JS: add new prototype pollution query and reorganize #4778
Conversation
asgerf
added
JS
Awaiting evaluation
javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.qhelp
Outdated
Show resolved
Hide resolved
javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.qhelp
Outdated
Show resolved
Hide resolved
javascript/ql/src/semmle/javascript/security/dataflow/PrototypePollutingAssignment.qll
Outdated
Show resolved
Hide resolved
asgerf
force-pushed
the
js/more-prototype-pollution
branch
from
9aae46b
to
254ac7f
Compare
asgerf
removed
the
Awaiting evaluation
|
Thanks for the review! Evaluation and rerun of slowest look good (internal inks). Added the links to the PR description as well. |
|
@mchammer01 may I ask you for a doc review? |
|
Yes sure, will try to fit this in later today or tomorrow. |
There was a problem hiding this comment.
@asgerf 👋🏻
This LGTM ✨
There's a tiny typo, and also, I think the CWE should be CWE-078 and not 079 on the new query)
Apart from that, I have made a few minor comments, feel free to ignore them if you don't agree 🙂
javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
Outdated
Show resolved
Hide resolved
javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.qhelp
Outdated
Show resolved
Hide resolved
javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.qhelp
Outdated
Show resolved
Hide resolved
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
|
Thanks for the review @mchammer01, I've addressed the comments. |
There was a problem hiding this comment.
Thanks for addressing my comments @asgerf ⚡ ✨
This is good to go from a docs point of view 👍🏻
@erik-krogh any final comments from your end? |
Adds
js/prototype-polluting-assignmentfor flagging property assignments of the formobj[x].prop = valuewherexmay be the user-controlled value__proto__.Since the property read
obj[x]and the assignmentbase.prop = valuecan occur arbitrarily far away from each other, we use a flow label to track the value fromobj[x]tobase.Currently the new query does not do anything special to account for the
constructor.prototypepayload, as such sinks are often exploitable by__proto__as well (the notable exception being when people explicitly guard against__proto__but notconstructor/prototype).Also reorganizes the prototype pollution queries, moving all to the Security/CWE-915 folder and tagging them with CWE-079, CWE-094, CWE-400, and CWE-915.
Also, the query
js/type-confusion-through-parameter-tamperingnow treats thexinx === "__proto__"as a sink, since it can be bypassed by["__proto__"], slightly simplifying the sanitizer logic in the new query.Evaluations: (internal links)