JS: Move FlowState definition into CommonFlowState
Needed for migrating the XSS query
1 parent 3cf14d8 commit 114d4a1

4 files changed

Lines changed: 64 additions & 54 deletions


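--- /dev/null
+++ b/javascript/ql/lib/semmle/javascript/security/CommonFlowState.qll
@@ -0,0 +1,61 @@
+/**
+ * Contains a class with flow states that are used by multiple queries.
+ */
+
+private import javascript
+private import TaintedUrlSuffixCustomizations
+
+private newtype TFlowState =
+  TTaint() or
+  TTaintedUrlSuffix() or
+
+/**
+ * A flow state indicating which part of a value is tainted.
+ */
+class FlowState extends TFlowState {
+  /**
+   * Holds if this represents a value that is considered entirely tainted, except the first character
+   * might not be user-controlled.
+   */
+  predicate isTaint() { this = TTaint() }
+
+  /**
+   * Holds if this represents a URL whose fragment and/or query parts are considered tainted.
+   */
+  predicate isTaintedUrlSuffix() { this = TTaintedUrlSuffix() }
+
+  /** Gets a string representation of this flow state. */
+  string toString() {
+    this.isTaint() and result = "taint"
+    or
+    this.isTaintedUrlSuffix() and result = "tainted-url-suffix"
+    or
+    this.isTaintedPrefix() and result = "tainted-prefix"
+  }
+
+  /** DEPRECATED. Gets the corresponding flow label. */
+  deprecated DataFlow::FlowLabel toFlowLabel() {
+    this.isTaint() and result.isTaint()
+    or
+    this.isTaintedUrlSuffix() and result = TaintedUrlSuffix::label()
+    or
+    this.isTaintedPrefix() and result = "PrefixString"
+  }
+}
+
+/** Convenience predicates for working with common flow states. */
+module FlowState {
+  /**
+   * Gets the flow state representing a value that is considered entirely tainted, except the first character
+   * might not be user-controlled.
+   */
+  FlowState taint() { result.isTaint() }
+
+  /**
+   * Gets the flow state representing a URL whose fragment and/or query parts are considered tainted.
+   */
+  FlowState taintedUrlSuffix() { result.isTaintedUrlSuffix() }
+
+  /** DEPRECATED. Gets the flow state corresponding to `label`. */
+  deprecated FlowState fromFlowLabel(DataFlow::FlowLabel label) { result.toFlowLabel() = label }
+}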
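Review bot: The new file does not compile as written: new line 10 `TTaintedUrlSuffix() or` leaves a dangling `or` in the `TFlowState` newtype, and both `toString` (line 33) and `toFlowLabel` (line 42) call `this.isTaintedPrefix()`, which is declared nowhere in this file. Either the third state has to land in this commit — `TTaintedPrefix()` as the final newtype branch plus `predicate isTaintedPrefix() { this = TTaintedPrefix() }` with a doc comment — or the two `isTaintedPrefix()` disjuncts should be removed until it does, because every query that now imports CommonFlowState (the client-side URL redirect query included) stops running while the shared library is broken. In `toFlowLabel` the suffix branch goes through `TaintedUrlSuffix::label()` while the prefix branch compares the label to the bare literal `"PrefixString"`; the removed code used `result instanceof TaintedUrlSuffixLabel`, and `label()` is not visible anywhere in this commit, so confirm it exists in TaintedUrlSuffixCustomizations and consider a named accessor for the prefix label as well rather than a magic string. Note also that `isTaint`'s doc now says the first character may not be user-controlled, which widens what the shared `taint` state promises compared with the removed definition ("entirely tainted"); if that is intentional, the class-level comment should say so explicitly, since this state is now consumed by several queries.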

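--- a/javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffixCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffixCustomizations.qll
@@ -12,56 +12,7 @@ private import semmle.javascript.dataflow.internal.DataFlowPrivate as DataFlowPr
  */
 module TaintedUrlSuffix {
   private import DataFlow
-
-  private newtype TFlowState =
-    TTaint() or
-    TTaintedUrlSuffix()
-
-  /**
-   * A flow state with two values, `taint` and `tainted-url-suffix`.
-   *
-   * The `tainted-url-suffix` state represents a URL with a tainted query and fragment part,
-   * which we collectively refer to as the "suffix" of the URL.
-   *
-   * The `taint` state corresponds to ordinary taint.
-   */
-  class FlowState extends TFlowState {
-    /**
-     * Holds if this represents a value that is considered entirely tainted.
-     */
-    predicate isTaint() { this = TTaint() }
-
-    /**
-     * Holds if this represents a URL whose fragment and/or query parts are considered tainted.
-     */
-    predicate isTaintedUrlSuffix() { this = TTaintedUrlSuffix() }
-
-    /** Gets a string representation of this flow state. */
-    string toString() {
-      this.isTaint() and result = "taint"
-      or
-      this.isTaintedUrlSuffix() and result = "tainted-url-suffix"
-    }
-
-    /** DEPRECATED. Gets the corresponding flow label. */
-    deprecated DataFlow::FlowLabel toFlowLabel() {
-      this.isTaint() and result.isTaint()
-      or
-      this.isTaintedUrlSuffix() and result instanceof TaintedUrlSuffixLabel
-    }
-  }
-
-  /** Convenience predicates for working with flow states. */
-  module FlowState {
-    /** Gets the `taint` flow state. */
-    FlowState taint() { result.isTaint() }
-
-    /** Gets the `tainted-url-suffix` flow state. */
-    FlowState taintedUrlSuffix() { result.isTaintedUrlSuffix() }
-
-    /** DEPRECATED. Gets the flow state correpsonding to `label`. */
-    deprecated FlowState fromFlowLabel(DataFlow::FlowLabel label) { result.toFlowLabel() = label }
-  }
+  import CommonFlowState
 
   /**
    * The flow label representing a URL with a tainted query and fragment part.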
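Review bot: The `import CommonFlowState` at new line 15 is public, so `TaintedUrlSuffix::FlowState` (both the class and the module) keeps resolving for existing callers, but nothing on the line says that re-export is the intent; a comment such as `// Re-exported so that TaintedUrlSuffix::FlowState keeps working for existing callers` would spare the next reader a lookup. The removed class comment explained the terminology — the "suffix" being the URL's tainted query and fragment parts — and that explanation is not carried over into the shared file's terser doc, so it should be restored there. CommonFlowState privately imports this file while this module now imports CommonFlowState; QL tolerates the import cycle as far as I know, but it is worth confirming, and the remaining `private import DataFlow` at line 14 may now be unused within this module (the rest of the module is outside the hunk).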

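--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -8,9 +8,7 @@ import javascript
 private import semmle.javascript.security.TaintedUrlSuffixCustomizations
 
 module ClientSideUrlRedirect {
-  class FlowState = TaintedUrlSuffix::FlowState;
-
-  module FlowState = TaintedUrlSuffix::FlowState;
+  import semmle.javascript.security.CommonFlowState
 
   /**
    * A data flow source for unvalidated URL redirect vulnerabilities.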
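Review bot: Replacing the two aliases with a public `import semmle.javascript.security.CommonFlowState` at new line 11 re-exports every public member of CommonFlowState from `ClientSideUrlRedirect`, which is equivalent for callers only while the `FlowState` class and module are its only public members; any later public addition there silently becomes part of this module's API. The narrower form keeps the surface fixed: `private import semmle.javascript.security.CommonFlowState as Common`, `class FlowState = Common::FlowState;`, `module FlowState = Common::FlowState;`. The same applies to the import inside `ClientSideUrlRedirectConfig` in ClientSideUrlRedirectQuery.qll. With the `TaintedUrlSuffix::` aliases gone, the `private import semmle.javascript.security.TaintedUrlSuffixCustomizations` at line 8 may be unused in this file, but the rest of the module is outside the hunk.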

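--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
@@ -21,7 +21,7 @@ deprecated private class ConcreteDocumentUrl extends DocumentUrl {
  * A taint-tracking configuration for reasoning about unvalidated URL redirections.
  */
 module ClientSideUrlRedirectConfig implements DataFlow::StateConfigSig {
-  class FlowState = TaintedUrlSuffix::FlowState;
+  import semmle.javascript.security.CommonFlowState
 
   predicate isSource(DataFlow::Node source, FlowState state) {
     source.(Source).getAFlowState() = state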
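Review bot: The `FlowState` member required by `DataFlow::StateConfigSig` is now supplied by the public `import semmle.javascript.security.CommonFlowState` at new line 24 instead of a class declared in the module body; if the QL compiler accepts an imported class as satisfying a signature member this is equivalent, but it is worth confirming the configuration still instantiates, since a failure here silently disables the redirect query rather than producing false results. `isSource` at lines 26–27 still equates `state` with `source.(Source).getAFlowState()`, whose return type is declared in ClientSideUrlRedirectCustomizations outside this hunk; the comparison only type-checks if that declaration now resolves to the same shared class, which holds as long as `ClientSideUrlRedirect::FlowState` is the re-exported CommonFlowState class. The enclosing module body continues past the hunk.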
