Merge pull request #314 from esben-semmle/js/json-stringify-as-command-line-injection-source-heuristic

semmle-qlci · web-flow · commit b743ee417925 · 2018-11-05T07:37:36.000Z
Approved by xiemaisi
diff --git a/javascript/ql/src/semmle/javascript/heuristics/AdditionalSources.qll b/javascript/ql/src/semmle/javascript/heuristics/AdditionalSources.qll
@@ -6,6 +6,7 @@
 
 import javascript
 import SyntacticHeuristics
+private import semmle.javascript.security.dataflow.CommandInjection
 
 /**
  * A heuristic source of data flow in a security query.
@@ -26,3 +27,13 @@ private class RemoteFlowPassword extends HeuristicSource, RemoteFlowSource {
   }
 
 }
+
+/**
+ * A use of `JSON.stringify`, viewed as a source for command line injections
+ * since it does not properly escape single quotes and dollar symbols.
+ */
+private class JSONStringifyAsCommandInjectionSource extends HeuristicSource, CommandInjection::Source {
+  JSONStringifyAsCommandInjectionSource() {
+    this = DataFlow::globalVarRef("JSON").getAMemberCall("stringify")
+  }
+}
diff --git a/javascript/ql/test/library-tests/Security/heuristics/HeuristicSource.expected b/javascript/ql/test/library-tests/Security/heuristics/HeuristicSource.expected
@@ -1,2 +1,3 @@
 | additionalCommandInjections.js:2:28:2:35 | password |
 | sources.js:2:5:2:12 | password |
+| sources.js:3:5:3:20 | JSON.stringify() |
diff --git a/javascript/ql/test/library-tests/Security/heuristics/sources.js b/javascript/ql/test/library-tests/Security/heuristics/sources.js
@@ -1,3 +1,4 @@
 (function() {
     password;
+    JSON.stringify();
 })();

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`\| additionalCommandInjections.js:2:28:2:35 \| password \|`
`2`	`2`	`\| sources.js:2:5:2:12 \| password \|`
	`3`	`+\| sources.js:3:5:3:20 \| JSON.stringify() \|`