

Commit b4704f7

committed
add taint-step for the marked library
1 parent 18225fa commit b4704f7

5 files changed

Lines changed: 44 additions & 0 deletions


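--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -93,6 +93,7 @@ import semmle.javascript.frameworks.LazyCache
 import semmle.javascript.frameworks.LodashUnderscore
 import semmle.javascript.frameworks.Logging
 import semmle.javascript.frameworks.HttpFrameworks
+import semmle.javascript.frameworks.Markdown
 import semmle.javascript.frameworks.NoSQL
 import semmle.javascript.frameworks.PkgCloud
 import semmle.javascript.frameworks.PropertyProjection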
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
/**
2+
* Provides classes for modelling common markdown parsers and generators.
3+
*/
4+
5+
import javascript
6+
7+
/**
8+
* A taint step for the `marked` library, that converts markdown to HTML.
9+
*/
10+
private class MarkedStep extends TaintTracking::AdditionalTaintStep, DataFlow::CallNode {
11+
MarkedStep() {
12+
this = DataFlow::globalVarRef("marked").getACall()
13+
or
14+
this = DataFlow::moduleImport("marked").getACall()
15+
}
16+
17+
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
18+
succ = this and
19+
pred = this.getAnArgument()
20+
}
21+
}
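Review bot: `pred = this.getAnArgument()` in `step` makes every argument of the call a taint source, but `marked` also accepts an options object and a callback after the markdown string, so taint reaching an options value would be propagated into the call result; restricting the step to `pred = this.getArgument(0)` matches what is actually rendered. The constructor only matches direct calls of the global or imported `marked`; calls through `marked.parse(...)`, which the library also exposes, would be missed, so a third disjunct such as `this = DataFlow::moduleMember("marked", "parse").getACall()` is worth considering if that entry point is meant to be covered. The class comment could also record the security rationale for the step, for example `// marked passes embedded HTML in its input through to the output by default, so the rendered HTML is as untrusted as the markdown`, so that a later reader does not mistake the call for a sanitizer.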

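--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -7,6 +7,13 @@ nodes
 | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id |
 | ReflectedXss.js:17:31:17:39 | params.id |
 | ReflectedXss.js:17:31:17:39 | params.id |
+| ReflectedXss.js:22:12:22:19 | req.body |
+| ReflectedXss.js:22:12:22:19 | req.body |
+| ReflectedXss.js:22:12:22:19 | req.body |
+| ReflectedXss.js:23:12:23:27 | marked(req.body) |
+| ReflectedXss.js:23:12:23:27 | marked(req.body) |
+| ReflectedXss.js:23:19:23:26 | req.body |
+| ReflectedXss.js:23:19:23:26 | req.body |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id |
@@ -100,6 +107,11 @@ edges
 | ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id |
 | ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id |
 | ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id |
+| ReflectedXss.js:22:12:22:19 | req.body | ReflectedXss.js:22:12:22:19 | req.body |
+| ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) |
+| ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) |
+| ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) |
+| ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
 | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id |
@@ -178,6 +190,8 @@ edges
 #select
 | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
 | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:17:31:17:39 | params.id | user-provided value |
+| ReflectedXss.js:22:12:22:19 | req.body | ReflectedXss.js:22:12:22:19 | req.body | ReflectedXss.js:22:12:22:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:22:12:22:19 | req.body | user-provided value |
+| ReflectedXss.js:23:12:23:27 | marked(req.body) | ReflectedXss.js:23:19:23:26 | req.body | ReflectedXss.js:23:12:23:27 | marked(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:23:19:23:26 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |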

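--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.js
@@ -16,3 +16,9 @@ app.get('/user/:id', function(req, res) {
 function moreBadStuff(params, res) {
 res.send("Unknown user: " + params.id); // NOT OK
 }
+
+var marked = require("marked");
+app.get('/user/:id', function(req, res) {
+res.send(req.body); // NOT OK
+res.send(marked(req.body)); // NOT OK
+});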
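Review bot: The new handler registers the same `'/user/:id'` path that the hunk header shows is already registered earlier in the file, so at runtime Express would only reach it if the first handler called `next()`; the static test does not care, but the duplicate route reads as dead code. A distinct path such as `app.get('/markdown', function(req, res) {` makes the purpose of the new case plain. The `res.send(req.body)` line exercises the existing `req.body` source rather than the new taint step, so a short comment like `// baseline: raw body without marked` next to it would explain why both lines are flagged NOT OK.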

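--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -1,5 +1,7 @@
 | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
 | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:17:31:17:39 | params.id | user-provided value |
+| ReflectedXss.js:22:12:22:19 | req.body | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:22:12:22:19 | req.body | user-provided value |
+| ReflectedXss.js:23:12:23:27 | marked(req.body) | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:23:19:23:26 | req.body | user-provided value |
 | ReflectedXssContentTypes.js:10:14:10:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:10:24:10:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:20:14:20:36 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:20:24:20:36 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |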
