Skip to content

Commit ceda5f6

Browse files
committed
recognize returning an instanceof of a class as exporting that class
1 parent a8a7909 commit ceda5f6

File tree

3 files changed

+37
-0
lines changed

3 files changed

+37
-0
lines changed

javascript/ql/lib/semmle/javascript/PackageExports.qll

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -52,6 +52,16 @@ private DataFlow::Node getAValueExportedByPackage() {
5252
not isPrivateMethodDeclaration(result)
5353
)
5454
or
55+
// module.exports.foo = function () {
56+
// return new Foo(); // <- result
57+
// };
58+
exists(DataFlow::FunctionNode func, DataFlow::NewNode inst, DataFlow::ClassNode clz |
59+
func = getAValueExportedByPackage().getALocalSource() and inst = unique( | | func.getAReturn())
60+
|
61+
clz.getAnInstanceReference() = inst and
62+
result = clz.getAnInstanceMethod()
63+
)
64+
or
5565
result = getAValueExportedByPackage().getALocalSource()
5666
or
5767
// Nested property reads.

javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/PrototypePollutingAssignment.expected

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -111,6 +111,12 @@ nodes
111111
| lib.js:119:13:119:24 | obj[path[0]] |
112112
| lib.js:119:17:119:20 | path |
113113
| lib.js:119:17:119:23 | path[0] |
114+
| lib.js:127:14:127:17 | path |
115+
| lib.js:127:14:127:17 | path |
116+
| lib.js:128:9:128:20 | obj[path[0]] |
117+
| lib.js:128:9:128:20 | obj[path[0]] |
118+
| lib.js:128:13:128:16 | path |
119+
| lib.js:128:13:128:19 | path[0] |
114120
| sublib/sub.js:1:37:1:40 | path |
115121
| sublib/sub.js:1:37:1:40 | path |
116122
| sublib/sub.js:2:3:2:14 | obj[path[0]] |
@@ -269,6 +275,11 @@ edges
269275
| lib.js:119:17:119:20 | path | lib.js:119:17:119:23 | path[0] |
270276
| lib.js:119:17:119:23 | path[0] | lib.js:119:13:119:24 | obj[path[0]] |
271277
| lib.js:119:17:119:23 | path[0] | lib.js:119:13:119:24 | obj[path[0]] |
278+
| lib.js:127:14:127:17 | path | lib.js:128:13:128:16 | path |
279+
| lib.js:127:14:127:17 | path | lib.js:128:13:128:16 | path |
280+
| lib.js:128:13:128:16 | path | lib.js:128:13:128:19 | path[0] |
281+
| lib.js:128:13:128:19 | path[0] | lib.js:128:9:128:20 | obj[path[0]] |
282+
| lib.js:128:13:128:19 | path[0] | lib.js:128:9:128:20 | obj[path[0]] |
272283
| sublib/sub.js:1:37:1:40 | path | sublib/sub.js:2:7:2:10 | path |
273284
| sublib/sub.js:1:37:1:40 | path | sublib/sub.js:2:7:2:10 | path |
274285
| sublib/sub.js:2:7:2:10 | path | sublib/sub.js:2:7:2:13 | path[0] |
@@ -329,6 +340,7 @@ edges
329340
| lib.js:87:10:87:14 | proto | lib.js:83:14:83:22 | arguments | lib.js:87:10:87:14 | proto | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:83:14:83:22 | arguments | library input |
330341
| lib.js:108:3:108:10 | obj[one] | lib.js:104:13:104:21 | arguments | lib.js:108:3:108:10 | obj[one] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:104:13:104:21 | arguments | library input |
331342
| lib.js:119:13:119:24 | obj[path[0]] | lib.js:118:29:118:32 | path | lib.js:119:13:119:24 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:118:29:118:32 | path | library input |
343+
| lib.js:128:9:128:20 | obj[path[0]] | lib.js:127:14:127:17 | path | lib.js:128:9:128:20 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | lib.js:127:14:127:17 | path | library input |
332344
| sublib/sub.js:2:3:2:14 | obj[path[0]] | sublib/sub.js:1:37:1:40 | path | sublib/sub.js:2:3:2:14 | obj[path[0]] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | sublib/sub.js:1:37:1:40 | path | library input |
333345
| tst.js:8:5:8:17 | object[taint] | tst.js:5:24:5:37 | req.query.data | tst.js:8:5:8:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input |
334346
| tst.js:9:5:9:17 | object[taint] | tst.js:5:24:5:37 | req.query.data | tst.js:9:5:9:17 | object[taint] | This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@. | tst.js:5:24:5:37 | req.query.data | user controlled input |

javascript/ql/test/query-tests/Security/CWE-915/PrototypePollutingAssignment/lib.js

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -119,4 +119,19 @@ module.exports.returnsObj = function () {
119119
obj[path[0]][path[1]] = value; // NOT OK
120120
}
121121
}
122+
}
123+
124+
class MyClass {
125+
constructor() {}
126+
127+
set(obj, path, value) {
128+
obj[path[0]][path[1]] = value; // NOT OK
129+
}
130+
131+
static staticSet(obj, path, value) {
132+
obj[path[0]][path[1]] = value; // OK - not exported
133+
}
134+
}
135+
module.exports.returnsMewMyClass = function () {
136+
return new MyClass();
122137
}

0 commit comments

Comments
 (0)