|
| 1 | +.. specifying-additional-remote-flow-sources-for-javascript: |
| 2 | +
|
| 3 | +Specifying additional remote flow sources for JavaScript |
| 4 | +======================================================== |
| 5 | + |
| 6 | +As mentioned in the :doc:`Data flow cheat sheet for JavaScript <data-flow-cheat-sheet-for-javascript>`, the CodeQL libraries for JavaScript |
| 7 | +provide a class `RemoteFlowSource <https://codeql.github.com/codeql-standard-libraries/javascript/semmle/javascript/security/dataflow/RemoteFlowSources.qll/type.RemoteFlowSources$RemoteFlowSource.html>`__ to represent sources of untrusted user input, sometimes also referred to as `remote flow |
| 8 | +sources`. |
| 9 | + |
| 10 | +To model a new source of untrusted input, such as a previously unmodelled library API, you can |
| 11 | +define a subclass of ``RemoteFlowSource`` that covers all uses of that API. All standard analyses |
| 12 | +will then automatically pick up this new source of remote flow. |
| 13 | + |
| 14 | +However, this approach requires writing QL code and adding it to the standard library, which is not |
| 15 | +always easy to do. Instead, you can also add a JSON file describing custom sources of untrusted |
| 16 | +input to your code base and have it picked up without needing to modify the standard library. This |
| 17 | +JSON file can be hand-written or generated by another tool, but note that these customizations |
| 18 | +are specific to the code base containing the JSON file. To use them in other code bases, you need |
| 19 | +to copy over the JSON file. |
| 20 | + |
| 21 | +Specification format |
| 22 | +-------------------- |
| 23 | + |
| 24 | +The JSON file must be called ``codeql-javascript-remote-flow-sources.json`` (case-sensitive) and |
| 25 | +can be located anywhere in your code base. It should consist of a single JSON object. The property |
| 26 | +names of this object are interpreted as `source types`. The values they map to should be arrays of |
| 27 | +strings. Each string should be of the form ``window.props``, where ``props`` is a sequence of one |
| 28 | +or more property names separated by dots, specifying that any value reachable from the global window |
| 29 | +object by this sequence of property names should be considered as untrusted user input of the |
| 30 | +associated source type. |
| 31 | + |
| 32 | +Example |
| 33 | +------- |
| 34 | + |
| 35 | +As an example, consider the following specification: |
| 36 | + |
| 37 | +.. code-block:: json |
| 38 | +
|
| 39 | + { |
| 40 | + "user input": [ "window.user.name", "window.user.address", "window.dob" ] |
| 41 | + } |
| 42 | +
|
| 43 | +It declares that the contents of global variable ``dob``, as well as the contents of properties |
| 44 | +``name`` and ``address`` of global variable ``user``, should be considered as remote flow sources, |
| 45 | +with source type "user input". |
0 commit comments