.js:43:18:43:47 | colors. ... ername) |
+| logInjectionBad.js:43:18:43:47 | colors. ... ername) |
+| logInjectionBad.js:43:39:43:46 | username |
+| logInjectionBad.js:44:18:44:61 | wrapAns ... e), 20) |
+| logInjectionBad.js:44:18:44:61 | wrapAns ... e), 20) |
+| logInjectionBad.js:44:27:44:56 | colors. ... ername) |
+| logInjectionBad.js:44:48:44:55 | username |
 edges
 | logInjectionBad.js:19:9:19:36 | q | logInjectionBad.js:20:20:20:20 | q |
 | logInjectionBad.js:19:13:19:36 | url.par ... , true) | logInjectionBad.js:19:9:19:36 | q |
@@ -59,24 +63,29 @@ edges
 | logInjectionBad.js:29:14:29:18 | error | logInjectionBad.js:30:42:30:46 | error |
 | logInjectionBad.js:30:42:30:46 | error | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
 | logInjectionBad.js:30:42:30:46 | error | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
-| logInjectionBad.js:38:9:38:36 | q | logInjectionBad.js:39:20:39:20 | q |
-| logInjectionBad.js:38:13:38:36 | url.par ... , true) | logInjectionBad.js:38:9:38:36 | q |
-| logInjectionBad.js:38:23:38:29 | req.url | logInjectionBad.js:38:13:38:36 | url.par ... , true) |
-| logInjectionBad.js:38:23:38:29 | req.url | logInjectionBad.js:38:13:38:36 | url.par ... , true) |
-| logInjectionBad.js:39:9:39:35 | username | logInjectionBad.js:41:46:41:53 | username |
-| logInjectionBad.js:39:9:39:35 | username | logInjectionBad.js:42:39:42:46 | username |
-| logInjectionBad.js:39:20:39:20 | q | logInjectionBad.js:39:20:39:26 | q.query |
-| logInjectionBad.js:39:20:39:26 | q.query | logInjectionBad.js:39:20:39:35 | q.query.username |
-| logInjectionBad.js:39:20:39:35 | q.query.username | logInjectionBad.js:39:9:39:35 | username |
-| logInjectionBad.js:41:46:41:53 | username | logInjectionBad.js:41:18:41:54 | ansiCol ... ername) |
-| logInjectionBad.js:41:46:41:53 | username | logInjectionBad.js:41:18:41:54 | ansiCol ... ername) |
-| logInjectionBad.js:42:39:42:46 | username | logInjectionBad.js:42:18:42:47 | colors. ... ername) |
-| logInjectionBad.js:42:39:42:46 | username | logInjectionBad.js:42:18:42:47 | colors. ... ername) |
+| logInjectionBad.js:39:9:39:36 | q | logInjectionBad.js:40:20:40:20 | q |
+| logInjectionBad.js:39:13:39:36 | url.par ... , true) | logInjectionBad.js:39:9:39:36 | q |
+| logInjectionBad.js:39:23:39:29 | req.url | logInjectionBad.js:39:13:39:36 | url.par ... , true) |
+| logInjectionBad.js:39:23:39:29 | req.url | logInjectionBad.js:39:13:39:36 | url.par ... , true) |
+| logInjectionBad.js:40:9:40:35 | username | logInjectionBad.js:42:46:42:53 | username |
+| logInjectionBad.js:40:9:40:35 | username | logInjectionBad.js:43:39:43:46 | username |
+| logInjectionBad.js:40:9:40:35 | username | logInjectionBad.js:44:48:44:55 | username |
+| logInjectionBad.js:40:20:40:20 | q | logInjectionBad.js:40:20:40:26 | q.query |
+| logInjectionBad.js:40:20:40:26 | q.query | logInjectionBad.js:40:20:40:35 | q.query.username |
+| logInjectionBad.js:40:20:40:35 | q.query.username | logInjectionBad.js:40:9:40:35 | username |
+| logInjectionBad.js:42:46:42:53 | username | logInjectionBad.js:42:18:42:54 | ansiCol ... ername) |
+| logInjectionBad.js:42:46:42:53 | username | logInjectionBad.js:42:18:42:54 | ansiCol ... ername) |
+| logInjectionBad.js:43:39:43:46 | username | logInjectionBad.js:43:18:43:47 | colors. ... ername) |
+| logInjectionBad.js:43:39:43:46 | username | logInjectionBad.js:43:18:43:47 | colors. ... ername) |
+| logInjectionBad.js:44:27:44:56 | colors. ... ername) | logInjectionBad.js:44:18:44:61 | wrapAns ... e), 20) |
+| logInjectionBad.js:44:27:44:56 | colors. ... ername) | logInjectionBad.js:44:18:44:61 | wrapAns ... e), 20) |
+| logInjectionBad.js:44:48:44:55 | username | logInjectionBad.js:44:27:44:56 | colors. ... ername) |
 #select
 | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:23:37:23:44 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:23:37:23:44 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:24:35:24:42 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:24:35:24:42 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:25:36:25:43 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:25:36:25:43 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
-| logInjectionBad.js:41:18:41:54 | ansiCol ... ername) | logInjectionBad.js:38:23:38:29 | req.url | logInjectionBad.js:41:18:41:54 | ansiCol ... ername) | $@ flows to log entry. | logInjectionBad.js:38:23:38:29 | req.url | User-provided value |
-| logInjectionBad.js:42:18:42:47 | colors. ... ername) | logInjectionBad.js:38:23:38:29 | req.url | logInjectionBad.js:42:18:42:47 | colors. ... ername) | $@ flows to log entry. | logInjectionBad.js:38:23:38:29 | req.url | User-provided value |
+| logInjectionBad.js:42:18:42:54 | ansiCol ... ername) | logInjectionBad.js:39:23:39:29 | req.url | logInjectionBad.js:42:18:42:54 | ansiCol ... ername) | $@ flows to log entry. | logInjectionBad.js:39:23:39:29 | req.url | User-provided value |
+| logInjectionBad.js:43:18:43:47 | colors. ... ername) | logInjectionBad.js:39:23:39:29 | req.url | logInjectionBad.js:43:18:43:47 | colors. ... ername) | $@ flows to log entry. | logInjectionBad.js:39:23:39:29 | req.url | User-provided value |
+| logInjectionBad.js:44:18:44:61 | wrapAns ... e), 20) | logInjectionBad.js:39:23:39:29 | req.url | logInjectionBad.js:44:18:44:61 | wrapAns ... e), 20) | $@ flows to log entry. | logInjectionBad.js:39:23:39:29 | req.url | User-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-117/logInjectionBad.js b/javascript/ql/test/query-tests/Security/CWE-117/logInjectionBad.js
@@ -33,11 +33,13 @@ const server = http.createServer((req, res) => {
 
 const ansiColors = require('ansi-colors');
 const colors = require('colors');
+import wrapAnsi from 'wrap-ansi';
 
 const server2 = http.createServer((req, res) => {
     let q = url.parse(req.url, true);
     let username = q.query.username;
 
     console.info(ansiColors.yellow.underline(username)); // NOT OK
     console.info(colors.red.underline(username)); // NOT OK
+    console.info(wrapAnsi(colors.red.underline(username), 20)); // NOT OK
 });

Original file line number	Diff line number	Diff line change
`@@ -228,3 +228,15 @@ class ColorsStep extends TaintTracking::SharedTaintStep {`
`228`	`228`	`)`
`229`	`229`	`}`
`230`	`230`	`}`
	`231`	`+`
	`232`	`+/**`
	`233`	+ * A step through the [`wrap-ansi`](https://npmjs.org/package/wrap-ansi) library.
	`234`	`+ */`
	`235`	`+class WrapAnsiStep extends TaintTracking::SharedTaintStep {`
	`236`	`+ override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node succ) {`
	`237`	`+ exists(API::CallNode call \| call = API::moduleImport("wrap-ansi").getACall() \|`
	`238`	`+ pred = call.getArgument(0) and`
	`239`	`+ succ = call`
	`240`	`+ )`
	`241`	`+ }`
	`242`	`+}`