xploitscan-shared-rules 1.8.1 → 1.9.0

package/dist/index.js

@@ -329,8 +329,69 @@ var TAINTED_REQUEST_OBJECTS = /* @__PURE__ */ new Set([
   "event"
   // Lambda
 ]);
+var FS_READ_METHODS = /* @__PURE__ */ new Set(["readFile", "readFileSync"]);
+var PARSE_OBJECTS = /* @__PURE__ */ new Set([
+  "JSON",
+  "csv",
+  "papa",
+  "Papa",
+  "yaml",
+  "YAML",
+  "toml",
+  "qs",
+  "querystring"
+]);
+var PARSE_BARE = /* @__PURE__ */ new Set(["parse", "parseSync"]);
+var ARRAY_ELEMENT_METHODS = /* @__PURE__ */ new Set([
+  "map",
+  "filter",
+  "forEach",
+  "find",
+  "findIndex",
+  "flatMap",
+  "some",
+  "every"
+]);
+var ARRAY_REDUCE_METHODS = /* @__PURE__ */ new Set(["reduce", "reduceRight"]);
+function callPreservesTaint(node, rec) {
+  const callee = node.callee;
+  const anyArgTainted = () => node.arguments.some((a) => a.type !== "SpreadElement" && rec(a));
+  if (callee.type === "MemberExpression" && callee.property.type === "Identifier") {
+    const pname = callee.property.name;
+    if (FS_READ_METHODS.has(pname)) return anyArgTainted();
+    if (pname === "parse" || pname === "parseSync") {
+      const obj = callee.object;
+      if (obj.type === "Identifier" && PARSE_OBJECTS.has(obj.name)) return anyArgTainted();
+    }
+  }
+  if (callee.type === "Identifier") {
+    if (FS_READ_METHODS.has(callee.name)) return anyArgTainted();
+    if (PARSE_BARE.has(callee.name)) return anyArgTainted();
+  }
+  return false;
+}
 function buildTaintMap(parsed) {
   const tainted = /* @__PURE__ */ new Set();
+  function markPatternTainted(target) {
+    if (target.type === "Identifier") {
+      tainted.add(target.name);
+    } else if (target.type === "ObjectPattern") {
+      for (const prop of target.properties) {
+        if (prop.type === "ObjectProperty" && prop.value.type === "Identifier") {
+          tainted.add(prop.value.name);
+        } else if (prop.type === "RestElement" && prop.argument.type === "Identifier") {
+          tainted.add(prop.argument.name);
+        }
+      }
+    } else if (target.type === "ArrayPattern") {
+      for (const el of target.elements) {
+        if (el && el.type === "Identifier") tainted.add(el.name);
+        else if (el && el.type === "RestElement" && el.argument.type === "Identifier") {
+          tainted.add(el.argument.name);
+        }
+      }
+    }
+  }
   function reachesRequestIdent(node) {
     if (!node) return false;
     if (node.type === "Identifier") return TAINTED_REQUEST_OBJECTS.has(node.name);
@@ -401,6 +462,7 @@ function buildTaintMap(parsed) {
     }
     if (node.type === "CallExpression") {
       if (nodeIsTaintedSource(node)) return true;
+      if (callPreservesTaint(node, exprIsTainted)) return true;
       if (node.callee.type === "MemberExpression") {
         if (exprIsTainted(node.callee.object)) return true;
         const obj = node.callee.object;
@@ -421,6 +483,16 @@ function buildTaintMap(parsed) {
     if (node.type === "AwaitExpression") {
       return exprIsTainted(node.argument);
     }
+    if (node.type === "ArrayExpression") {
+      return node.elements.some(
+        (el) => el != null && el.type === "SpreadElement" && exprIsTainted(el.argument)
+      );
+    }
+    if (node.type === "ObjectExpression") {
+      return node.properties.some(
+        (p) => p.type === "SpreadElement" && exprIsTainted(p.argument)
+      );
+    }
     return false;
   }
   traverse(parsed.ast, {
@@ -455,6 +527,32 @@ function buildTaintMap(parsed) {
       if (exprIsTainted(node.right)) {
         tainted.add(node.left.name);
       }
+    },
+    // for (const row of <tainted>) → row tainted (and destructured names).
+    ForOfStatement(path) {
+      const node = path.node;
+      if (node.type !== "ForOfStatement") return;
+      if (!exprIsTainted(node.right)) return;
+      const decl = node.left;
+      const target = decl.type === "VariableDeclaration" && decl.declarations[0] ? decl.declarations[0].id : decl;
+      markPatternTainted(target);
+    },
+    // Array-iteration element taint: <tainted>.map((row) => …) marks `row`
+    // tainted inside the callback. Gated on the receiver already being
+    // tainted, so this never originates taint.
+    CallExpression(path) {
+      const node = path.node;
+      if (node.type !== "CallExpression") return;
+      const callee = node.callee;
+      if (callee.type !== "MemberExpression" || callee.property.type !== "Identifier") return;
+      const method = callee.property.name;
+      const isReduce = ARRAY_REDUCE_METHODS.has(method);
+      if (!ARRAY_ELEMENT_METHODS.has(method) && !isReduce) return;
+      if (!exprIsTainted(callee.object)) return;
+      const cb = node.arguments[0];
+      if (!cb || cb.type !== "ArrowFunctionExpression" && cb.type !== "FunctionExpression") return;
+      const elemParam = cb.params[isReduce ? 1 : 0];
+      if (elemParam) markPatternTainted(elemParam);
     }
   });
   const isTainted = (node) => {
@@ -480,6 +578,7 @@ function buildTaintMap(parsed) {
       return isTainted(node.object);
     }
     if (node.type === "CallExpression") {
+      if (callPreservesTaint(node, isTainted)) return true;
       if (node.callee.type === "MemberExpression") {
         if (isTainted(node.callee.object)) return true;
         const obj = node.callee.object;
@@ -497,6 +596,16 @@ function buildTaintMap(parsed) {
         }
       }
     }
+    if (node.type === "ArrayExpression") {
+      return node.elements.some(
+        (el) => el != null && el.type === "SpreadElement" && isTainted(el.argument)
+      );
+    }
+    if (node.type === "ObjectExpression") {
+      return node.properties.some(
+        (p) => p.type === "SpreadElement" && isTainted(p.argument)
+      );
+    }
     return false;
   };
   return {