Add models for webix

Co-authored-by: Kevin Stubbings <[email protected]>

Author: jorgectf

javascript/ql/lib/javascript.qll

@@ -134,6 +134,7 @@ import semmle.javascript.frameworks.TrustedTypes
 import semmle.javascript.frameworks.UriLibraries
 import semmle.javascript.frameworks.Vue
 import semmle.javascript.frameworks.Vuex
+import semmle.javascript.frameworks.Webix
 import semmle.javascript.frameworks.WebSocket
 import semmle.javascript.frameworks.XmlParsers
 import semmle.javascript.frameworks.xUnit

javascript/ql/lib/semmle/javascript/Extend.qll

@@ -96,7 +96,8 @@ private class ExtendCallDeep extends ExtendCall {
       callee = LodashUnderscore::member("merge") or
       callee = LodashUnderscore::member("mergeWith") or
       callee = LodashUnderscore::member("defaultsDeep") or
-      callee = AngularJS::angular().getAPropertyRead("merge")
+      callee = AngularJS::angular().getAPropertyRead("merge") or
+      callee = DataFlow::moduleImport("webix").getAPropertyRead("extend")
     )
   }
 

javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll

@@ -312,6 +312,13 @@ module CodeInjection {
     }
   }
 
+  /**
+   * A value interpreted as code by the `webix` library.
+   */
+  class WebixExec extends Sink {
+    WebixExec() { this = DataFlow::moduleImport("webix").getAMemberCall("exec").getArgument(0) }
+  }
+
   /** A sink for code injection via template injection. */
   abstract private class TemplateSink extends Sink {
     deprecated override string getMessageSuffix() {
@@ -419,6 +426,23 @@ module CodeInjection {
     }
   }
 
+  /**
+   * A value interpreted as a template by the `webix` library.
+   */
+  class WebixTemplateSink extends TemplateSink {
+    WebixTemplateSink() {
+      this = DataFlow::moduleImport("webix").getAMemberCall("ui").getOptionArgument(0, "template")
+      or
+      this.asExpr() =
+        DataFlow::moduleImport("webix")
+            .getAMemberCall("ui")
+            .getOptionArgument(0, "template")
+            .asExpr()
+            .(Function)
+            .getAReturnedExpr()
+    }
+  }
+
   /**
    * A call to JSON.stringify() seen as a sanitizer.
    */

javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionCustomizations.qll

@@ -171,5 +171,9 @@ module PrototypePollution {
     call.isDeep() and
     call = AngularJS::angular().getAMemberCall("merge") and
     id = "angular"
+    or
+    call.isDeep() and
+    call = DataFlow::moduleImport("webix").getAMemberCall("extend") and
+    id = "webix"
   }
 }

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected

@@ -10,10 +10,11 @@ import * as mustache from 'mustache';
 const Hogan = require("hogan.js");
 import * as Eta from 'eta';
 import * as Sqrl from 'squirrelly'
+import * as webix from "webix";
 
 var app = express();
 
-app.get('/some/path', function(req, res) {
+app.get('/some/path', function (req, res) {
     let tainted = req.query.foo;
 
     pug.compile(tainted); // NOT OK
@@ -30,4 +31,6 @@ app.get('/some/path', function(req, res) {
     Hogan.compile(tainted); // NOT OK
     Eta.render(tainted); // NOT OK
     Sqrl.render(tainted); // NOT OK
+    webix.ui({ template: tainted }); // NOT OK
+    webix.ui({ template: function () { return tainted } }) // NOT OK
 });

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/template-sinks.js

@@ -0,0 +1,3 @@
+import * as webix from 'webix';
+
+webix.exec(document.location.hash); // NOT OK

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/webix.js

@@ -17,6 +17,12 @@ nodes
 | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n      ... K\\n    } |
 | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n      ... K\\n    } |
 | src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing |
+| webix.js:3:30:3:34 | event |
+| webix.js:3:30:3:34 | event |
+| webix.js:4:22:4:43 | JSON.pa ... t.data) |
+| webix.js:4:22:4:43 | JSON.pa ... t.data) |
+| webix.js:4:33:4:37 | event |
+| webix.js:4:33:4:42 | event.data |
 edges
 | angularmerge.js:1:30:1:34 | event | angularmerge.js:2:32:2:36 | event |
 | angularmerge.js:1:30:1:34 | event | angularmerge.js:2:32:2:36 | event |
@@ -32,8 +38,14 @@ edges
 | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing |
 | src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n      ... K\\n    } |
 | src-vulnerable-lodash/tst.js:18:16:18:25 | opts.thing | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n      ... K\\n    } |
+| webix.js:3:30:3:34 | event | webix.js:4:33:4:37 | event |
+| webix.js:3:30:3:34 | event | webix.js:4:33:4:37 | event |
+| webix.js:4:33:4:37 | event | webix.js:4:33:4:42 | event.data |
+| webix.js:4:33:4:42 | event.data | webix.js:4:22:4:43 | JSON.pa ... t.data) |
+| webix.js:4:33:4:42 | event.data | webix.js:4:22:4:43 | JSON.pa ... t.data) |
 #select
 | angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | angularmerge.js:1:30:1:34 | event | angularmerge.js:2:21:2:42 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | angularmerge.js:1:30:1:34 | event | user-controlled value | angularmerge.js:2:3:2:43 | angular ... .data)) | angular |
 | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:7:17:7:29 | req.query.foo | user-controlled value | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash |
 | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n      ... K\\n    } | src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | src-vulnerable-lodash/tst.js:10:17:12:5 | {\\n      ... K\\n    } | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:11:16:11:30 | req.query.value | user-controlled value | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash |
 | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n      ... K\\n    } | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | src-vulnerable-lodash/tst.js:17:17:19:5 | {\\n      ... K\\n    } | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | src-vulnerable-lodash/tst.js:15:14:15:28 | req.query.value | user-controlled value | src-vulnerable-lodash/package.json:3:19:3:26 | "4.17.4" | lodash |
+| webix.js:4:22:4:43 | JSON.pa ... t.data) | webix.js:3:30:3:34 | event | webix.js:4:22:4:43 | JSON.pa ... t.data) | Prototype pollution caused by merging a $@ using a vulnerable version of $@. | webix.js:3:30:3:34 | event | user-controlled value | webix.js:4:5:4:44 | webix.e ... .data)) | webix |

javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingMergeCall/PrototypePollutingMergeCall.expected

@@ -0,0 +1,5 @@
+import * as webix from "webix";
+
+addEventListener("message", (event) => {
+    webix.extend({}, JSON.parse(event.data)); // NOT OK
+});