Merge pull request github#5993 from erik-krogh/lib-debug

Approved by esbena

Author: codeql-ci

javascript/change-notes/2021-06-02-debug.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Logging calls using the [debug](https://npmjs.com/package/immutable) library are now recognized.
+  Affected packages are
+    [debug](https://npmjs.com/package/debug)

javascript/ql/src/semmle/javascript/frameworks/Logging.qll

@@ -192,3 +192,12 @@ private module Fancylog {
     override DataFlow::Node getAMessageComponent() { result = getAnArgument() }
   }
 }
+
+/**
+ * A class modelling [debug](https://npmjs.org/package/debug) as a logging mechanism.
+ */
+private class DebugLoggerCall extends LoggerCall, API::CallNode {
+  DebugLoggerCall() { this = API::moduleImport("debug").getReturn().getACall() }
+
+  override DataFlow::Node getAMessageComponent() { result = getAnArgument() }
+}

javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected

@@ -125,6 +125,14 @@ nodes
 | passwords.js:164:14:164:21 | password |
 | passwords.js:164:14:164:42 | passwor ... g, "*") |
 | passwords.js:164:14:164:42 | passwor ... g, "*") |
+| passwords.js:169:17:169:24 | password |
+| passwords.js:169:17:169:24 | password |
+| passwords.js:169:17:169:45 | passwor ... g, "*") |
+| passwords.js:169:17:169:45 | passwor ... g, "*") |
+| passwords.js:170:11:170:18 | password |
+| passwords.js:170:11:170:18 | password |
+| passwords.js:170:11:170:39 | passwor ... g, "*") |
+| passwords.js:170:11:170:39 | passwor ... g, "*") |
 | passwords_in_browser1.js:2:13:2:20 | password |
 | passwords_in_browser1.js:2:13:2:20 | password |
 | passwords_in_browser1.js:2:13:2:20 | password |
@@ -261,6 +269,14 @@ edges
 | passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
 | passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
 | passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") |
+| passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") |
+| passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") |
+| passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") |
+| passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") |
+| passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
+| passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
+| passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
+| passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") |
 | passwords_in_browser1.js:2:13:2:20 | password | passwords_in_browser1.js:2:13:2:20 | password |
 | passwords_in_browser2.js:2:13:2:20 | password | passwords_in_browser2.js:2:13:2:20 | password |
 | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password |
@@ -304,6 +320,8 @@ edges
 | passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env | passwords.js:156:17:156:27 | process.env | Sensitive data returned by $@ is logged here. | passwords.js:156:17:156:27 | process.env | process environment |
 | passwords.js:163:14:163:41 | passwor ... g, "*") | passwords.js:163:14:163:21 | password | passwords.js:163:14:163:41 | passwor ... g, "*") | Sensitive data returned by $@ is logged here. | passwords.js:163:14:163:21 | password | an access to password |
 | passwords.js:164:14:164:42 | passwor ... g, "*") | passwords.js:164:14:164:21 | password | passwords.js:164:14:164:42 | passwor ... g, "*") | Sensitive data returned by $@ is logged here. | passwords.js:164:14:164:21 | password | an access to password |
+| passwords.js:169:17:169:45 | passwor ... g, "*") | passwords.js:169:17:169:24 | password | passwords.js:169:17:169:45 | passwor ... g, "*") | Sensitive data returned by $@ is logged here. | passwords.js:169:17:169:24 | password | an access to password |
+| passwords.js:170:11:170:39 | passwor ... g, "*") | passwords.js:170:11:170:18 | password | passwords.js:170:11:170:39 | passwor ... g, "*") | Sensitive data returned by $@ is logged here. | passwords.js:170:11:170:18 | password | an access to password |
 | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | passwords_in_server_1.js:6:13:6:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_1.js:6:13:6:20 | password | an access to password |
 | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | passwords_in_server_2.js:3:13:3:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_2.js:3:13:3:20 | password | an access to password |
 | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | passwords_in_server_3.js:2:13:2:20 | password | Sensitive data returned by $@ is logged here. | passwords_in_server_3.js:2:13:2:20 | password | an access to password |

javascript/ql/test/query-tests/Security/CWE-312/passwords.js

@@ -162,4 +162,10 @@ var Util = require('util');
 	console.log(password.replace(/./g, "*")); // OK!
 	console.log(password.replace(/\./g, "*")); // NOT OK!
 	console.log(password.replace(/foo/g, "*")); // NOT OK!
-})();
+})();
+
+const debug = require('debug')('test');
+(function () {
+    console.log(password.replace(/foo/g, "*")); // NOT OK
+    debug(password.replace(/foo/g, "*")); // NOT OK
+});