
Conversation

@erik-krogh (Contributor) commented Apr 15, 2021

Adds a taint-step for CVE-2020-27224

@erik-krogh erik-krogh requested a review from a team as a code owner April 15, 2021 14:27
asgerf previously approved these changes Apr 15, 2021

@asgerf (Contributor) left a comment

LGTM with an optional suggestion

override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
exists(API::CallNode renderer, API::CallNode call |
renderer = API::moduleImport("markdown-it").getACall() and
renderer.getParameter(0).getMember("html").getARhs().asExpr().(BooleanLiteral).getValue() =
Contributor (review comment on the lines above):

Would you like to go ahead and add DataFlow::Node.getBooleanValue?

Contributor Author (@erik-krogh):

I should have used the existing mayHaveBooleanValue.
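The step under review, written out as an added example that uses the existing mayHaveBooleanValue predicate instead of reading a BooleanLiteral. This is not the PR's merged code: the class name, and the assumption that the rendered output is the result of a render call on the object returned by the markdown-it constructor, are this example's own.

```ql
/**
 * Added example (not the project's merged code): a shared taint step for
 * `markdown-it`. When the renderer is created with `{ html: true }`, raw HTML
 * in the Markdown source survives rendering, so taint should flow from the
 * argument of `render` to its result. The class name and the `render`
 * method assumption are this example's own choices.
 */
import javascript

class MarkdownItHtmlStep extends TaintTracking::SharedTaintStep {
  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
    exists(API::CallNode renderer, API::CallNode call |
      // `require("markdown-it")(options)`
      renderer = API::moduleImport("markdown-it").getACall() and
      // the `html` option may evaluate to `true`; `mayHaveBooleanValue` also
      // matches values that are only possibly `true`, unlike a literal check
      renderer.getParameter(0).getMember("html").getARhs().mayHaveBooleanValue(true) and
      // `md.render(src)` on the constructed renderer (assumed method name)
      call = renderer.getReturn().getMember("render").getACall() and
      pred = call.getArgument(0) and
      succ = call
    )
  }
}
```

Using mayHaveBooleanValue(true) rather than casting the right-hand side to a BooleanLiteral means the step also fires when the option is a variable or a conditional that the analysis cannot prove false, which is the conservative choice for a taint model.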

@erik-krogh (Contributor Author) commented:

I improved the model to support a taint-step for CVE-2020-27666

@erik-krogh erik-krogh added the "Awaiting evaluation" label (Do not merge yet, this PR is waiting for an evaluation to finish) Apr 20, 2021
@erik-krogh erik-krogh removed the "Awaiting evaluation" label (Do not merge yet, this PR is waiting for an evaluation to finish) Apr 22, 2021
@erik-krogh (Contributor Author) commented:

Evaluation is fine.

@codeql-ci codeql-ci merged commit 635fb4c into github:main Apr 22, 2021