JS: Add steps through date-formatting functions

asgerf · asgerf · commit 8a3fba05e992 · 2020-11-06T09:06:18.000Z
diff --git a/javascript/ql/src/javascript.qll b/javascript/ql/src/javascript.qll
@@ -79,6 +79,7 @@ import semmle.javascript.frameworks.ClosureLibrary
 import semmle.javascript.frameworks.CookieLibraries
 import semmle.javascript.frameworks.Credentials
 import semmle.javascript.frameworks.CryptoLibraries
+import semmle.javascript.frameworks.DateFunctions
 import semmle.javascript.frameworks.DigitalOcean
 import semmle.javascript.frameworks.Electron
 import semmle.javascript.frameworks.EventEmitter
diff --git a/javascript/ql/src/semmle/javascript/frameworks/DateFunctions.qll b/javascript/ql/src/semmle/javascript/frameworks/DateFunctions.qll
@@ -0,0 +1,61 @@
+private import javascript
+
+private API::Node formatFunction() {
+  result = API::moduleImport(["date-fns", "date-fns/utc"]).getMember(["format", "lightFormat"])
+  or
+  result =
+    API::moduleImport(["date-fns/format", "date-fns/lightFormat", "date-fns/utc/format",
+          "date-fns/utc/lightFormat"])
+}
+
+private API::Node formatFunctionCurried() {
+  result =
+    API::moduleImport(["date-fns/fp", "date-fns/fp/utc"]).getMember(["format", "lightFormat"])
+  or
+  result =
+    API::moduleImport(["date-fns/fp/format", "date-fns/fp/lightFormat", "date-fns/fp/utc/format",
+          "date-fns/fp/utc/lightFormat"])
+}
+
+/**
+ * Taint step of form: `f -> format(date, f)`
+ *
+ * A format string can use single-quotes to include mostly arbitrary text.
+ */
+private class DateFnsFormatStep extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
+  DateFnsFormatStep() { this = formatFunction().getACall() }
+
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    pred = getArgument(1) and
+    succ = this
+  }
+}
+
+/**
+ * Taint step of form: `f -> format(f)(date)`
+ */
+private class DateFnsCurriedFormatStep extends TaintTracking::AdditionalTaintStep,
+  DataFlow::CallNode {
+  DateFnsCurriedFormatStep() { this = formatFunctionCurried().getACall() }
+
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    pred = getArgument(0) and
+    succ = getACall()
+  }
+}
+
+/**
+ * Taint step of form: `f -> momentObj.format(f)`
+ *
+ * The format string can use backslash-escaping to include mostly arbitrary text.
+ */
+private class MomentFormatStep extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
+  MomentFormatStep() {
+    this = API::moduleImport("moment").getASuccessor*().getMember("format").getACall()
+  }
+
+  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+    pred = getArgument(0) and
+    succ = this
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/dates.js
@@ -0,0 +1,17 @@
+import dateFns from 'date-fns';
+import dateFnsFp from 'date-fns/fp';
+import dateFnsUtc from 'date-fns/utc';
+import moment from 'moment';
+
+function main() {
+    let time = new Date();
+    let taint = decodeURIComponent(window.location.hash.substring(1));
+
+    document.body.innerHTML = `Time is ${dateFns.format(time, taint)}`; // NOT OK
+    document.body.innerHTML = `Time is ${dateFnsUtc.format(time, taint)}`; // NOT OK
+    document.body.innerHTML = `Time is ${dateFnsFp.format(taint)(time)}`; // NOT OK
+    document.body.innerHTML = `Time is ${dateFns.format(taint, time)}`; // OK - time arg is safe
+    document.body.innerHTML = `Time is ${dateFnsFp.format(time)(taint)}`; // OK - time arg is safe
+    document.body.innerHTML = `Time is ${moment(time).format(taint)}`; // NOT OK
+    document.body.innerHTML = `Time is ${moment(taint).format()}`; // OK
+}
