JS: Port PostMessageStar

asgerf · asgerf · commit 2400af4bc3ed · 2023-10-13T13:15:05.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PostMessageStarQuery.qll
@@ -11,7 +11,7 @@ import javascript
 import PostMessageStarCustomizations::PostMessageStar
 
 // Materialize flow labels
-private class ConcretePartiallyTaintedObject extends PartiallyTaintedObject {
+deprecated private class ConcretePartiallyTaintedObject extends PartiallyTaintedObject {
   ConcretePartiallyTaintedObject() { this = this }
 }
 
@@ -26,7 +26,27 @@ private class ConcretePartiallyTaintedObject extends PartiallyTaintedObject {
  * Additional sources or sinks can be added either by extending the relevant class, or by subclassing
  * this configuration itself, and amending the sources and sinks.
  */
-class Configuration extends TaintTracking::Configuration {
+module PostMessageStarConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet contents) {
+    isSink(node) and contents = DataFlow::ContentSet::anyProperty()
+  }
+}
+
+/**
+ * A taint tracking configuration for cross-window communication with unrestricted origin.
+ */
+module PostMessageStarFlow = TaintTracking::Global<PostMessageStarConfig>;
+
+/**
+ * DEPRECATED. Use the `PostMessageStarFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "PostMessageStar" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
diff --git a/javascript/ql/src/Security/CWE-201/PostMessageStar.ql b/javascript/ql/src/Security/CWE-201/PostMessageStar.ql
@@ -15,9 +15,9 @@
 
 import javascript
 import semmle.javascript.security.dataflow.PostMessageStarQuery
-import DataFlow::PathGraph
+import PostMessageStarFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from PostMessageStarFlow::PathNode source, PostMessageStarFlow::PathNode sink
+where PostMessageStarFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "$@ is sent to another window without origin restriction.",
   source.getNode(), "Sensitive data"
diff --git a/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar.expected b/javascript/ql/test/query-tests/Security/CWE-201/PostMessageStar.expected
@@ -1,34 +1,22 @@
-nodes
-| PostMessageStar2.js:1:27:1:34 | password |
-| PostMessageStar2.js:1:27:1:34 | password |
-| PostMessageStar2.js:1:27:1:34 | password |
-| PostMessageStar2.js:4:7:4:15 | data |
-| PostMessageStar2.js:4:14:4:15 | {} |
-| PostMessageStar2.js:5:14:5:21 | password |
-| PostMessageStar2.js:5:14:5:21 | password |
-| PostMessageStar2.js:8:29:8:32 | data |
-| PostMessageStar2.js:8:29:8:32 | data |
-| PostMessageStar2.js:9:29:9:36 | data.foo |
-| PostMessageStar2.js:9:29:9:36 | data.foo |
-| PostMessageStar2.js:13:27:13:33 | authKey |
-| PostMessageStar2.js:13:27:13:33 | authKey |
-| PostMessageStar2.js:13:27:13:33 | authKey |
-| PostMessageStar.js:1:27:1:34 | userName |
-| PostMessageStar.js:1:27:1:34 | userName |
-| PostMessageStar.js:1:27:1:34 | userName |
 edges
-| PostMessageStar2.js:1:27:1:34 | password | PostMessageStar2.js:1:27:1:34 | password |
-| PostMessageStar2.js:4:7:4:15 | data | PostMessageStar2.js:8:29:8:32 | data |
-| PostMessageStar2.js:4:7:4:15 | data | PostMessageStar2.js:8:29:8:32 | data |
-| PostMessageStar2.js:4:14:4:15 | {} | PostMessageStar2.js:4:7:4:15 | data |
-| PostMessageStar2.js:5:14:5:21 | password | PostMessageStar2.js:4:14:4:15 | {} |
-| PostMessageStar2.js:5:14:5:21 | password | PostMessageStar2.js:4:14:4:15 | {} |
-| PostMessageStar2.js:5:14:5:21 | password | PostMessageStar2.js:9:29:9:36 | data.foo |
-| PostMessageStar2.js:5:14:5:21 | password | PostMessageStar2.js:9:29:9:36 | data.foo |
-| PostMessageStar2.js:5:14:5:21 | password | PostMessageStar2.js:9:29:9:36 | data.foo |
-| PostMessageStar2.js:5:14:5:21 | password | PostMessageStar2.js:9:29:9:36 | data.foo |
-| PostMessageStar2.js:13:27:13:33 | authKey | PostMessageStar2.js:13:27:13:33 | authKey |
-| PostMessageStar.js:1:27:1:34 | userName | PostMessageStar.js:1:27:1:34 | userName |
+| PostMessageStar2.js:4:7:4:15 | data [foo] | PostMessageStar2.js:8:29:8:32 | data [foo] |
+| PostMessageStar2.js:4:7:4:15 | data [foo] | PostMessageStar2.js:9:29:9:32 | data [foo] |
+| PostMessageStar2.js:5:3:5:6 | [post update] data [foo] | PostMessageStar2.js:4:7:4:15 | data [foo] |
+| PostMessageStar2.js:5:14:5:21 | password | PostMessageStar2.js:5:3:5:6 | [post update] data [foo] |
+| PostMessageStar2.js:8:29:8:32 | data [foo] | PostMessageStar2.js:8:29:8:32 | data |
+| PostMessageStar2.js:9:29:9:32 | data [foo] | PostMessageStar2.js:9:29:9:36 | data.foo |
+nodes
+| PostMessageStar2.js:1:27:1:34 | password | semmle.label | password |
+| PostMessageStar2.js:4:7:4:15 | data [foo] | semmle.label | data [foo] |
+| PostMessageStar2.js:5:3:5:6 | [post update] data [foo] | semmle.label | [post update] data [foo] |
+| PostMessageStar2.js:5:14:5:21 | password | semmle.label | password |
+| PostMessageStar2.js:8:29:8:32 | data | semmle.label | data |
+| PostMessageStar2.js:8:29:8:32 | data [foo] | semmle.label | data [foo] |
+| PostMessageStar2.js:9:29:9:32 | data [foo] | semmle.label | data [foo] |
+| PostMessageStar2.js:9:29:9:36 | data.foo | semmle.label | data.foo |
+| PostMessageStar2.js:13:27:13:33 | authKey | semmle.label | authKey |
+| PostMessageStar.js:1:27:1:34 | userName | semmle.label | userName |
+subpaths
 #select
 | PostMessageStar2.js:1:27:1:34 | password | PostMessageStar2.js:1:27:1:34 | password | PostMessageStar2.js:1:27:1:34 | password | $@ is sent to another window without origin restriction. | PostMessageStar2.js:1:27:1:34 | password | Sensitive data |
 | PostMessageStar2.js:8:29:8:32 | data | PostMessageStar2.js:5:14:5:21 | password | PostMessageStar2.js:8:29:8:32 | data | $@ is sent to another window without origin restriction. | PostMessageStar2.js:5:14:5:21 | password | Sensitive data |
