function-call-from-module

No tags

No CWE or CVE

Ast Rule: function call

// Function to check that a module with name moduleName is imported into variable variableName
function isModuleImported(node, variableName, moduleName) {
  // Get all the assignments and check to get an assignment like
  // const variableName = require("moduleName");
  const n = node.context.assignments.filter(a => a.left && a.left.astType === "string" && a.left.value === variableName);
  if(n && n.length > 0 ){
    const call = n[0].right;
    if(call.astType === "functioncall" && call.arguments && call.arguments.values && call.arguments.values.length > 0) {
      const arg = call.arguments.values[0].value;

      if(arg.astType === "string" && (arg.value === `"${moduleName}"` || arg.value === `'${moduleName}'`)) {
        return true;
      }
    }
  }
  return false;
}
                        

// main entrypoint
function visit(node) {  
  const functionName = node.functionName;

  // the function name called is a member that has a parent and a name.
  // Ideally, the name is toJson and the parent is a variable that imports 
  // the "xml2json" module.
  if(functionName && functionName.astType === "member" && functionName.name.value === "toJson"){
    if(functionName.parent && functionName.parent.astType === "string") {
      const parentName = functionName.parent.value;

      const isUsingModule = isModuleImported(node, parentName, "xml2json");
      if(isUsingModule) {
        const error = buildError(node.functionName.start.line, node.functionName.start.col, node.functionName.end.line, node.functionName.end.col, "unsafe deserialization", "CRITICAL", "SAFETY");
        addError(error);
      }
    }



  }
}

xml2json-use.js

Expected test result: has error

function test1(body) {
  const xml2json = require('xml2json')
  const result = xml2json.toJson(body, { object: true, arrayNotation: true })
  return result
}

Add comment

Be the first one to leave a comment!