add support for the safe-stable-stringify library

erik-krogh · erik-krogh · commit f99a33598f88 · 2021-07-12T10:51:43.000+02:00
diff --git a/javascript/change-notes/2021-06-24-json.md b/javascript/change-notes/2021-06-24-json.md
@@ -6,4 +6,5 @@ lgtm,codescanning
     [prettyjson](https://npmjs.com/package/prettyjson),
     [flatted](https://npmjs.com/package/flatted),
     [teleport-javascript](https://npmjs.com/package/teleport-javascript),
-    [replicator](https://npmjs.com/package/replicator)
+    [replicator](https://npmjs.com/package/replicator),
+    [safe-stable-stringify](https://npmjs.com/package/safe-stable-stringify)
diff --git a/javascript/ql/src/semmle/javascript/JsonStringifiers.qll b/javascript/ql/src/semmle/javascript/JsonStringifiers.qll
@@ -18,7 +18,7 @@ class JsonStringifyCall extends DataFlow::CallNode {
         DataFlow::moduleImport([
             "json-stringify-safe", "json-stable-stringify", "stringify-object",
             "fast-json-stable-stringify", "fast-safe-stringify", "javascript-stringify",
-            "js-stringify"
+            "js-stringify", "safe-stable-stringify"
           ]) or
       // require("util").inspect() and similar
       callee = DataFlow::moduleMember("util", "inspect") or
diff --git a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -95,6 +95,7 @@ typeInferenceMismatch
 | json-stringify.js:2:16:2:23 | source() | json-stringify.js:27:8:27:47 | flatted ... ource)) |
 | json-stringify.js:2:16:2:23 | source() | json-stringify.js:30:8:30:49 | telepor ... ource)) |
 | json-stringify.js:2:16:2:23 | source() | json-stringify.js:34:8:34:51 | replica ... ource)) |
+| json-stringify.js:2:16:2:23 | source() | json-stringify.js:36:8:36:47 | require ... source) |
 | json-stringify.js:3:15:3:22 | source() | json-stringify.js:8:8:8:31 | jsonStr ... (taint) |
 | nested-props.js:4:13:4:20 | source() | nested-props.js:5:10:5:14 | obj.x |
 | nested-props.js:9:18:9:25 | source() | nested-props.js:10:10:10:16 | obj.x.y |
diff --git a/javascript/ql/test/library-tests/TaintTracking/json-stringify.js b/javascript/ql/test/library-tests/TaintTracking/json-stringify.js
@@ -32,4 +32,6 @@ function foo() {
   const Replicator = require('replicator');
   const replicator = new Replicator();
   sink(replicator.encode(replicator.decode(source))); // NOT OK
+
+  sink(require("safe-stable-stringify")(source)); // NOT OK
 }

Original file line number	Diff line number	Diff line change
`@@ -32,4 +32,6 @@ function foo() {`
`32`	`32`	`const Replicator = require('replicator');`
`33`	`33`	`const replicator = new Replicator();`
`34`	`34`	`sink(replicator.encode(replicator.decode(source))); // NOT OK`
	`35`	`+`
	`36`	`+ sink(require("safe-stable-stringify")(source)); // NOT OK`
`35`	`37`	`}`