Merge pull request github#6009 from erik-krogh/whatwg-fetch

codeql-ci · web-flow · commit eb0491598a7f · 2021-06-04T08:19:36.000-07:00
Approved by esbena
diff --git a/javascript/change-notes/2021-06-04-whatwg-fetch.md b/javascript/change-notes/2021-06-04-whatwg-fetch.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* URIs used in the [whatwg-fetch](https://www.npmjs.com/package/whatwg-fetch) library are now recognized as sinks for `js/request-forgery`.
+  Affected packages are
+    [whatwg-fetch](https://www.npmjs.com/package/whatwg-fetch)
diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -302,6 +302,8 @@ module ClientRequest {
       exists(DataFlow::SourceNode fetch |
         fetch = DataFlow::moduleImport(["node-fetch", "cross-fetch", "isomorphic-fetch"])
         or
+        fetch = DataFlow::moduleMember("whatwg-fetch", "fetch")
+        or
         fetch = DataFlow::globalVarRef("fetch") // https://fetch.spec.whatwg.org/#fetch-api
       |
         this = fetch.getACall() and
diff --git a/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected b/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
@@ -88,6 +88,7 @@ test_ClientRequest
 | tst.js:274:1:283:2 | httpPro ... true\\n}) |
 | tst.js:286:20:286:55 | new Web ... :8080') |
 | tst.js:296:5:299:6 | axios({ ... \\n    }) |
+| tst.js:312:12:312:36 | fetchPo ... o/bar') |
 test_getADataNode
 | tst.js:53:5:53:23 | axios({data: data}) | tst.js:53:18:53:21 | data |
 | tst.js:57:5:57:39 | axios.p ... data2}) | tst.js:57:19:57:23 | data1 |
@@ -230,6 +231,7 @@ test_getUrl
 | tst.js:286:20:286:55 | new Web ... :8080') | tst.js:286:34:286:54 | 'ws://l ... t:8080' |
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:296:11:299:5 | {\\n      ... ,\\n    } |
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:298:14:298:44 | "http:/ ... -axios" |
+| tst.js:312:12:312:36 | fetchPo ... o/bar') | tst.js:312:26:312:35 | '/foo/bar' |
 test_getAResponseDataNode
 | tst.js:19:5:19:23 | requestPromise(url) | tst.js:19:5:19:23 | requestPromise(url) | text | true |
 | tst.js:21:5:21:23 | superagent.get(url) | tst.js:21:5:21:23 | superagent.get(url) | stream | true |
@@ -301,3 +303,4 @@ test_getAResponseDataNode
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:302:28:302:39 | err.response | json | false |
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:303:26:303:37 | err.response | json | false |
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:304:27:304:38 | err.response | json | false |
+| tst.js:312:12:312:36 | fetchPo ... o/bar') | tst.js:312:12:312:36 | fetchPo ... o/bar') | fetch.response | true |
diff --git a/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js b/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js
@@ -304,4 +304,13 @@ function moreAxios() {
             const agent = err.response.headers.useragent;
         }
     );
-}
+}
+
+import { fetch as fetchPolyfill } from 'whatwg-fetch'
+
+function usePolyfill() {
+    return fetchPolyfill('/foo/bar')
+        .then(function (response) {
+            return response.text()
+        })
+}

Original file line number	Diff line number	Diff line change
`@@ -302,6 +302,8 @@ module ClientRequest {`
`302`	`302`	`exists(DataFlow::SourceNode fetch \|`
`303`	`303`	`fetch = DataFlow::moduleImport(["node-fetch", "cross-fetch", "isomorphic-fetch"])`
`304`	`304`	`or`
	`305`	`+ fetch = DataFlow::moduleMember("whatwg-fetch", "fetch")`
	`306`	`+ or`
`305`	`307`	`fetch = DataFlow::globalVarRef("fetch") // https://fetch.spec.whatwg.org/#fetch-api`
`306`	`308`	`\|`
`307`	`309`	`this = fetch.getACall() and`