Status: Closed
Labels: question (Further information is requested)
Description
For example, the SQL injection in the example code below is not reported by the following CodeQL query.
javascript code:

```javascript
const route = require('koa-route');
const Koa = require('koa');
const mysql = require('mysql2');
const xss = require('xss');

const app = new Koa();
const connection = mysql.createConnection({
  host: 'localhost',
  user: 'root',
  database: 'test'
});

// koa-route passes captured path segments to the handler as extra arguments,
// so the route needs a named parameter for `param1` to carry request input.
app.use(route.get('/test1/:name', (context, param1) => {
  param1 = xss(param1); // xss() filters HTML; it does not escape SQL
  connection.query(
    `SELECT * FROM \`table\` WHERE \`name\` =` + param1,
  );
}));

app.listen(3000);
```
codeql scan rule:

```ql
/**
 * @name sql-injection
 * @kind path-problem
 * @precision high
 * @id js/sql-injection
 */

import javascript
import semmle.javascript.security.dataflow.SqlInjection
import DataFlow::PathGraph
import udc.SourceClass

class CustomSqlInjectionConfig extends SqlInjection::Configuration {
  override predicate isSource(DataFlow::Node n) {
    n instanceof udc::Source or
    n instanceof SqlInjection::Source
  }
}

from
  CustomSqlInjectionConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
  DataFlow::Node highlight, DataFlow::Node sourceNode
where
  cfg.hasFlowPath(source, sink) and
  highlight = sink.getNode() and
  sourceNode = source.getNode()
select highlight, source, sink, "This SQL query depends on $@.", sourceNode, sourceNode.toString()
```
I currently believe that the localFlowStep function in Node.js does not take into account functions defined in npm libraries, and does not make conservative assumptions about undefined functions.
Is this an unintended situation? I have currently fixed the issue by modifying the query rules under my local DataFlow namespace.
But CodeQL's internal library doesn't give PR guidelines, so I am opening an issue for now.
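One way to keep the flow alive across the unmodelled `xss()` call without touching the DataFlow library, as an added example that is not part of the issue or of CodeQL itself: an extra taint step that marks the result of a call to the `xss` module as tainted whenever its first argument is (the `xss` package filters HTML and does not escape SQL, so it is not a sanitizer for this sink). It assumes the issue author's `udc.SourceClass` module; the `@id` is a made-up value, while `moduleImport`, `getACall` and `isAdditionalTaintStep` are standard JavaScript library predicates.

```ql
/**
 * @name sql-injection (taint preserved through xss())
 * @kind path-problem
 * @precision high
 * @id js/sql-injection-through-xss
 */

import javascript
import semmle.javascript.security.dataflow.SqlInjection
import DataFlow::PathGraph
import udc.SourceClass

class CustomSqlInjectionConfig extends SqlInjection::Configuration {
  override predicate isSource(DataFlow::Node n) {
    n instanceof udc::Source or
    n instanceof SqlInjection::Source
  }

  // Propagate taint from the argument of xss(...) to its return value:
  // the call only strips HTML, so a string that is dangerous for SQL stays so.
  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    super.isAdditionalTaintStep(pred, succ)
    or
    exists(DataFlow::CallNode xssCall |
      xssCall = DataFlow::moduleImport("xss").getACall() and
      pred = xssCall.getArgument(0) and
      succ = xssCall
    )
  }
}

from CustomSqlInjectionConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This SQL query depends on $@.", source.getNode(),
  source.getNode().toString()
```

With this step in place the path from the route parameter through `xss(param1)` into `connection.query(...)` is reported; the same pattern works for any other library call whose result should be treated as still tainted for a given sink.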