
Commit c2a5350

author
Max Schaefer
authored
Merge pull request #982 from asger-semmle/closure-string-lib
JS: model string functions from closure library
2 parents 53de2d8 + 9344001 commit c2a5350

13 files changed

Lines changed: 110 additions & 0 deletions


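--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -61,6 +61,7 @@ import semmle.javascript.frameworks.Azure
 import semmle.javascript.frameworks.Babel
 import semmle.javascript.frameworks.ComposedFunctions
 import semmle.javascript.frameworks.ClientRequests
+import semmle.javascript.frameworks.ClosureLibrary
 import semmle.javascript.frameworks.CookieLibraries
 import semmle.javascript.frameworks.Credentials
 import semmle.javascript.frameworks.CryptoLibraries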

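--- a/javascript/ql/src/semmle/javascript/HtmlSanitizers.qll
+++ b/javascript/ql/src/semmle/javascript/HtmlSanitizers.qll
@@ -54,6 +54,8 @@ private class DefaultHtmlSanitizerCall extends HtmlSanitizerCall {
 .getAPropertyRead(name) or
 callee = DataFlow::moduleMember("html-entities", _).getAPropertyRead(name)
 )
+or
+callee = Closure::moduleImport("goog.string.htmlEscape")
 )
 or
 // Match home-made sanitizers by name.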
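Review bot: The new `goog.string.htmlEscape` disjunct is the only branch in this class body that does not say what it recognises, while the sibling branch right below carries `// Match home-made sanitizers by name.`; a line such as `// goog.string.htmlEscape escapes the HTML-significant characters, so its result counts as sanitized` above the added `or` would keep the block self-explanatory. The accompanying HtmlSanitizerCalls.expected change only covers the `goog.require('goog.string.htmlEscape')` spelling, whereas the taint test in this same commit exercises the namespace form (`string.trim(taint)`); a second `checkEscaped` call written as `string.htmlEscape(...)` would confirm that both spellings resolve here as well. The enclosing characteristic predicate of `DefaultHtmlSanitizerCall` starts before this hunk.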

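--- a/javascript/ql/src/semmle/javascript/StringConcatenation.qll
+++ b/javascript/ql/src/semmle/javascript/StringConcatenation.qll
@@ -47,6 +47,11 @@ module StringConcatenation {
 n = 0
 )
 )
+or
+exists(DataFlow::CallNode call | node = call |
+call = Closure::moduleImport("goog.string.buildString").getACall() and
+result = call.getArgument(n)
+)
 }
 
 /** Gets an operand to the string concatenation defining `node`. */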
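Review bot: The new `goog.string.buildString` disjunct has no comment explaining why argument `n` of the call is operand `n`, which is the invariant the ContainsTwo test depends on; `// goog.string.buildString(a, b, ...) concatenates its arguments in order, so argument n is operand n` above the `exists` would record it. Note that `call.getArgument(n)` only yields positional arguments, so a call that spreads an array (`buildString(...parts)`) contributes no operands at all; if that silent gap is intended it is worth stating in the same comment. The enclosing predicate begins before this hunk.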
Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,56 @@
1+
/**
2+
* Provides models for miscellaneous utility functions in the closure standard library.
3+
*/
4+
5+
import javascript
6+
7+
module ClosureLibrary {
8+
private import DataFlow
9+
10+
private class StringStep extends TaintTracking::AdditionalTaintStep, CallNode {
11+
Node pred;
12+
13+
StringStep() {
14+
exists (string name | this = Closure::moduleImport("goog.string." + name).getACall() |
15+
pred = getAnArgument() and
16+
(
17+
name = "canonicalizeNewlines" or
18+
name = "capitalize" or
19+
name = "collapseBreakingSpaces" or
20+
name = "collapseWhitespace" or
21+
name = "format" or
22+
name = "makeSafe" or // makeSafe just guards against null and undefined
23+
name = "newLineOrBr" or
24+
name = "normalizeSpaces" or
25+
name = "normalizeWhitespace" or
26+
name = "preserveSpaces" or
27+
name = "remove" or // removes first occurrence of a substring
28+
name = "repeat" or
29+
name = "splitLimit" or
30+
name = "stripNewlines" or
31+
name = "subs" or
32+
name = "toCamelCase" or
33+
name = "toSelectorCase" or
34+
name = "toTitleCase" or
35+
name = "trim" or
36+
name = "trimLeft" or
37+
name = "trimRight" or
38+
name = "unescapeEntities" or
39+
name = "whitespaceEscape"
40+
)
41+
or
42+
pred = getArgument(0) and
43+
(
44+
name = "truncate" or
45+
name = "truncateMiddle" or
46+
name = "unescapeEntitiesWithDocument"
47+
)
48+
)
49+
}
50+
51+
override predicate step(Node src, Node dst) {
52+
src = pred and
53+
dst = this
54+
}
55+
}
56+
}
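Review bot: `remove` and `repeat` sit in the `pred = getAnArgument()` group although only their first argument contributes to the result: the hunk's own comment says `remove` drops the first occurrence of its second argument, and `repeat`'s second argument is the repetition count, so a tainted second argument to either call would be reported as flowing into the result. Moving `name = "remove" or // removes first occurrence of a substring` and `name = "repeat" or` into the `pred = getArgument(0)` group fixes that without changing anything else. If I read the closure signatures correctly the same applies to the option arguments of `newLineOrBr`, `toTitleCase` and `whitespaceEscape`, which are flags or delimiter sets rather than content, though over-approximating those is less likely to surface as a false positive. `StringStep` also lacks the QLDoc comment the rest of the file's style uses; a one-line doc describing it as a taint step through a `goog.string` function whose result is derived from its string argument would help the next person extending the list.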

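--- a/javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll
@@ -355,6 +355,13 @@ private module ClosureLibraryUri {
 name = "setPath" or
 name = "split"
 )
+or
+// static methods in goog.string
+arg = 0 and
+exists(string name | this = Closure::moduleImport("goog.string." + name).getACall() |
+name = "urlDecode" or
+name = "urlEncode"
+)
 }
 
 override predicate step(DataFlow::Node pred, DataFlow::Node succ) {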
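Review bot: `urlEncode` is modeled as a taint-preserving step, so a tainted string stays tainted after percent-encoding; that is the conservative default for tracking, but for sinks where URL-encoding is the accepted defense it will produce findings a reviewer then has to dismiss, and the comment should make the choice explicit: `// goog.string.urlEncode / urlDecode: result derived from argument 0; encoding is treated as taint-preserving, not as a sanitizer`. These two functions also live here rather than with the other `goog.string` models added in ClosureLibrary.qll in this same commit, which a maintainer looking for them will not expect; replacing `// static methods in goog.string` with a line saying they are kept here because they are URI steps would save that search. The enclosing characteristic predicate starts before this hunk.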

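--- a/javascript/ql/test/library-tests/HtmlSanitizers/HtmlSanitizerCalls.expected
+++ b/javascript/ql/test/library-tests/HtmlSanitizers/HtmlSanitizerCalls.expected
@@ -1,3 +1,4 @@
+| closure.js:5:1:5:29 | checkEs ... ipt>')) | OK |
 | tst.js:17:1:17:47 | checkEs ... ipt>')) | OK |
 | tst.js:18:1:18:56 | checkEs ... ipt>')) | OK |
 | tst.js:19:1:19:55 | checkEs ... ipt>')) | OK |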
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
goog.module('test');
2+
3+
let esc = goog.require('goog.string.htmlEscape');
4+
5+
checkEscaped(esc('<script>'));

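--- a/javascript/ql/test/library-tests/StringConcatenation/ContainsTwo.expected
+++ b/javascript/ql/test/library-tests/StringConcatenation/ContainsTwo.expected
@@ -1,3 +1,7 @@
+| closure.js:5:1:5:37 | build(' ... 'four') |
+| closure.js:5:1:5:46 | build(' ... 'five' |
+| closure.js:5:14:5:18 | 'two' |
+| closure.js:5:14:5:28 | 'two' + 'three' |
 | tst.js:3:3:3:12 | x += "two" |
 | tst.js:3:8:3:12 | "two" |
 | tst.js:4:3:4:3 | x |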
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
goog.module('test');
2+
3+
let build = goog.require('goog.string.buildString');
4+
5+
build('one', 'two' + 'three', 'four') + 'five';

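--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -9,6 +9,9 @@
 | callbacks.js:44:17:44:24 | source() | callbacks.js:41:10:41:10 | x |
 | callbacks.js:50:18:50:25 | source() | callbacks.js:30:29:30:29 | y |
 | callbacks.js:51:18:51:25 | source() | callbacks.js:30:29:30:29 | y |
+| closure.js:6:15:6:22 | source() | closure.js:8:8:8:31 | string. ... (taint) |
+| closure.js:6:15:6:22 | source() | closure.js:9:8:9:25 | string.trim(taint) |
+| closure.js:6:15:6:22 | source() | closure.js:10:8:10:33 | string. ... nt, 50) |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:18:8:18:14 | c.taint |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:22:8:22:19 | c_safe.taint |
 | constructor-calls.js:10:16:10:23 | source() | constructor-calls.js:26:8:26:14 | d.taint |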
