add values written to the global scope as exports

erik-krogh · erik-krogh · commit 147b4a951674 · 2021-09-06T21:21:55.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/PackageExports.qll b/javascript/ql/lib/semmle/javascript/PackageExports.qll
@@ -171,4 +171,8 @@ private DataFlow::Node getAnExportFromModule(Module mod) {
   result.analyze().getAValue() = mod.(AmdModule).getDefine().getAModuleExportsValue()
   or
   result = mod.getAnExportedValue(_)
+  or
+  // exports saved to the global object
+  result = DataFlow::globalObjectRef().getAPropertyWrite().getRhs() and
+  result.getTopLevel() = mod
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/UnsafeCodeConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/UnsafeCodeConstruction.expected
@@ -7,6 +7,10 @@ nodes
 | lib/index.js:5:35:5:38 | name |
 | lib/index.js:6:26:6:29 | name |
 | lib/index.js:6:26:6:29 | name |
+| lib/index.js:13:38:13:41 | data |
+| lib/index.js:13:38:13:41 | data |
+| lib/index.js:14:21:14:24 | data |
+| lib/index.js:14:21:14:24 | data |
 edges
 | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
 | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
@@ -16,6 +20,11 @@ edges
 | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name |
 | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name |
 | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name |
+| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
+| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
+| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
+| lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
 #select
 | lib/index.js:2:21:2:24 | data | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data | $@ flows to here and is later $@. | lib/index.js:1:35:1:38 | data | Library input | lib/index.js:2:15:2:30 | "(" + data + ")" | interpreted as code |
 | lib/index.js:6:26:6:29 | name | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name | $@ flows to here and is later $@. | lib/index.js:5:35:5:38 | name | Library input | lib/index.js:6:17:6:29 | "obj." + name | interpreted as code |
+| lib/index.js:14:21:14:24 | data | lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data | $@ flows to here and is later $@. | lib/index.js:13:38:13:41 | data | Library input | lib/index.js:14:15:14:30 | "(" + data + ")" | interpreted as code |
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js
@@ -9,3 +9,7 @@ export function unsafeGetter(obj, name) {
 export function safeAssignment(obj, value) {
     eval("obj.foo = " + JSON.stringify(value)); // OK
 }
+
+global.unsafeDeserialize = function (data) {
+  return eval("(" + data + ")"); // NOT OK
+}

Original file line number	Diff line number	Diff line change
`@@ -171,4 +171,8 @@ private DataFlow::Node getAnExportFromModule(Module mod) {`
`171`	`171`	`result.analyze().getAValue() = mod.(AmdModule).getDefine().getAModuleExportsValue()`
`172`	`172`	`or`
`173`	`173`	`result = mod.getAnExportedValue(_)`
	`174`	`+ or`
	`175`	`+ // exports saved to the global object`
	`176`	`+ result = DataFlow::globalObjectRef().getAPropertyWrite().getRhs() and`
	`177`	`+ result.getTopLevel() = mod`
`174`	`178`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9,3 +9,7 @@ export function unsafeGetter(obj, name) {`
`9`	`9`	`export function safeAssignment(obj, value) {`
`10`	`10`	`eval("obj.foo = " + JSON.stringify(value)); // OK`
`11`	`11`	`}`
	`12`	`+`
	`13`	`+global.unsafeDeserialize = function (data) {`
	`14`	`+ return eval("(" + data + ")"); // NOT OK`
	`15`	`+}`