Merge pull request #9756 from erik-krogh/greyMatter

JS: add model for the gray-matter library to js/code-injection

Author: erik-krogh

javascript/ql/lib/change-notes/2022-06-22-sensitive-common-words copy.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `gray-matter` library is now modeled as a sink for the `js/code-injection` query.

javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll

@@ -51,6 +51,18 @@ module CodeInjection {
     }
   }
 
+  /** An expression parsed by the `gray-matter` library. */
+  class GrayMatterSink extends Sink {
+    GrayMatterSink() {
+      exists(API::CallNode call |
+        call = DataFlow::moduleImport("gray-matter").getACall() and
+        this = call.getArgument(0) and
+        // if the js/javascript engine is set, then we assume they are set to something safe.
+        not exists(call.getParameter(1).getMember("engines").getMember(["js", "javascript"]))
+      )
+    }
+  }
+
   /**
    * A template tag occurring in JS code, viewed as a code injection sink.
    */

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/UnsafeCodeConstruction.expected

@@ -11,6 +11,10 @@ nodes
 | lib/index.js:13:38:13:41 | data |
 | lib/index.js:14:21:14:24 | data |
 | lib/index.js:14:21:14:24 | data |
+| lib/index.js:19:26:19:29 | data |
+| lib/index.js:19:26:19:29 | data |
+| lib/index.js:22:7:22:10 | data |
+| lib/index.js:22:7:22:10 | data |
 edges
 | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
 | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data |
@@ -24,7 +28,12 @@ edges
 | lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
 | lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
 | lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data |
+| lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data |
+| lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data |
+| lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data |
+| lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data |
 #select
 | lib/index.js:2:21:2:24 | data | lib/index.js:1:35:1:38 | data | lib/index.js:2:21:2:24 | data | $@ flows to here and is later $@. | lib/index.js:1:35:1:38 | data | Library input | lib/index.js:2:15:2:30 | "(" + data + ")" | interpreted as code |
 | lib/index.js:6:26:6:29 | name | lib/index.js:5:35:5:38 | name | lib/index.js:6:26:6:29 | name | $@ flows to here and is later $@. | lib/index.js:5:35:5:38 | name | Library input | lib/index.js:6:17:6:29 | "obj." + name | interpreted as code |
 | lib/index.js:14:21:14:24 | data | lib/index.js:13:38:13:41 | data | lib/index.js:14:21:14:24 | data | $@ flows to here and is later $@. | lib/index.js:13:38:13:41 | data | Library input | lib/index.js:14:15:14:30 | "(" + data + ")" | interpreted as code |
+| lib/index.js:22:7:22:10 | data | lib/index.js:19:26:19:29 | data | lib/index.js:22:7:22:10 | data | $@ flows to here and is later $@. | lib/index.js:19:26:19:29 | data | Library input | lib/index.js:25:24:25:26 | str | interpreted as code |

javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/lib/index.js

@@ -12,4 +12,24 @@ export function safeAssignment(obj, value) {
 
 global.unsafeDeserialize = function (data) {
   return eval("(" + data + ")"); // NOT OK
-}
+}
+
+const matter = require("gray-matter");
+
+export function greySink(data) {
+    const str = `
+    ---js
+    ${data}
+    ---
+    `
+    const res = matter(str);
+    console.log(res);
+
+    matter(str, { // OK
+        engines: {
+            js: function (data) {
+                console.log("NOPE");
+            }
+        }
+    });
+}