add taint step through the cli-highlight library

erik-krogh · erik-krogh · commit ec9c885908fa · 2021-06-22T23:06:50.000+02:00
diff --git a/javascript/change-notes/2021-06-22-colors.md b/javascript/change-notes/2021-06-22-colors.md
@@ -4,4 +4,5 @@ lgtm,codescanning
     [ansi-colors](https://npmjs.com/package/ansi-colors),
     [colors](https://npmjs.com/package/colors),
     [wrap-ansi](https://npmjs.com/package/wrap-ansi),
-    [colorette](https://npmjs.com/package/colorette)
+    [colorette](https://npmjs.com/package/colorette),
+    [cli-highlight](https://npmjs.com/package/cli-highlight)
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Logging.qll b/javascript/ql/src/semmle/javascript/frameworks/Logging.qll
@@ -252,3 +252,17 @@ class ColoretteStep extends TaintTracking::SharedTaintStep {
     )
   }
 }
+
+/**
+ * A step through the [`cli-highlight`](https://npmjs.org/package/cli-highlight) library.
+ */
+class CliHighlightStep extends TaintTracking::SharedTaintStep {
+  override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call |
+      call = API::moduleImport("cli-highlight").getMember("highlight").getACall()
+    |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-117/LogInjection.expected b/javascript/ql/test/query-tests/Security/CWE-117/LogInjection.expected
@@ -22,29 +22,32 @@ nodes
 | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
 | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
 | logInjectionBad.js:30:42:30:46 | error |
-| logInjectionBad.js:40:9:40:36 | q |
-| logInjectionBad.js:40:13:40:36 | url.par ... , true) |
-| logInjectionBad.js:40:23:40:29 | req.url |
-| logInjectionBad.js:40:23:40:29 | req.url |
-| logInjectionBad.js:41:9:41:35 | username |
-| logInjectionBad.js:41:20:41:20 | q |
-| logInjectionBad.js:41:20:41:26 | q.query |
-| logInjectionBad.js:41:20:41:35 | q.query.username |
-| logInjectionBad.js:43:18:43:54 | ansiCol ... ername) |
-| logInjectionBad.js:43:18:43:54 | ansiCol ... ername) |
-| logInjectionBad.js:43:46:43:53 | username |
-| logInjectionBad.js:44:18:44:47 | colors. ... ername) |
-| logInjectionBad.js:44:18:44:47 | colors. ... ername) |
-| logInjectionBad.js:44:39:44:46 | username |
-| logInjectionBad.js:45:18:45:61 | wrapAns ... e), 20) |
-| logInjectionBad.js:45:18:45:61 | wrapAns ... e), 20) |
-| logInjectionBad.js:45:27:45:56 | colors. ... ername) |
-| logInjectionBad.js:45:48:45:55 | username |
-| logInjectionBad.js:46:17:46:47 | underli ... name))) |
-| logInjectionBad.js:46:17:46:47 | underli ... name))) |
-| logInjectionBad.js:46:27:46:46 | bold(blue(username)) |
-| logInjectionBad.js:46:32:46:45 | blue(username) |
-| logInjectionBad.js:46:37:46:44 | username |
+| logInjectionBad.js:41:9:41:36 | q |
+| logInjectionBad.js:41:13:41:36 | url.par ... , true) |
+| logInjectionBad.js:41:23:41:29 | req.url |
+| logInjectionBad.js:41:23:41:29 | req.url |
+| logInjectionBad.js:42:9:42:35 | username |
+| logInjectionBad.js:42:20:42:20 | q |
+| logInjectionBad.js:42:20:42:26 | q.query |
+| logInjectionBad.js:42:20:42:35 | q.query.username |
+| logInjectionBad.js:44:18:44:54 | ansiCol ... ername) |
+| logInjectionBad.js:44:18:44:54 | ansiCol ... ername) |
+| logInjectionBad.js:44:46:44:53 | username |
+| logInjectionBad.js:45:18:45:47 | colors. ... ername) |
+| logInjectionBad.js:45:18:45:47 | colors. ... ername) |
+| logInjectionBad.js:45:39:45:46 | username |
+| logInjectionBad.js:46:18:46:61 | wrapAns ... e), 20) |
+| logInjectionBad.js:46:18:46:61 | wrapAns ... e), 20) |
+| logInjectionBad.js:46:27:46:56 | colors. ... ername) |
+| logInjectionBad.js:46:48:46:55 | username |
+| logInjectionBad.js:47:17:47:47 | underli ... name))) |
+| logInjectionBad.js:47:17:47:47 | underli ... name))) |
+| logInjectionBad.js:47:27:47:46 | bold(blue(username)) |
+| logInjectionBad.js:47:32:47:45 | blue(username) |
+| logInjectionBad.js:47:37:47:44 | username |
+| logInjectionBad.js:48:17:48:76 | highlig ...  true}) |
+| logInjectionBad.js:48:17:48:76 | highlig ...  true}) |
+| logInjectionBad.js:48:27:48:34 | username |
 edges
 | logInjectionBad.js:19:9:19:36 | q | logInjectionBad.js:20:20:20:20 | q |
 | logInjectionBad.js:19:13:19:36 | url.par ... , true) | logInjectionBad.js:19:9:19:36 | q |
@@ -68,35 +71,39 @@ edges
 | logInjectionBad.js:29:14:29:18 | error | logInjectionBad.js:30:42:30:46 | error |
 | logInjectionBad.js:30:42:30:46 | error | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
 | logInjectionBad.js:30:42:30:46 | error | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
-| logInjectionBad.js:40:9:40:36 | q | logInjectionBad.js:41:20:41:20 | q |
-| logInjectionBad.js:40:13:40:36 | url.par ... , true) | logInjectionBad.js:40:9:40:36 | q |
-| logInjectionBad.js:40:23:40:29 | req.url | logInjectionBad.js:40:13:40:36 | url.par ... , true) |
-| logInjectionBad.js:40:23:40:29 | req.url | logInjectionBad.js:40:13:40:36 | url.par ... , true) |
-| logInjectionBad.js:41:9:41:35 | username | logInjectionBad.js:43:46:43:53 | username |
-| logInjectionBad.js:41:9:41:35 | username | logInjectionBad.js:44:39:44:46 | username |
-| logInjectionBad.js:41:9:41:35 | username | logInjectionBad.js:45:48:45:55 | username |
-| logInjectionBad.js:41:9:41:35 | username | logInjectionBad.js:46:37:46:44 | username |
-| logInjectionBad.js:41:20:41:20 | q | logInjectionBad.js:41:20:41:26 | q.query |
-| logInjectionBad.js:41:20:41:26 | q.query | logInjectionBad.js:41:20:41:35 | q.query.username |
-| logInjectionBad.js:41:20:41:35 | q.query.username | logInjectionBad.js:41:9:41:35 | username |
-| logInjectionBad.js:43:46:43:53 | username | logInjectionBad.js:43:18:43:54 | ansiCol ... ername) |
-| logInjectionBad.js:43:46:43:53 | username | logInjectionBad.js:43:18:43:54 | ansiCol ... ername) |
-| logInjectionBad.js:44:39:44:46 | username | logInjectionBad.js:44:18:44:47 | colors. ... ername) |
-| logInjectionBad.js:44:39:44:46 | username | logInjectionBad.js:44:18:44:47 | colors. ... ername) |
-| logInjectionBad.js:45:27:45:56 | colors. ... ername) | logInjectionBad.js:45:18:45:61 | wrapAns ... e), 20) |
-| logInjectionBad.js:45:27:45:56 | colors. ... ername) | logInjectionBad.js:45:18:45:61 | wrapAns ... e), 20) |
-| logInjectionBad.js:45:48:45:55 | username | logInjectionBad.js:45:27:45:56 | colors. ... ername) |
-| logInjectionBad.js:46:27:46:46 | bold(blue(username)) | logInjectionBad.js:46:17:46:47 | underli ... name))) |
-| logInjectionBad.js:46:27:46:46 | bold(blue(username)) | logInjectionBad.js:46:17:46:47 | underli ... name))) |
-| logInjectionBad.js:46:32:46:45 | blue(username) | logInjectionBad.js:46:27:46:46 | bold(blue(username)) |
-| logInjectionBad.js:46:37:46:44 | username | logInjectionBad.js:46:32:46:45 | blue(username) |
+| logInjectionBad.js:41:9:41:36 | q | logInjectionBad.js:42:20:42:20 | q |
+| logInjectionBad.js:41:13:41:36 | url.par ... , true) | logInjectionBad.js:41:9:41:36 | q |
+| logInjectionBad.js:41:23:41:29 | req.url | logInjectionBad.js:41:13:41:36 | url.par ... , true) |
+| logInjectionBad.js:41:23:41:29 | req.url | logInjectionBad.js:41:13:41:36 | url.par ... , true) |
+| logInjectionBad.js:42:9:42:35 | username | logInjectionBad.js:44:46:44:53 | username |
+| logInjectionBad.js:42:9:42:35 | username | logInjectionBad.js:45:39:45:46 | username |
+| logInjectionBad.js:42:9:42:35 | username | logInjectionBad.js:46:48:46:55 | username |
+| logInjectionBad.js:42:9:42:35 | username | logInjectionBad.js:47:37:47:44 | username |
+| logInjectionBad.js:42:9:42:35 | username | logInjectionBad.js:48:27:48:34 | username |
+| logInjectionBad.js:42:20:42:20 | q | logInjectionBad.js:42:20:42:26 | q.query |
+| logInjectionBad.js:42:20:42:26 | q.query | logInjectionBad.js:42:20:42:35 | q.query.username |
+| logInjectionBad.js:42:20:42:35 | q.query.username | logInjectionBad.js:42:9:42:35 | username |
+| logInjectionBad.js:44:46:44:53 | username | logInjectionBad.js:44:18:44:54 | ansiCol ... ername) |
+| logInjectionBad.js:44:46:44:53 | username | logInjectionBad.js:44:18:44:54 | ansiCol ... ername) |
+| logInjectionBad.js:45:39:45:46 | username | logInjectionBad.js:45:18:45:47 | colors. ... ername) |
+| logInjectionBad.js:45:39:45:46 | username | logInjectionBad.js:45:18:45:47 | colors. ... ername) |
+| logInjectionBad.js:46:27:46:56 | colors. ... ername) | logInjectionBad.js:46:18:46:61 | wrapAns ... e), 20) |
+| logInjectionBad.js:46:27:46:56 | colors. ... ername) | logInjectionBad.js:46:18:46:61 | wrapAns ... e), 20) |
+| logInjectionBad.js:46:48:46:55 | username | logInjectionBad.js:46:27:46:56 | colors. ... ername) |
+| logInjectionBad.js:47:27:47:46 | bold(blue(username)) | logInjectionBad.js:47:17:47:47 | underli ... name))) |
+| logInjectionBad.js:47:27:47:46 | bold(blue(username)) | logInjectionBad.js:47:17:47:47 | underli ... name))) |
+| logInjectionBad.js:47:32:47:45 | blue(username) | logInjectionBad.js:47:27:47:46 | bold(blue(username)) |
+| logInjectionBad.js:47:37:47:44 | username | logInjectionBad.js:47:32:47:45 | blue(username) |
+| logInjectionBad.js:48:27:48:34 | username | logInjectionBad.js:48:17:48:76 | highlig ...  true}) |
+| logInjectionBad.js:48:27:48:34 | username | logInjectionBad.js:48:17:48:76 | highlig ...  true}) |
 #select
 | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:23:37:23:44 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:23:37:23:44 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:24:35:24:42 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:24:35:24:42 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:25:36:25:43 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:25:36:25:43 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
-| logInjectionBad.js:43:18:43:54 | ansiCol ... ername) | logInjectionBad.js:40:23:40:29 | req.url | logInjectionBad.js:43:18:43:54 | ansiCol ... ername) | $@ flows to log entry. | logInjectionBad.js:40:23:40:29 | req.url | User-provided value |
-| logInjectionBad.js:44:18:44:47 | colors. ... ername) | logInjectionBad.js:40:23:40:29 | req.url | logInjectionBad.js:44:18:44:47 | colors. ... ername) | $@ flows to log entry. | logInjectionBad.js:40:23:40:29 | req.url | User-provided value |
-| logInjectionBad.js:45:18:45:61 | wrapAns ... e), 20) | logInjectionBad.js:40:23:40:29 | req.url | logInjectionBad.js:45:18:45:61 | wrapAns ... e), 20) | $@ flows to log entry. | logInjectionBad.js:40:23:40:29 | req.url | User-provided value |
-| logInjectionBad.js:46:17:46:47 | underli ... name))) | logInjectionBad.js:40:23:40:29 | req.url | logInjectionBad.js:46:17:46:47 | underli ... name))) | $@ flows to log entry. | logInjectionBad.js:40:23:40:29 | req.url | User-provided value |
+| logInjectionBad.js:44:18:44:54 | ansiCol ... ername) | logInjectionBad.js:41:23:41:29 | req.url | logInjectionBad.js:44:18:44:54 | ansiCol ... ername) | $@ flows to log entry. | logInjectionBad.js:41:23:41:29 | req.url | User-provided value |
+| logInjectionBad.js:45:18:45:47 | colors. ... ername) | logInjectionBad.js:41:23:41:29 | req.url | logInjectionBad.js:45:18:45:47 | colors. ... ername) | $@ flows to log entry. | logInjectionBad.js:41:23:41:29 | req.url | User-provided value |
+| logInjectionBad.js:46:18:46:61 | wrapAns ... e), 20) | logInjectionBad.js:41:23:41:29 | req.url | logInjectionBad.js:46:18:46:61 | wrapAns ... e), 20) | $@ flows to log entry. | logInjectionBad.js:41:23:41:29 | req.url | User-provided value |
+| logInjectionBad.js:47:17:47:47 | underli ... name))) | logInjectionBad.js:41:23:41:29 | req.url | logInjectionBad.js:47:17:47:47 | underli ... name))) | $@ flows to log entry. | logInjectionBad.js:41:23:41:29 | req.url | User-provided value |
+| logInjectionBad.js:48:17:48:76 | highlig ...  true}) | logInjectionBad.js:41:23:41:29 | req.url | logInjectionBad.js:48:17:48:76 | highlig ...  true}) | $@ flows to log entry. | logInjectionBad.js:41:23:41:29 | req.url | User-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-117/logInjectionBad.js b/javascript/ql/test/query-tests/Security/CWE-117/logInjectionBad.js
@@ -35,6 +35,7 @@ const ansiColors = require('ansi-colors');
 const colors = require('colors');
 import wrapAnsi from 'wrap-ansi';
 import { blue, bold, underline } from "colorette"
+const highlight = require('cli-highlight').highlight;
 
 const server2 = http.createServer((req, res) => {
     let q = url.parse(req.url, true);
@@ -44,4 +45,5 @@ const server2 = http.createServer((req, res) => {
     console.info(colors.red.underline(username)); // NOT OK
     console.info(wrapAnsi(colors.red.underline(username), 20)); // NOT OK
     console.log(underline(bold(blue(username)))); // NOT OK
+    console.log(highlight(username, {language: 'sql', ignoreIllegals: true})); // NOT OK
 });

Original file line number	Diff line number	Diff line change
`@@ -252,3 +252,17 @@ class ColoretteStep extends TaintTracking::SharedTaintStep {`
`252`	`252`	`)`
`253`	`253`	`}`
`254`	`254`	`}`
	`255`	`+`
	`256`	`+/**`
	`257`	+ * A step through the [`cli-highlight`](https://npmjs.org/package/cli-highlight) library.
	`258`	`+ */`
	`259`	`+class CliHighlightStep extends TaintTracking::SharedTaintStep {`
	`260`	`+ override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node succ) {`
	`261`	`+ exists(API::CallNode call \|`
	`262`	`+ call = API::moduleImport("cli-highlight").getMember("highlight").getACall()`
	`263`	`+ \|`
	`264`	`+ pred = call.getArgument(0) and`
	`265`	`+ succ = call`
	`266`	`+ )`
	`267`	`+ }`
	`268`	`+}`