add taint step through the strip-ansi library

erik-krogh · erik-krogh · commit fa02651542af · 2021-06-23T09:13:03.000+02:00
diff --git a/javascript/change-notes/2021-06-22-colors.md b/javascript/change-notes/2021-06-22-colors.md
@@ -9,4 +9,5 @@ lgtm,codescanning
     [cli-color](https://npmjs.com/package/cli-color),
     [slice-ansi](https://npmjs.com/package/slice-ansi),
     [kleur](https://npmjs.com/package/kleur),
-    [chalk](https://npmjs.com/package/chalk)
+    [chalk](https://npmjs.com/package/chalk),
+    [strip-ansi](https://npmjs.com/package/strip-ansi)
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Logging.qll b/javascript/ql/src/semmle/javascript/frameworks/Logging.qll
@@ -320,3 +320,15 @@ class ChalkStep extends TaintTracking::SharedTaintStep {
     )
   }
 }
+
+/**
+ * A step through the [`strip-ansi`](https://npmjs.org/package/strip-ansi) library.
+ */
+class StripAnsiStep extends TaintTracking::SharedTaintStep {
+  override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call | call = API::moduleImport("strip-ansi").getACall() |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-117/LogInjection.expected b/javascript/ql/test/query-tests/Security/CWE-117/LogInjection.expected
@@ -22,45 +22,49 @@ nodes
 | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
 | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
 | logInjectionBad.js:30:42:30:46 | error |
-| logInjectionBad.js:45:9:45:36 | q |
-| logInjectionBad.js:45:13:45:36 | url.par ... , true) |
-| logInjectionBad.js:45:23:45:29 | req.url |
-| logInjectionBad.js:45:23:45:29 | req.url |
-| logInjectionBad.js:46:9:46:35 | username |
-| logInjectionBad.js:46:20:46:20 | q |
-| logInjectionBad.js:46:20:46:26 | q.query |
-| logInjectionBad.js:46:20:46:35 | q.query.username |
-| logInjectionBad.js:48:18:48:54 | ansiCol ... ername) |
-| logInjectionBad.js:48:18:48:54 | ansiCol ... ername) |
-| logInjectionBad.js:48:46:48:53 | username |
-| logInjectionBad.js:49:18:49:47 | colors. ... ername) |
-| logInjectionBad.js:49:18:49:47 | colors. ... ername) |
-| logInjectionBad.js:49:39:49:46 | username |
-| logInjectionBad.js:50:18:50:61 | wrapAns ... e), 20) |
-| logInjectionBad.js:50:18:50:61 | wrapAns ... e), 20) |
-| logInjectionBad.js:50:27:50:56 | colors. ... ername) |
-| logInjectionBad.js:50:48:50:55 | username |
-| logInjectionBad.js:51:17:51:47 | underli ... name))) |
-| logInjectionBad.js:51:17:51:47 | underli ... name))) |
-| logInjectionBad.js:51:27:51:46 | bold(blue(username)) |
-| logInjectionBad.js:51:32:51:45 | blue(username) |
-| logInjectionBad.js:51:37:51:44 | username |
-| logInjectionBad.js:52:17:52:76 | highlig ...  true}) |
-| logInjectionBad.js:52:17:52:76 | highlig ...  true}) |
-| logInjectionBad.js:52:27:52:34 | username |
-| logInjectionBad.js:53:17:53:51 | clc.red ... ername) |
-| logInjectionBad.js:53:17:53:51 | clc.red ... ername) |
-| logInjectionBad.js:53:43:53:50 | username |
-| logInjectionBad.js:54:17:54:65 | sliceAn ... 20, 30) |
-| logInjectionBad.js:54:17:54:65 | sliceAn ... 20, 30) |
-| logInjectionBad.js:54:27:54:56 | colors. ... ername) |
-| logInjectionBad.js:54:48:54:55 | username |
-| logInjectionBad.js:55:17:55:55 | kleur.b ... ername) |
-| logInjectionBad.js:55:17:55:55 | kleur.b ... ername) |
-| logInjectionBad.js:55:47:55:54 | username |
-| logInjectionBad.js:56:17:56:48 | chalk.u ... ername) |
-| logInjectionBad.js:56:17:56:48 | chalk.u ... ername) |
-| logInjectionBad.js:56:40:56:47 | username |
+| logInjectionBad.js:46:9:46:36 | q |
+| logInjectionBad.js:46:13:46:36 | url.par ... , true) |
+| logInjectionBad.js:46:23:46:29 | req.url |
+| logInjectionBad.js:46:23:46:29 | req.url |
+| logInjectionBad.js:47:9:47:35 | username |
+| logInjectionBad.js:47:20:47:20 | q |
+| logInjectionBad.js:47:20:47:26 | q.query |
+| logInjectionBad.js:47:20:47:35 | q.query.username |
+| logInjectionBad.js:49:18:49:54 | ansiCol ... ername) |
+| logInjectionBad.js:49:18:49:54 | ansiCol ... ername) |
+| logInjectionBad.js:49:46:49:53 | username |
+| logInjectionBad.js:50:18:50:47 | colors. ... ername) |
+| logInjectionBad.js:50:18:50:47 | colors. ... ername) |
+| logInjectionBad.js:50:39:50:46 | username |
+| logInjectionBad.js:51:18:51:61 | wrapAns ... e), 20) |
+| logInjectionBad.js:51:18:51:61 | wrapAns ... e), 20) |
+| logInjectionBad.js:51:27:51:56 | colors. ... ername) |
+| logInjectionBad.js:51:48:51:55 | username |
+| logInjectionBad.js:52:17:52:47 | underli ... name))) |
+| logInjectionBad.js:52:17:52:47 | underli ... name))) |
+| logInjectionBad.js:52:27:52:46 | bold(blue(username)) |
+| logInjectionBad.js:52:32:52:45 | blue(username) |
+| logInjectionBad.js:52:37:52:44 | username |
+| logInjectionBad.js:53:17:53:76 | highlig ...  true}) |
+| logInjectionBad.js:53:17:53:76 | highlig ...  true}) |
+| logInjectionBad.js:53:27:53:34 | username |
+| logInjectionBad.js:54:17:54:51 | clc.red ... ername) |
+| logInjectionBad.js:54:17:54:51 | clc.red ... ername) |
+| logInjectionBad.js:54:43:54:50 | username |
+| logInjectionBad.js:55:17:55:65 | sliceAn ... 20, 30) |
+| logInjectionBad.js:55:17:55:65 | sliceAn ... 20, 30) |
+| logInjectionBad.js:55:27:55:56 | colors. ... ername) |
+| logInjectionBad.js:55:48:55:55 | username |
+| logInjectionBad.js:56:17:56:55 | kleur.b ... ername) |
+| logInjectionBad.js:56:17:56:55 | kleur.b ... ername) |
+| logInjectionBad.js:56:47:56:54 | username |
+| logInjectionBad.js:57:17:57:48 | chalk.u ... ername) |
+| logInjectionBad.js:57:17:57:48 | chalk.u ... ername) |
+| logInjectionBad.js:57:40:57:47 | username |
+| logInjectionBad.js:58:17:58:59 | stripAn ... rname)) |
+| logInjectionBad.js:58:17:58:59 | stripAn ... rname)) |
+| logInjectionBad.js:58:27:58:58 | chalk.u ... ername) |
+| logInjectionBad.js:58:50:58:57 | username |
 edges
 | logInjectionBad.js:19:9:19:36 | q | logInjectionBad.js:20:20:20:20 | q |
 | logInjectionBad.js:19:13:19:36 | url.par ... , true) | logInjectionBad.js:19:9:19:36 | q |
@@ -84,56 +88,61 @@ edges
 | logInjectionBad.js:29:14:29:18 | error | logInjectionBad.js:30:42:30:46 | error |
 | logInjectionBad.js:30:42:30:46 | error | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
 | logInjectionBad.js:30:42:30:46 | error | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` |
-| logInjectionBad.js:45:9:45:36 | q | logInjectionBad.js:46:20:46:20 | q |
-| logInjectionBad.js:45:13:45:36 | url.par ... , true) | logInjectionBad.js:45:9:45:36 | q |
-| logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:45:13:45:36 | url.par ... , true) |
-| logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:45:13:45:36 | url.par ... , true) |
-| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:48:46:48:53 | username |
-| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:49:39:49:46 | username |
-| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:50:48:50:55 | username |
-| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:51:37:51:44 | username |
-| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:52:27:52:34 | username |
-| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:53:43:53:50 | username |
-| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:54:48:54:55 | username |
-| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:55:47:55:54 | username |
-| logInjectionBad.js:46:9:46:35 | username | logInjectionBad.js:56:40:56:47 | username |
-| logInjectionBad.js:46:20:46:20 | q | logInjectionBad.js:46:20:46:26 | q.query |
-| logInjectionBad.js:46:20:46:26 | q.query | logInjectionBad.js:46:20:46:35 | q.query.username |
-| logInjectionBad.js:46:20:46:35 | q.query.username | logInjectionBad.js:46:9:46:35 | username |
-| logInjectionBad.js:48:46:48:53 | username | logInjectionBad.js:48:18:48:54 | ansiCol ... ername) |
-| logInjectionBad.js:48:46:48:53 | username | logInjectionBad.js:48:18:48:54 | ansiCol ... ername) |
-| logInjectionBad.js:49:39:49:46 | username | logInjectionBad.js:49:18:49:47 | colors. ... ername) |
-| logInjectionBad.js:49:39:49:46 | username | logInjectionBad.js:49:18:49:47 | colors. ... ername) |
-| logInjectionBad.js:50:27:50:56 | colors. ... ername) | logInjectionBad.js:50:18:50:61 | wrapAns ... e), 20) |
-| logInjectionBad.js:50:27:50:56 | colors. ... ername) | logInjectionBad.js:50:18:50:61 | wrapAns ... e), 20) |
-| logInjectionBad.js:50:48:50:55 | username | logInjectionBad.js:50:27:50:56 | colors. ... ername) |
-| logInjectionBad.js:51:27:51:46 | bold(blue(username)) | logInjectionBad.js:51:17:51:47 | underli ... name))) |
-| logInjectionBad.js:51:27:51:46 | bold(blue(username)) | logInjectionBad.js:51:17:51:47 | underli ... name))) |
-| logInjectionBad.js:51:32:51:45 | blue(username) | logInjectionBad.js:51:27:51:46 | bold(blue(username)) |
-| logInjectionBad.js:51:37:51:44 | username | logInjectionBad.js:51:32:51:45 | blue(username) |
-| logInjectionBad.js:52:27:52:34 | username | logInjectionBad.js:52:17:52:76 | highlig ...  true}) |
-| logInjectionBad.js:52:27:52:34 | username | logInjectionBad.js:52:17:52:76 | highlig ...  true}) |
-| logInjectionBad.js:53:43:53:50 | username | logInjectionBad.js:53:17:53:51 | clc.red ... ername) |
-| logInjectionBad.js:53:43:53:50 | username | logInjectionBad.js:53:17:53:51 | clc.red ... ername) |
-| logInjectionBad.js:54:27:54:56 | colors. ... ername) | logInjectionBad.js:54:17:54:65 | sliceAn ... 20, 30) |
-| logInjectionBad.js:54:27:54:56 | colors. ... ername) | logInjectionBad.js:54:17:54:65 | sliceAn ... 20, 30) |
-| logInjectionBad.js:54:48:54:55 | username | logInjectionBad.js:54:27:54:56 | colors. ... ername) |
-| logInjectionBad.js:55:47:55:54 | username | logInjectionBad.js:55:17:55:55 | kleur.b ... ername) |
-| logInjectionBad.js:55:47:55:54 | username | logInjectionBad.js:55:17:55:55 | kleur.b ... ername) |
-| logInjectionBad.js:56:40:56:47 | username | logInjectionBad.js:56:17:56:48 | chalk.u ... ername) |
-| logInjectionBad.js:56:40:56:47 | username | logInjectionBad.js:56:17:56:48 | chalk.u ... ername) |
+| logInjectionBad.js:46:9:46:36 | q | logInjectionBad.js:47:20:47:20 | q |
+| logInjectionBad.js:46:13:46:36 | url.par ... , true) | logInjectionBad.js:46:9:46:36 | q |
+| logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:46:13:46:36 | url.par ... , true) |
+| logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:46:13:46:36 | url.par ... , true) |
+| logInjectionBad.js:47:9:47:35 | username | logInjectionBad.js:49:46:49:53 | username |
+| logInjectionBad.js:47:9:47:35 | username | logInjectionBad.js:50:39:50:46 | username |
+| logInjectionBad.js:47:9:47:35 | username | logInjectionBad.js:51:48:51:55 | username |
+| logInjectionBad.js:47:9:47:35 | username | logInjectionBad.js:52:37:52:44 | username |
+| logInjectionBad.js:47:9:47:35 | username | logInjectionBad.js:53:27:53:34 | username |
+| logInjectionBad.js:47:9:47:35 | username | logInjectionBad.js:54:43:54:50 | username |
+| logInjectionBad.js:47:9:47:35 | username | logInjectionBad.js:55:48:55:55 | username |
+| logInjectionBad.js:47:9:47:35 | username | logInjectionBad.js:56:47:56:54 | username |
+| logInjectionBad.js:47:9:47:35 | username | logInjectionBad.js:57:40:57:47 | username |
+| logInjectionBad.js:47:9:47:35 | username | logInjectionBad.js:58:50:58:57 | username |
+| logInjectionBad.js:47:20:47:20 | q | logInjectionBad.js:47:20:47:26 | q.query |
+| logInjectionBad.js:47:20:47:26 | q.query | logInjectionBad.js:47:20:47:35 | q.query.username |
+| logInjectionBad.js:47:20:47:35 | q.query.username | logInjectionBad.js:47:9:47:35 | username |
+| logInjectionBad.js:49:46:49:53 | username | logInjectionBad.js:49:18:49:54 | ansiCol ... ername) |
+| logInjectionBad.js:49:46:49:53 | username | logInjectionBad.js:49:18:49:54 | ansiCol ... ername) |
+| logInjectionBad.js:50:39:50:46 | username | logInjectionBad.js:50:18:50:47 | colors. ... ername) |
+| logInjectionBad.js:50:39:50:46 | username | logInjectionBad.js:50:18:50:47 | colors. ... ername) |
+| logInjectionBad.js:51:27:51:56 | colors. ... ername) | logInjectionBad.js:51:18:51:61 | wrapAns ... e), 20) |
+| logInjectionBad.js:51:27:51:56 | colors. ... ername) | logInjectionBad.js:51:18:51:61 | wrapAns ... e), 20) |
+| logInjectionBad.js:51:48:51:55 | username | logInjectionBad.js:51:27:51:56 | colors. ... ername) |
+| logInjectionBad.js:52:27:52:46 | bold(blue(username)) | logInjectionBad.js:52:17:52:47 | underli ... name))) |
+| logInjectionBad.js:52:27:52:46 | bold(blue(username)) | logInjectionBad.js:52:17:52:47 | underli ... name))) |
+| logInjectionBad.js:52:32:52:45 | blue(username) | logInjectionBad.js:52:27:52:46 | bold(blue(username)) |
+| logInjectionBad.js:52:37:52:44 | username | logInjectionBad.js:52:32:52:45 | blue(username) |
+| logInjectionBad.js:53:27:53:34 | username | logInjectionBad.js:53:17:53:76 | highlig ...  true}) |
+| logInjectionBad.js:53:27:53:34 | username | logInjectionBad.js:53:17:53:76 | highlig ...  true}) |
+| logInjectionBad.js:54:43:54:50 | username | logInjectionBad.js:54:17:54:51 | clc.red ... ername) |
+| logInjectionBad.js:54:43:54:50 | username | logInjectionBad.js:54:17:54:51 | clc.red ... ername) |
+| logInjectionBad.js:55:27:55:56 | colors. ... ername) | logInjectionBad.js:55:17:55:65 | sliceAn ... 20, 30) |
+| logInjectionBad.js:55:27:55:56 | colors. ... ername) | logInjectionBad.js:55:17:55:65 | sliceAn ... 20, 30) |
+| logInjectionBad.js:55:48:55:55 | username | logInjectionBad.js:55:27:55:56 | colors. ... ername) |
+| logInjectionBad.js:56:47:56:54 | username | logInjectionBad.js:56:17:56:55 | kleur.b ... ername) |
+| logInjectionBad.js:56:47:56:54 | username | logInjectionBad.js:56:17:56:55 | kleur.b ... ername) |
+| logInjectionBad.js:57:40:57:47 | username | logInjectionBad.js:57:17:57:48 | chalk.u ... ername) |
+| logInjectionBad.js:57:40:57:47 | username | logInjectionBad.js:57:17:57:48 | chalk.u ... ername) |
+| logInjectionBad.js:58:27:58:58 | chalk.u ... ername) | logInjectionBad.js:58:17:58:59 | stripAn ... rname)) |
+| logInjectionBad.js:58:27:58:58 | chalk.u ... ername) | logInjectionBad.js:58:17:58:59 | stripAn ... rname)) |
+| logInjectionBad.js:58:50:58:57 | username | logInjectionBad.js:58:27:58:58 | chalk.u ... ername) |
 #select
 | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:22:18:22:43 | `[INFO] ... rname}` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:23:37:23:44 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:23:37:23:44 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:24:35:24:42 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:24:35:24:42 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:25:36:25:43 | username | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:25:36:25:43 | username | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
 | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` | logInjectionBad.js:19:23:19:29 | req.url | logInjectionBad.js:30:23:30:49 | `[ERROR ... rror}"` | $@ flows to log entry. | logInjectionBad.js:19:23:19:29 | req.url | User-provided value |
-| logInjectionBad.js:48:18:48:54 | ansiCol ... ername) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:48:18:48:54 | ansiCol ... ername) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |
-| logInjectionBad.js:49:18:49:47 | colors. ... ername) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:49:18:49:47 | colors. ... ername) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |
-| logInjectionBad.js:50:18:50:61 | wrapAns ... e), 20) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:50:18:50:61 | wrapAns ... e), 20) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |
-| logInjectionBad.js:51:17:51:47 | underli ... name))) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:51:17:51:47 | underli ... name))) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |
-| logInjectionBad.js:52:17:52:76 | highlig ...  true}) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:52:17:52:76 | highlig ...  true}) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |
-| logInjectionBad.js:53:17:53:51 | clc.red ... ername) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:53:17:53:51 | clc.red ... ername) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |
-| logInjectionBad.js:54:17:54:65 | sliceAn ... 20, 30) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:54:17:54:65 | sliceAn ... 20, 30) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |
-| logInjectionBad.js:55:17:55:55 | kleur.b ... ername) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:55:17:55:55 | kleur.b ... ername) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |
-| logInjectionBad.js:56:17:56:48 | chalk.u ... ername) | logInjectionBad.js:45:23:45:29 | req.url | logInjectionBad.js:56:17:56:48 | chalk.u ... ername) | $@ flows to log entry. | logInjectionBad.js:45:23:45:29 | req.url | User-provided value |
+| logInjectionBad.js:49:18:49:54 | ansiCol ... ername) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:49:18:49:54 | ansiCol ... ername) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
+| logInjectionBad.js:50:18:50:47 | colors. ... ername) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:50:18:50:47 | colors. ... ername) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
+| logInjectionBad.js:51:18:51:61 | wrapAns ... e), 20) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:51:18:51:61 | wrapAns ... e), 20) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
+| logInjectionBad.js:52:17:52:47 | underli ... name))) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:52:17:52:47 | underli ... name))) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
+| logInjectionBad.js:53:17:53:76 | highlig ...  true}) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:53:17:53:76 | highlig ...  true}) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
+| logInjectionBad.js:54:17:54:51 | clc.red ... ername) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:54:17:54:51 | clc.red ... ername) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
+| logInjectionBad.js:55:17:55:65 | sliceAn ... 20, 30) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:55:17:55:65 | sliceAn ... 20, 30) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
+| logInjectionBad.js:56:17:56:55 | kleur.b ... ername) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:56:17:56:55 | kleur.b ... ername) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
+| logInjectionBad.js:57:17:57:48 | chalk.u ... ername) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:57:17:57:48 | chalk.u ... ername) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
+| logInjectionBad.js:58:17:58:59 | stripAn ... rname)) | logInjectionBad.js:46:23:46:29 | req.url | logInjectionBad.js:58:17:58:59 | stripAn ... rname)) | $@ flows to log entry. | logInjectionBad.js:46:23:46:29 | req.url | User-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-117/logInjectionBad.js b/javascript/ql/test/query-tests/Security/CWE-117/logInjectionBad.js
@@ -40,6 +40,7 @@ var clc = require("cli-color");
 import sliceAnsi from 'slice-ansi';
 import kleur from 'kleur';
 const chalk = require('chalk');
+import stripAnsi from 'strip-ansi';
 
 const server2 = http.createServer((req, res) => {
     let q = url.parse(req.url, true);
@@ -54,4 +55,5 @@ const server2 = http.createServer((req, res) => {
     console.log(sliceAnsi(colors.red.underline(username), 20, 30)); // NOT OK
     console.log(kleur.blue().bold().underline(username)); // NOT OK
     console.log(chalk.underline.bgBlue(username)); // NOT OK
+    console.log(stripAnsi(chalk.underline.bgBlue(username))); // NOT OK
 });

Original file line number	Diff line number	Diff line change
`@@ -320,3 +320,15 @@ class ChalkStep extends TaintTracking::SharedTaintStep {`
`320`	`320`	`)`
`321`	`321`	`}`
`322`	`322`	`}`
	`323`	`+`
	`324`	`+/**`
	`325`	+ * A step through the [`strip-ansi`](https://npmjs.org/package/strip-ansi) library.
	`326`	`+ */`
	`327`	`+class StripAnsiStep extends TaintTracking::SharedTaintStep {`
	`328`	`+ override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node succ) {`
	`329`	`+ exists(API::CallNode call \| call = API::moduleImport("strip-ansi").getACall() \|`
	`330`	`+ pred = call.getArgument(0) and`
	`331`	`+ succ = call`
	`332`	`+ )`
	`333`	`+ }`
	`334`	`+}`