
Commit 30f1fbc

committed
JS: Port CorsMisconfigurationForCredentials
1 parent f14303a commit 30f1fbc

3 files changed

Lines changed: 32 additions & 26 deletions


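--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
@@ -14,7 +14,26 @@ import CorsMisconfigurationForCredentialsCustomizations::CorsMisconfigurationFor
 /**
 * A data flow configuration for CORS misconfiguration for credentials transfer.
 */
-class Configuration extends TaintTracking::Configuration {
+module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+predicate isBarrier(DataFlow::Node node) {
+node instanceof Sanitizer or
+node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
+}
+}
+
+/**
+* Data flow for CORS misconfiguration for credentials transfer.
+*/
+module CorsMisconfigurationFlow = TaintTracking::Global<CorsMisconfigurationConfig>;
+
+/**
+* DEPRECATED. Use the `CorsMisconfigurationFlow` module instead.
+*/
+deprecated class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "CorsMisconfigurationForCredentials" }
 
 override predicate isSource(DataFlow::Node source) { source instanceof Source }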
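Review bot: `isBarrier` in `CorsMisconfigurationConfig` has no comment on its second disjunct, `TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()`, which is the part of the new config that can suppress an alert without any project-specific sanitizer being involved. As far as I know that sanitizer is a name-based heuristic over guard calls, so the predicate deserves a line such as `// Values guarded by an allowlist-style check are treated as safe; this stands in for the guard-based sanitizer of the deprecated Configuration.` The deprecated `Configuration` continues past the end of this hunk, so whether its sanitizer predicates agree with this barrier cannot be confirmed from here. If they remain separate copies, having the deprecated class delegate (for example `override predicate isSource(DataFlow::Node source) { CorsMisconfigurationConfig::isSource(source) }`) would keep the two from drifting. The updated `.expected` file shows only the flagged cases, so a test case whose origin value passes through such a check would also be worth confirming in `tst.js`.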

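--- a/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
+++ b/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
@@ -14,10 +14,10 @@
 
 import javascript
 import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentialsQuery
-import DataFlow::PathGraph
+import CorsMisconfigurationFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from CorsMisconfigurationFlow::PathNode source, CorsMisconfigurationFlow::PathNode sink
+where CorsMisconfigurationFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "$@ leak vulnerability due to a $@.",
 sink.getNode().(Sink).getCredentialsHeader(), "Credential", source.getNode(),
 "misconfigured CORS header value"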

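--- a/javascript/ql/test/query-tests/Security/CWE-346/CorsMisconfigurationForCredentials.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-346/CorsMisconfigurationForCredentials.expected
@@ -1,28 +1,15 @@
-nodes
-| tst.js:12:9:12:54 | origin |
-| tst.js:12:18:12:41 | url.par ... , true) |
-| tst.js:12:18:12:47 | url.par ... ).query |
-| tst.js:12:18:12:54 | url.par ... .origin |
-| tst.js:12:28:12:34 | req.url |
-| tst.js:12:28:12:34 | req.url |
-| tst.js:13:50:13:55 | origin |
-| tst.js:13:50:13:55 | origin |
-| tst.js:18:50:18:53 | null |
-| tst.js:18:50:18:53 | null |
-| tst.js:18:50:18:53 | null |
-| tst.js:23:50:23:55 | "null" |
-| tst.js:23:50:23:55 | "null" |
-| tst.js:23:50:23:55 | "null" |
 edges
 | tst.js:12:9:12:54 | origin | tst.js:13:50:13:55 | origin |
-| tst.js:12:9:12:54 | origin | tst.js:13:50:13:55 | origin |
-| tst.js:12:18:12:41 | url.par ... , true) | tst.js:12:18:12:47 | url.par ... ).query |
-| tst.js:12:18:12:47 | url.par ... ).query | tst.js:12:18:12:54 | url.par ... .origin |
-| tst.js:12:18:12:54 | url.par ... .origin | tst.js:12:9:12:54 | origin |
+| tst.js:12:18:12:41 | url.par ... , true) | tst.js:12:9:12:54 | origin |
 | tst.js:12:28:12:34 | req.url | tst.js:12:18:12:41 | url.par ... , true) |
-| tst.js:12:28:12:34 | req.url | tst.js:12:18:12:41 | url.par ... , true) |
-| tst.js:18:50:18:53 | null | tst.js:18:50:18:53 | null |
-| tst.js:23:50:23:55 | "null" | tst.js:23:50:23:55 | "null" |
+nodes
+| tst.js:12:9:12:54 | origin | semmle.label | origin |
+| tst.js:12:18:12:41 | url.par ... , true) | semmle.label | url.par ... , true) |
+| tst.js:12:28:12:34 | req.url | semmle.label | req.url |
+| tst.js:13:50:13:55 | origin | semmle.label | origin |
+| tst.js:18:50:18:53 | null | semmle.label | null |
+| tst.js:23:50:23:55 | "null" | semmle.label | "null" |
+subpaths
 #select
 | tst.js:13:50:13:55 | origin | tst.js:12:28:12:34 | req.url | tst.js:13:50:13:55 | origin | $@ leak vulnerability due to a $@. | tst.js:14:5:14:59 | res.set ... , true) | Credential | tst.js:12:28:12:34 | req.url | misconfigured CORS header value |
 | tst.js:18:50:18:53 | null | tst.js:18:50:18:53 | null | tst.js:18:50:18:53 | null | $@ leak vulnerability due to a $@. | tst.js:19:5:19:59 | res.set ... , true) | Credential | tst.js:18:50:18:53 | null | misconfigured CORS header value |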
