-
Notifications
You must be signed in to change notification settings - Fork 1.8k
JS: Model Nest.js #5719
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
JS: Model Nest.js #5719
Changes from all commits
Commits
Show all changes
9 commits
Select commit
Hold shift + click to select a range
ad12f38
JS: Reduce reliance on RouteHandler in Express model
asgerf 822d452
JS: Drive-by change in LogInjection
asgerf 109d1ad
JS: Model fs.promises
asgerf 671e968
JS: Model NestJS
asgerf d0b8b32
JS: Add change notes
asgerf 4f53a1a
JS: Cache ClassNode::Range
asgerf 71e3041
JS: Fewer spurious reflected xss sinks
asgerf 0da0670
JS: Add Nest.js to list of supported framworks
asgerf f4e636d
Update javascript/ql/src/semmle/javascript/frameworks/ClassValidator.qll
asgerf File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| lgtm,codescanning | ||
| * Support for `fs.promises` has been added, leading to more results for security queries | ||
| related to file system access. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| lgtm,codescanning | ||
| * Support for Nest.js has been added. The security queries now recognize sources and sinks | ||
| specific to the Nest.js framework. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
67 changes: 67 additions & 0 deletions
67
javascript/ql/src/semmle/javascript/frameworks/ClassValidator.qll
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| /** | ||
| * Provides predicates for reasoning about sanitization via the `class-validator` library. | ||
| */ | ||
|
|
||
| import javascript | ||
|
|
||
| /** | ||
| * Provides predicates for reasoning about sanitization via the `class-validator` library. | ||
| */ | ||
| module ClassValidator { | ||
| /** | ||
| * Holds if the decorator with the given name sanitizes the input, for the purpose of taint tracking. | ||
| */ | ||
| bindingset[name] | ||
| private predicate isSanitizingDecoratorName(string name) { | ||
| // Most decorators do sanitize the input, so only list those that don't. | ||
| not name = | ||
| [ | ||
| "IsDefined", "IsOptional", "NotEquals", "IsNotEmpty", "IsNotIn", "IsString", "IsArray", | ||
| "Contains", "NotContains", "IsAscii", "IsByteLength", "IsDataURI", "IsFQDN", "IsJSON", | ||
| "IsJWT", "IsObject", "IsNotEmptyObject", "IsLowercase", "IsSurrogatePair", "IsUrl", | ||
| "IsUppercase", "Length", "MinLength", "MaxLength", "ArrayContains", "ArrayNotContains", | ||
| "ArrayNotEmpty", "ArrayMinSize", "ArrayMaxSize", "ArrayUnique", "Allow", "ValidateNested", | ||
| "Validate", | ||
| // Consider "Matches" to be non-sanitizing as it is special-cased below | ||
| "Matches" | ||
| ] | ||
| } | ||
|
|
||
| /** Holds if the given call is a decorator that sanitizes values for the purpose of taint tracking, such as `IsBoolean()`. */ | ||
| API::CallNode sanitizingDecorator() { | ||
| exists(string name | result = API::moduleImport("class-validator").getMember(name).getACall() | | ||
| isSanitizingDecoratorName(name) | ||
| or | ||
| name = "Matches" and | ||
| RegExp::isGenericRegExpSanitizer(RegExp::getRegExpFromNode(result.getArgument(0)), true) | ||
| ) | ||
| } | ||
|
|
||
| /** Holds if the given field has a decorator that sanitizes its value for the purpose of taint tracking. */ | ||
| predicate isFieldSanitizedByDecorator(FieldDefinition field) { | ||
| field.getADecorator().getExpression().flow() = sanitizingDecorator().getReturn().getAUse() | ||
| } | ||
|
|
||
| pragma[noinline] | ||
| private predicate isFieldSanitizedByDecorator(ClassDefinition cls, string name) { | ||
| isFieldSanitizedByDecorator(cls.getField(name)) | ||
| } | ||
|
|
||
| pragma[noinline] | ||
| private ClassDefinition getClassReferencedByPropRead(DataFlow::PropRead read) { | ||
| read.getBase().asExpr().getType().unfold().(ClassType).getClass() = result | ||
| } | ||
|
|
||
| /** | ||
| * Holds if the given property read refers to a field that has a sanitizing decorator. | ||
| * | ||
| * Only holds when TypeScript types are available. | ||
| */ | ||
| pragma[noinline] | ||
| predicate isAccessToSanitizedField(DataFlow::PropRead read) { | ||
| exists(ClassDefinition class_ | | ||
| class_ = getClassReferencedByPropRead(read) and | ||
| isFieldSanitizedByDecorator(class_, read.getPropertyName()) | ||
| ) | ||
| } | ||
| } | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.