Skip to content

Commit a02a82c

Browse files
codeql-cicodeql-ci
authored
Merge pull request #6284 from erik-krogh/qs
Approved by asgerf
2 parents c1d0e52 + f462c9b commit a02a82c

File tree

4 files changed

+457
-39
lines changed

4 files changed

+457
-39
lines changed

javascript/change-notes/2021-07-14-querystring.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
lgtm,codescanning
2+
* The security queries now track taint through more query string parsers.
3+
Affected packages are
4+
[qs](https://npmjs.com/package/qs),
5+
[normailize-url](https://npmjs.com/package/normalize-url),
6+
[parseqs](https://npmjs.com/package/parseqs)

javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll

Lines changed: 51 additions & 39 deletions
Original file line numberDiff line numberDiff line change
@@ -96,13 +96,8 @@ module uridashjs {
9696
*/
9797
private class Step extends TaintTracking::SharedTaintStep {
9898
override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
99-
exists(string name, DataFlow::CallNode call |
100-
name = "parse" or
101-
name = "serialize" or
102-
name = "resolve" or
103-
name = "normalize"
104-
|
105-
call = uridashjsMember(name).getACall() and
99+
exists(DataFlow::CallNode call |
100+
call = uridashjsMember(["parse", "serialize", "resolve", "normalize"]).getACall() and
106101
pred = call.getAnArgument() and
107102
succ = call
108103
)
@@ -126,13 +121,8 @@ module punycode {
126121
*/
127122
private class Step extends TaintTracking::SharedTaintStep {
128123
override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
129-
exists(string name, DataFlow::CallNode call |
130-
name = "decode" or
131-
name = "encode" or
132-
name = "toUnicode" or
133-
name = "toASCII"
134-
|
135-
call = punycodeMember(name).getACall() and
124+
exists(DataFlow::CallNode call |
125+
call = punycodeMember(["decode", "encode", "toUnicode", "toASCII"]).getACall() and
136126
pred = call.getAnArgument() and
137127
succ = call
138128
)
@@ -193,11 +183,8 @@ module querystringify {
193183
*/
194184
private class Step extends TaintTracking::SharedTaintStep {
195185
override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
196-
exists(string name, DataFlow::CallNode call |
197-
name = "parse" or
198-
name = "stringify"
199-
|
200-
call = querystringifyMember(name).getACall() and
186+
exists(DataFlow::CallNode call |
187+
call = querystringifyMember(["parse", "stringify"]).getACall() and
201188
pred = call.getAnArgument() and
202189
succ = call
203190
)
@@ -221,13 +208,8 @@ module querydashstring {
221208
*/
222209
private class Step extends TaintTracking::SharedTaintStep {
223210
override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
224-
exists(string name, DataFlow::CallNode call |
225-
name = "parse" or
226-
name = "extract" or
227-
name = "parseUrl" or
228-
name = "stringify"
229-
|
230-
call = querydashstringMember(name).getACall() and
211+
exists(DataFlow::CallNode call |
212+
call = querydashstringMember(["parse", "extract", "parseUrl", "stringify"]).getACall() and
231213
pred = call.getAnArgument() and
232214
succ = call
233215
)
@@ -249,12 +231,8 @@ module url {
249231
*/
250232
private class Step extends TaintTracking::SharedTaintStep {
251233
override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
252-
exists(string name, DataFlow::CallNode call |
253-
name = "parse" or
254-
name = "format" or
255-
name = "resolve"
256-
|
257-
call = urlMember(name).getACall() and
234+
exists(DataFlow::CallNode call |
235+
call = urlMember(["parse", "format", "resolve"]).getACall() and
258236
pred = call.getAnArgument() and
259237
succ = call
260238
)
@@ -278,20 +256,54 @@ module querystring {
278256
*/
279257
private class Step extends TaintTracking::SharedTaintStep {
280258
override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
281-
exists(string name, DataFlow::CallNode call |
282-
name = "escape" or
283-
name = "unescape" or
284-
name = "parse" or
285-
name = "stringify"
286-
|
287-
call = querystringMember(name).getACall() and
259+
exists(DataFlow::CallNode call |
260+
call = querystringMember(["escape", "unescape", "parse", "stringify"]).getACall() and
288261
pred = call.getAnArgument() and
289262
succ = call
290263
)
291264
}
292265
}
293266
}
294267

268+
/**
269+
* A taint step through a call to [qs](https://npmjs.com/package/qs)
270+
*/
271+
private class QsStep extends TaintTracking::SharedTaintStep {
272+
override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
273+
exists(API::CallNode call |
274+
call = API::moduleImport("qs").getMember(["parse", "stringify"]).getACall()
275+
|
276+
pred = call.getArgument(0) and
277+
succ = call
278+
)
279+
}
280+
}
281+
282+
/**
283+
* A taint step through a call to [normalize-url](https://npmjs.com/package/normalize-url)
284+
*/
285+
private class NormalizeUrlStep extends TaintTracking::SharedTaintStep {
286+
override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
287+
exists(API::CallNode call | call = API::moduleImport("normalize-url").getACall() |
288+
pred = call.getArgument(0) and
289+
succ = call
290+
)
291+
}
292+
}
293+
294+
/**
295+
* A taint step through a call to [parseqs](https://npmjs.com/package/parseqs).
296+
*/
297+
private class ParseQsStep extends TaintTracking::SharedTaintStep {
298+
override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
299+
exists(API::CallNode call |
300+
call = API::moduleImport("parseqs").getMember(["encode", "decode"]).getACall() and
301+
pred = call.getArgument(0) and
302+
succ = call
303+
)
304+
}
305+
}
306+
295307
/**
296308
* Provides steps for the `goog.Uri` class in the closure library.
297309
*/

0 commit comments

Comments
 (0)