JS: Some fixes and address review comments

asgerf · asgerf · commit 790526b52955 · 2020-11-06T09:06:20.000Z
diff --git a/javascript/ql/src/semmle/javascript/frameworks/DateFunctions.qll b/javascript/ql/src/semmle/javascript/frameworks/DateFunctions.qll
@@ -1,61 +1,75 @@
+/** Provides taint steps modeling flow through date-manipulation libraries. */
 private import javascript
 
-private API::Node formatFunction() {
-  result = API::moduleImport(["date-fns", "date-fns/utc"]).getMember(["format", "lightFormat"])
-  or
-  result =
-    API::moduleImport(["date-fns/format", "date-fns/lightFormat", "date-fns/utc/format",
-          "date-fns/utc/lightFormat"])
-}
+private module DateFns {
+  private API::Node formatFunction() {
+    result = API::moduleImport(["date-fns", "date-fns/esm"]).getMember(["format", "lightFormat"])
+    or
+    result =
+      API::moduleImport(["date-fns/format", "date-fns/lightFormat", "date-fns/esm/format",
+            "date-fns/esm/lightFormat"])
+  }
 
-private API::Node formatFunctionCurried() {
-  result =
-    API::moduleImport(["date-fns/fp", "date-fns/fp/utc"]).getMember(["format", "lightFormat"])
-  or
-  result =
-    API::moduleImport(["date-fns/fp/format", "date-fns/fp/lightFormat", "date-fns/fp/utc/format",
-          "date-fns/fp/utc/lightFormat"])
-}
+  private API::Node curriedFormatFunction() {
+    result =
+      API::moduleImport(["date-fns/fp", "date-fns/esm/fp"]).getMember(["format", "lightFormat"])
+    or
+    result =
+      API::moduleImport(["date-fns/fp/format", "date-fns/fp/lightFormat", "date-fns/esm/fp/format",
+            "date-fns/esm/fp/lightFormat"])
+  }
 
-/**
- * Taint step of form: `f -> format(date, f)`
- *
- * A format string can use single-quotes to include mostly arbitrary text.
- */
-private class DateFnsFormatStep extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
-  DateFnsFormatStep() { this = formatFunction().getACall() }
-
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    pred = getArgument(1) and
-    succ = this
+  /**
+   * Taint step of form: `f -> format(date, f)`
+   *
+   * A format string can use single-quotes to include mostly arbitrary text.
+   */
+  private class FormatStep extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
+    FormatStep() { this = formatFunction().getACall() }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      pred = getArgument(1) and
+      succ = this
+    }
   }
-}
 
-/**
- * Taint step of form: `f -> format(f)(date)`
- */
-private class DateFnsCurriedFormatStep extends TaintTracking::AdditionalTaintStep,
-  DataFlow::CallNode {
-  DateFnsCurriedFormatStep() { this = formatFunctionCurried().getACall() }
+  /**
+   * Taint step of form: `f -> format(f)(date)`
+   */
+  private class CurriedFormatStep extends TaintTracking::AdditionalTaintStep,
+    DataFlow::CallNode {
+    CurriedFormatStep() { this = curriedFormatFunction().getACall() }
 
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    pred = getArgument(0) and
-    succ = getACall()
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      pred = getArgument(0) and
+      succ = getACall()
+    }
   }
 }
 
-/**
- * Taint step of form: `f -> momentObj.format(f)`
- *
- * The format string can use backslash-escaping to include mostly arbitrary text.
- */
-private class MomentFormatStep extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
-  MomentFormatStep() {
-    this = API::moduleImport("moment").getASuccessor*().getMember("format").getACall()
+private module Moment {
+  /** Gets a reference to a `moment` object. */
+  private API::Node moment() {
+    result = API::moduleImport("moment")
+    or
+    result = moment().getReturn()
+    or
+    result = moment().getAMember()
   }
 
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    pred = getArgument(0) and
-    succ = this
+  /**
+   * Taint step of form: `f -> momentObj.format(f)`
+   *
+   * The format string can use backslash-escaping to include mostly arbitrary text.
+   */
+  private class MomentFormatStep extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
+    MomentFormatStep() {
+      this = moment().getMember("format").getACall()
+    }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      pred = getArgument(0) and
+      succ = this
+    }
   }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js
@@ -1,14 +1,14 @@
 import dateFns from 'date-fns';
 import dateFnsFp from 'date-fns/fp';
-import dateFnsUtc from 'date-fns/utc';
+import dateFnsEsm from 'date-fns/esm';
 import moment from 'moment';
 
 function main() {
     let time = new Date();
     let taint = decodeURIComponent(window.location.hash.substring(1));
 
     document.body.innerHTML = `Time is ${dateFns.format(time, taint)}`; // NOT OK
-    document.body.innerHTML = `Time is ${dateFnsUtc.format(time, taint)}`; // NOT OK
+    document.body.innerHTML = `Time is ${dateFnsEsm.format(time, taint)}`; // NOT OK
     document.body.innerHTML = `Time is ${dateFnsFp.format(taint)(time)}`; // NOT OK
     document.body.innerHTML = `Time is ${dateFns.format(taint, time)}`; // OK - time arg is safe
     document.body.innerHTML = `Time is ${dateFnsFp.format(time)(taint)}`; // OK - time arg is safe
