JavaScript: Model taint propagation through new Buffer and Buffer.from.

Author: Max Schaefer

javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll

@@ -297,7 +297,22 @@ module NodeJSLib {
     override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
       pred = tainted and succ = this
     }
+  }
+
+  /**
+   * A model of taint propagation through `new Buffer` and `Buffer.from`.
+   */
+  private class BufferTaintStep extends TaintTracking::AdditionalTaintStep, DataFlow::InvokeNode {
+    BufferTaintStep() {
+      this = DataFlow::globalVarRef("Buffer").getAnInstantiation()
+      or
+      this = DataFlow::globalVarRef("Buffer").getAMemberInvocation("from")
+    }
 
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      pred = getArgument(0) and
+      succ = this
+    }
   }
 
   /**

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -23,3 +23,5 @@
 | tst.js:2:13:2:20 | source() | tst.js:41:14:41:16 | ary |
 | tst.js:2:13:2:20 | source() | tst.js:44:10:44:30 | innocen ... ) => x) |
 | tst.js:2:13:2:20 | source() | tst.js:45:10:45:24 | x.map(x2 => x2) |
+| tst.js:2:13:2:20 | source() | tst.js:47:10:47:30 | Buffer. ...  'hex') |
+| tst.js:2:13:2:20 | source() | tst.js:48:10:48:22 | new Buffer(x) |

javascript/ql/test/library-tests/TaintTracking/tst.js

@@ -44,4 +44,6 @@ function test() {
     sink(innocent.map(() => x)); // NOT OK
     sink(x.map(x2 => x2)); // NOT OK
 
+    sink(Buffer.from(x, 'hex')); // NOT OK
+    sink(new Buffer(x));         // NOT OK
 }