Merge pull request #6258 from erik-krogh/case

Approved by asgerf

Author: codeql-ci

javascript/change-notes/2021-07-12-case.md

@@ -0,0 +1,26 @@
+lgtm,codescanning
+* The dataflow libraries now model dataflow through case changing libraries.
+  Affected packages are
+    [change-case](https://www.npmjs.com/package/change-case),
+    [camel-case](https://www.npmjs.com/package/camel-case),
+    [pascal-case](https://www.npmjs.com/package/pascal-case),
+    [snake-case](https://www.npmjs.com/package/snake-case),
+    [kebab-case](https://www.npmjs.com/package/kebab-case),
+    [param-case](https://www.npmjs.com/package/param-case),
+    [path-case](https://www.npmjs.com/package/path-case),
+    [sentence-case](https://www.npmjs.com/package/sentence-case),
+    [title-case](https://www.npmjs.com/package/title-case),
+    [upper-case](https://www.npmjs.com/package/upper-case),
+    [lower-case](https://www.npmjs.com/package/lower-case),
+    [no-case](https://www.npmjs.com/package/no-case),
+    [constant-case](https://www.npmjs.com/package/constant-case),
+    [dot-case](https://www.npmjs.com/package/dot-case),
+    [upper-case-first](https://www.npmjs.com/package/upper-case-first),
+    [lower-case-first](https://www.npmjs.com/package/lower-case-first),
+    [header-case](https://www.npmjs.com/package/header-case),
+    [capital-case](https://www.npmjs.com/package/capital-case),
+    [swap-case](https://www.npmjs.com/package/swap-case),
+    [sponge-case](https://www.npmjs.com/package/sponge-case),
+    [titleize](https://www.npmjs.com/package/titleize),
+    [camelcase](https://www.npmjs.com/package/camelcase),
+    [decamelize](https://www.npmjs.com/package/decamelize)

javascript/ql/src/semmle/javascript/frameworks/StringFormatters.qll

@@ -103,3 +103,39 @@ private class LibraryFormatter extends PrintfStyleCall {
 
   override predicate returnsFormatted() { returns = true }
 }
+
+/**
+ * A taint step through a case changing function.
+ */
+private class CaseChangingStep extends TaintTracking::SharedTaintStep {
+  override predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(DataFlow::SourceNode callee, DataFlow::CallNode call |
+      callee = DataFlow::moduleMember("change-case", _) or
+      callee = DataFlow::moduleMember("camel-case", "camelCase") or
+      callee = DataFlow::moduleMember("pascal-case", "pascalCase") or
+      callee = DataFlow::moduleMember("snake-case", "snakeCase") or
+      callee = DataFlow::moduleImport("kebab-case") or
+      callee = DataFlow::moduleMember("kebab-case", "reverse") or
+      callee = DataFlow::moduleMember("param-case", "paramCase") or
+      callee = DataFlow::moduleMember("path-case", "pathCase") or
+      callee = DataFlow::moduleMember("sentence-case", "sentenceCase") or
+      callee = DataFlow::moduleMember("title-case", "titleCase") or
+      callee = DataFlow::moduleMember("upper-case", ["upperCase", "localeUpperCase"]) or
+      callee = DataFlow::moduleMember("lower-case", ["lowerCase", "localeLowerCase"]) or
+      callee = DataFlow::moduleMember("no-case", "noCase") or
+      callee = DataFlow::moduleMember("constant-case", "constantCase") or
+      callee = DataFlow::moduleMember("dot-case", "dotCase") or
+      callee = DataFlow::moduleMember("upper-case-first", "upperCaseFirst") or
+      callee = DataFlow::moduleMember("lower-case-first", "lowerCaseFirst") or
+      callee = DataFlow::moduleMember("header-case", "headerCase") or
+      callee = DataFlow::moduleMember("capital-case", "capitalCase") or
+      callee = DataFlow::moduleMember("swap-case", "swapCase") or
+      callee = DataFlow::moduleMember("sponge-case", "spongeCase") or
+      callee = DataFlow::moduleImport(["titleize", "camelcase", "decamelize"])
+    |
+      call = callee.getACall() and
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -35,6 +35,14 @@ typeInferenceMismatch
 | callbacks.js:53:23:53:30 | source() | callbacks.js:58:10:58:10 | x |
 | capture-flow.js:9:11:9:18 | source() | capture-flow.js:14:10:14:16 | outer() |
 | captured-sanitizer.js:25:3:25:10 | source() | captured-sanitizer.js:15:10:15:10 | x |
+| case.js:2:16:2:23 | source() | case.js:5:8:5:35 | changeC ... source) |
+| case.js:2:16:2:23 | source() | case.js:8:8:8:24 | camelCase(source) |
+| case.js:2:16:2:23 | source() | case.js:11:8:11:24 | kebabCase(source) |
+| case.js:2:16:2:23 | source() | case.js:12:8:12:32 | kebabCa ... source) |
+| case.js:2:16:2:23 | source() | case.js:15:8:15:24 | titleCase(source) |
+| case.js:2:16:2:23 | source() | case.js:18:8:18:23 | titleize(source) |
+| case.js:2:16:2:23 | source() | case.js:21:8:21:26 | secondCamel(source) |
+| case.js:2:16:2:23 | source() | case.js:24:8:24:25 | decamelize(source) |
 | closure.js:6:15:6:22 | source() | closure.js:8:8:8:31 | string. ... (taint) |
 | closure.js:6:15:6:22 | source() | closure.js:9:8:9:25 | string.trim(taint) |
 | closure.js:6:15:6:22 | source() | closure.js:10:8:10:33 | string. ... nt, 50) |

javascript/ql/test/library-tests/TaintTracking/case.js

@@ -0,0 +1,25 @@
+function foo() {
+  let source = source();
+  
+  const changeCase = require("change-case");
+  sink(changeCase.camelCase(source)); // NOT OK
+
+  import { camelCase } from "camel-case";
+  sink(camelCase(source)); // NOT OK
+
+  var kebabCase = require("kebab-case");
+  sink(kebabCase(source)); // NOT OK
+  sink(kebabCase.reverse(source)); // NOT OK
+
+  import { titleCase } from "title-case";
+  sink(titleCase(source)); // NOT OK
+
+  import titleize from 'titleize';
+  sink(titleize(source)); // NOT OK
+
+  const secondCamel = require('camelcase');
+  sink(secondCamel(source)); // NOT OK
+
+  const decamelize = require('decamelize');
+  sink(decamelize(source)); // NOT OK
+}