I noticed that the sources and sinks for some of the code injection CVEs in JavaScript were spread out among different queries making it difficult or impossible to find the issues in some cases. I also saw that there is an experimental suite of Javascript Security queries that add additional sources.
I tested the experimental query for code injection located here on some simple js code that contains a use of JSON.stringify as source and eval as sink. I know this should be covered because there is a private class for JSON.stringify in the AdditionalSources.qll that CodeInjection.ql imports.
/**
 * A use of `JSON.stringify`, viewed as a source for command-line injections
 * since it does not properly escape single quotes and dollar symbols.
 */
private class JsonStringifyAsCommandInjectionSource extends HeuristicSource,
  CommandInjection::Source instanceof JsonStringifyCall
{
  override string getSourceType() { result = "a string from JSON.stringify" }
}
When I run it on this code, I get 0 results:
// CommonJS module: `module.exports` is used below, so `fs` is loaded with `require`
// rather than an ES `import` (the module is otherwise unused in this test case).
const fs = require('fs');

function encodeStatements(statements) {
  // Heuristic source (JSON.stringify) flowing straight into the code-injection sink (eval)
  eval(JSON.stringify(statements));
}

module.exports = encodeStatements;
I tested with this query to ensure that the sink was recognized which it was.
import javascript
import semmle.javascript.security.dataflow.CodeInjectionQuery
import CodeInjectionFlow::PathGraph
import semmle.javascript.heuristics.AdditionalSources
from DataFlow::Node sink
where CodeInjectionConfig::isSink(sink)
select sink, "Sink found"
When I tried the same thing for sources I received 0 results in the source code. However, I ran this query, which confirmed that JSON.stringify is part of the sources added as HeuristicSource, so I'm very confused as to why this doesn't work.
import javascript
import semmle.javascript.security.dataflow.CodeInjectionQuery
import CodeInjectionFlow::PathGraph
import semmle.javascript.heuristics.AdditionalSources
from DataFlow::Node source
where source instanceof HeuristicSource
select source, "User input"
Not sure where the error here lies but I could use some help diagnosing it. Thanks!
We can add one; however, a second problem will prevent any results.
Namely the JsonStringlifySanitizer that sanitizes the result of that call. The opposite of what we want.
I will contact the author to determine if this heuristic source was intended to be supported. Keep you posted.
It was indeed intended to support this additional heuristic source, however the extensions cannot influence the barrier that prevents it.
Improving experimental queries is not a product priority, but I will create a tracking issue in case we can pick up this FN.
To resolve this for your use, I would suggest copying the configuration and modifying the barrier to exclude heuristic sources.
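As an added illustration of that workaround (my own query, not the maintainer's or the CodeQL project's code): a standalone path query that copies the code-injection configuration and narrows the barrier so a node the heuristic suite marks as a source is not thrown away by the sanitizer. The module names `HeuristicCodeInjectionConfig` and `HeuristicCodeInjectionFlow`, the query `@id` and the alert message are my own; it assumes the `CodeInjection` customizations module exposes `Source`, `Sink` and `Sanitizer` and that `HeuristicSource` is visible after importing `AdditionalSources`, as in the queries above.

```ql
/**
 * @name Code injection (heuristic JSON.stringify sources)
 * @description Copy of the code-injection configuration whose barrier does
 *              not discard nodes that the heuristic suite treats as sources.
 * @kind path-problem
 * @problem.severity error
 * @id js/examples/code-injection-heuristic-sources
 */

import javascript
import semmle.javascript.security.dataflow.CodeInjectionCustomizations::CodeInjection
import semmle.javascript.heuristics.AdditionalSources

// Hypothetical module name; mirrors the shipped CodeInjectionConfig except for isBarrier.
module HeuristicCodeInjectionConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof Source }

  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  // Keep the standard sanitizers, but never let one block a node that the
  // heuristic suite deliberately reports as a source (e.g. a JSON.stringify call).
  predicate isBarrier(DataFlow::Node node) {
    node instanceof Sanitizer and not node instanceof HeuristicSource
  }
}

// Hypothetical module name; taint tracking over the configuration above.
module HeuristicCodeInjectionFlow = TaintTracking::Global<HeuristicCodeInjectionConfig>;

import HeuristicCodeInjectionFlow::PathGraph

from HeuristicCodeInjectionFlow::PathNode source, HeuristicCodeInjectionFlow::PathNode sink
where HeuristicCodeInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "This code execution depends on a $@.", source.getNode(), "heuristic user-provided value"
```

Run it as a custom query alongside the stock one; on the `encodeStatements` snippet above it should report the `JSON.stringify` call flowing into `eval`, whereas the shipped query stays silent because the barrier removes the source itself.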