JS: Track deep flow through qs.stringify

asgerf · asgerf · commit 319ee2ccd522 · 2025-02-28T13:28:04.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll b/javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll
@@ -421,3 +421,22 @@ private module ClosureLibraryUri {
     }
   }
 }
+
+private class QueryStringStringification extends DataFlow::SummarizedCallable {
+  QueryStringStringification() { this = "query-string stringification" }
+
+  override DataFlow::InvokeNode getACall() {
+    result =
+      API::moduleImport(["querystring", "query-string", "querystringify", "qs"])
+          .getMember("stringify")
+          .getACall() or
+    result = API::moduleImport("url-parse").getMember("qs").getMember("stringify").getACall() or
+    result = API::moduleImport("parseqs").getMember("encode").getACall()
+  }
+
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    preservesValue = false and
+    input = ["Argument[0]", "Argument[0].AnyMemberDeep"] and
+    output = "ReturnValue"
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js b/javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js
@@ -34,7 +34,7 @@ function PostCode(codestring) {
       });
   });
 
-  post_req.write(post_data); // $ MISSING: Alert - post the data from file to request body
+  post_req.write(post_data); // $ Alert - post the data from file to request body
   post_req.end();
 
 }
@@ -58,4 +58,4 @@ fs.readFile('LinkedList.js', 'utf-8', function (err, data) {
     console.log("No data to post");
     process.exit(-1);
   }
-});
+});

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ function PostCode(codestring) {`
`34`	`34`	`});`
`35`	`35`	`});`
`36`	`36`
`37`		`- post_req.write(post_data); // $ MISSING: Alert - post the data from file to request body`
	`37`	`+ post_req.write(post_data); // $ Alert - post the data from file to request body`
`38`	`38`	`post_req.end();`
`39`	`39`
`40`	`40`	`}`
`@@ -58,4 +58,4 @@ fs.readFile('LinkedList.js', 'utf-8', function (err, data) {`
`58`	`58`	`console.log("No data to post");`
`59`	`59`	`process.exit(-1);`
`60`	`60`	`}`
`61`		`-});`
	`61`	`+});`