Skip to content

Commit 3605269

Browse files
KwstubbsKwstubbs
committed
Add webix copy function
1 parent 7e7e2aa commit 3605269

File tree

4 files changed

+13
-2
lines changed

4 files changed

+13
-2
lines changed

javascript/ql/lib/semmle/javascript/Extend.qll

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -97,7 +97,7 @@ private class ExtendCallDeep extends ExtendCall {
9797
callee = LodashUnderscore::member("mergeWith") or
9898
callee = LodashUnderscore::member("defaultsDeep") or
9999
callee = AngularJS::angular().getAPropertyRead("merge") or
100-
callee = DataFlow::moduleImport("webix").getAPropertyRead("extend")
100+
callee = DataFlow::moduleImport("webix").getAPropertyRead(["extend", "copy"])
101101
)
102102
}
103103

javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionCustomizations.qll

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -173,7 +173,7 @@ module PrototypePollution {
173173
id = "angular"
174174
or
175175
call.isDeep() and
176-
call = DataFlow::moduleImport("webix").getAMemberCall("extend") and
176+
call = DataFlow::moduleImport("webix").getAMemberCall(["extend", "copy"]) and
177177
id = "webix"
178178
}
179179
}

javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/PrototypePollutingMergeCall.expected

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,10 @@ nodes
2323
| webix.js:4:22:4:43 | JSON.pa ... t.data) |
2424
| webix.js:4:33:4:37 | event |
2525
| webix.js:4:33:4:42 | event.data |
26+
| webix.js:5:19:5:40 | JSON.pa ... t.data) |
27+
| webix.js:5:19:5:40 | JSON.pa ... t.data) |
28+
| webix.js:5:30:5:34 | event |
29+
| webix.js:5:30:5:39 | event.data |
2630
edges
2731
| angularmerge.js:1:30:1:34 | event | angularmerge.js:2:32:2:36 | event |
2832
| angularmerge.js:1:30:1:34 | event | angularmerge.js:2:32:2:36 | event |
@@ -40,12 +44,18 @@ edges
4044
| src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... K\\n } |
4145
| webix.js:3:30:3:34 | event | webix.js:4:33:4:37 | event |
4246
| webix.js:3:30:3:34 | event | webix.js:4:33:4:37 | event |
47+
| webix.js:3:30:3:34 | event | webix.js:5:30:5:34 | event |
48+
| webix.js:3:30:3:34 | event | webix.js:5:30:5:34 | event |
4349
| webix.js:4:33:4:37 | event | webix.js:4:33:4:42 | event.data |
4450
| webix.js:4:33:4:42 | event.data | webix.js:4:22:4:43 | JSON.pa ... t.data) |
4551
| webix.js:4:33:4:42 | event.data | webix.js:4:22:4:43 | JSON.pa ... t.data) |
52+
| webix.js:5:30:5:34 | event | webix.js:5:30:5:39 | event.data |
53+
| webix.js:5:30:5:39 | event.data | webix.js:5:19:5:40 | JSON.pa ... t.data) |
54+
| webix.js:5:30:5:39 | event.data | webix.js:5:19:5:40 | JSON.pa ... t.data) |
4655
#select
4756
| angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | angularmerge.js:1:30:1:34 | event | angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | angularmerge.js:1:30:1:34 | event | user-controlled value | angularmerge.js:2:3:2:43 | angular ... .data)) | angular |
4857
| src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | user-controlled value | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash |
4958
| src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... K\\n } | src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n ... K\\n } | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | user-controlled value | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash |
5059
| src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... K\\n } | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n ... K\\n } | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | user-controlled value | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash |
5160
| webix.js:4:22:4:43 | JSON.pa ... t.data) | webix.js:3:30:3:34 | event | webix.js:4:22:4:43 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | webix.js:3:30:3:34 | event | user-controlled value | webix.js:4:5:4:44 | webix.e ... .data)) | webix |
61+
| webix.js:5:19:5:40 | JSON.pa ... t.data) | webix.js:3:30:3:34 | event | webix.js:5:19:5:40 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | webix.js:3:30:3:34 | event | user-controlled value | webix.js:5:5:5:41 | webix.c ... .data)) | webix |

javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/webix.js

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,4 +2,5 @@ import * as webix from "webix";
22

33
addEventListener("message", (event) => {
44
webix.extend({}, JSON.parse(event.data)); // NOT OK
5+
webix.copy({},JSON.parse(event.data)); // NOT OK
56
});

0 commit comments

Comments
 (0)