Added MaD for global firebase variable.

Napalys · Napalys · commit 42604eb3eaf1 · 2025-04-22T12:21:56.000+02:00
diff --git a/javascript/ql/lib/ext/firebase.model.yml b/javascript/ql/lib/ext/firebase.model.yml
@@ -4,6 +4,7 @@ extensions:
       extensible: typeModel
     data:
       - ["FirebaseDBRef", "firebase/app", "Member[database].ReturnValue"]
+      - ["firebase/app", "global", "Member[firebase]"]
       - ["FirebaseDBRef", "FirebaseDBRef", "Member[ref,refFromURL].ReturnValue"]
       - ["FirebaseDBRef", "FirebaseDBRef", "Member[child,once,on,push,set,then].ReturnValue"]
       - ["FirebaseDBRef", "FirebaseDBRef", "Member[ref,root,parent,before,after]"]
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
@@ -27,6 +27,8 @@
 | express.js:20:34:20:38 | taint | express.js:19:17:19:35 | req.param("wobble") | express.js:20:34:20:38 | taint | This code execution depends on a $@. | express.js:19:17:19:35 | req.param("wobble") | user-provided value |
 | express.js:36:15:36:19 | taint | express.js:27:17:27:35 | req.param("wobble") | express.js:36:15:36:19 | taint | This code execution depends on a $@. | express.js:27:17:27:35 | req.param("wobble") | user-provided value |
 | express.js:43:10:43:12 | msg | express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | This code execution depends on a $@. | express.js:42:30:42:32 | msg | user-provided value |
+| firebase-server2.js:4:10:4:23 | snapshot.val() | firebase-server2.js:4:10:4:23 | snapshot.val() | firebase-server2.js:4:10:4:23 | snapshot.val() | This code execution depends on a $@. | firebase-server2.js:4:10:4:23 | snapshot.val() | user-provided value |
+| firebase-server2.js:8:14:8:33 | followSnapshot.val() | firebase-server2.js:8:14:8:33 | followSnapshot.val() | firebase-server2.js:8:14:8:33 | followSnapshot.val() | This code execution depends on a $@. | firebase-server2.js:8:14:8:33 | followSnapshot.val() | user-provided value |
 | firebase-server.js:7:10:7:16 | x.val() | firebase-server.js:7:10:7:16 | x.val() | firebase-server.js:7:10:7:16 | x.val() | This code execution depends on a $@. | firebase-server.js:7:10:7:16 | x.val() | user-provided value |
 | firebase-server.js:8:10:8:22 | x.exportVal() | firebase-server.js:8:10:8:22 | x.exportVal() | firebase-server.js:8:10:8:22 | x.exportVal() | This code execution depends on a $@. | firebase-server.js:8:10:8:22 | x.exportVal() | user-provided value |
 | firebase-server.js:10:14:10:33 | parentSnapshot.val() | firebase-server.js:10:14:10:33 | parentSnapshot.val() | firebase-server.js:10:14:10:33 | parentSnapshot.val() | This code execution depends on a $@. | firebase-server.js:10:14:10:33 | parentSnapshot.val() | user-provided value |
@@ -158,6 +160,8 @@ nodes
 | express.js:36:15:36:19 | taint | semmle.label | taint |
 | express.js:42:30:42:32 | msg | semmle.label | msg |
 | express.js:43:10:43:12 | msg | semmle.label | msg |
+| firebase-server2.js:4:10:4:23 | snapshot.val() | semmle.label | snapshot.val() |
+| firebase-server2.js:8:14:8:33 | followSnapshot.val() | semmle.label | followSnapshot.val() |
 | firebase-server.js:7:10:7:16 | x.val() | semmle.label | x.val() |
 | firebase-server.js:8:10:8:22 | x.exportVal() | semmle.label | x.exportVal() |
 | firebase-server.js:10:14:10:33 | parentSnapshot.val() | semmle.label | parentSnapshot.val() |
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected
@@ -82,6 +82,8 @@ nodes
 | express.js:36:15:36:19 | taint | semmle.label | taint |
 | express.js:42:30:42:32 | msg | semmle.label | msg |
 | express.js:43:10:43:12 | msg | semmle.label | msg |
+| firebase-server2.js:4:10:4:23 | snapshot.val() | semmle.label | snapshot.val() |
+| firebase-server2.js:8:14:8:33 | followSnapshot.val() | semmle.label | followSnapshot.val() |
 | firebase-server.js:7:10:7:16 | x.val() | semmle.label | x.val() |
 | firebase-server.js:8:10:8:22 | x.exportVal() | semmle.label | x.exportVal() |
 | firebase-server.js:10:14:10:33 | parentSnapshot.val() | semmle.label | parentSnapshot.val() |
@@ -95,6 +97,7 @@ nodes
 | firebase-server.js:33:25:33:44 | statusSnapshot.val() | semmle.label | statusSnapshot.val() |
 | firebase-server.js:44:12:44:30 | childSnapshot.val() | semmle.label | childSnapshot.val() |
 | firebase-server.js:55:10:55:19 | snap.val() | semmle.label | snap.val() |
+| firebase-server.js:70:12:70:21 | snap.val() | semmle.label | snap.val() |
 | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
 | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
 | react-native.js:7:7:7:33 | tainted | semmle.label | tainted |
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/firebase-server2.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/firebase-server2.js
@@ -1,11 +1,11 @@
 function globalFirebaseUsage() {
   var usersRef = firebase.database().ref('users');
   usersRef.on('child_added', function(snapshot) {
-    eval(snapshot.val()); // $ MISSING: Alert[js/code-injection]
+    eval(snapshot.val()); // $ Alert[js/code-injection]
     var followUserRef = firebase.database().ref('followers/' + uid + '/' + this.currentUid);
 
     followUserRef.on('value', function(followSnapshot) {
-        eval(followSnapshot.val()); // $ MISSING: Alert[js/code-injection]
+        eval(followSnapshot.val()); // $ Alert[js/code-injection]
     });
   });
 };
