JS: Port CleartextStorage

asgerf · asgerf · commit 40d68cb4dc9b · 2023-10-13T13:15:04.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll
@@ -19,7 +19,20 @@ import CleartextStorageCustomizations::CleartextStorage
  * added either by extending the relevant class, or by subclassing this configuration itself,
  * and amending the sources and sinks.
  */
-class Configuration extends TaintTracking::Configuration {
+module ClearTextStorageConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+module ClearTextStorageFlow = TaintTracking::Global<ClearTextStorageConfig>;
+
+/**
+ * DEPRECATED. Use the `ClearTextStorageFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "ClearTextStorage" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
diff --git a/javascript/ql/src/Security/CWE-312/CleartextStorage.ql b/javascript/ql/src/Security/CWE-312/CleartextStorage.ql
@@ -15,9 +15,9 @@
 
 import javascript
 import semmle.javascript.security.dataflow.CleartextStorageQuery
-import DataFlow::PathGraph
+import ClearTextStorageFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from ClearTextStorageFlow::PathNode source, ClearTextStorageFlow::PathNode sink
+where ClearTextStorageFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This stores sensitive data returned by $@ as clear text.",
   source.getNode(), source.getNode().(Source).describe()
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/CleartextStorage.expected b/javascript/ql/test/query-tests/Security/CWE-312/CleartextStorage.expected
@@ -1,57 +1,26 @@
-nodes
-| CleartextStorage2.js:5:7:5:58 | pw |
-| CleartextStorage2.js:5:12:5:58 | url.par ... assword |
-| CleartextStorage2.js:5:12:5:58 | url.par ... assword |
-| CleartextStorage2.js:7:19:7:34 | 'password=' + pw |
-| CleartextStorage2.js:7:19:7:34 | 'password=' + pw |
-| CleartextStorage2.js:7:33:7:34 | pw |
-| CleartextStorage.js:5:7:5:40 | pw |
-| CleartextStorage.js:5:12:5:40 | req.par ... sword") |
-| CleartextStorage.js:5:12:5:40 | req.par ... sword") |
-| CleartextStorage.js:7:26:7:27 | pw |
-| CleartextStorage.js:7:26:7:27 | pw |
-| tst-angularjs.js:3:32:3:45 | data1.password |
-| tst-angularjs.js:3:32:3:45 | data1.password |
-| tst-angularjs.js:3:32:3:45 | data1.password |
-| tst-angularjs.js:4:33:4:46 | data2.password |
-| tst-angularjs.js:4:33:4:46 | data2.password |
-| tst-angularjs.js:4:33:4:46 | data2.password |
-| tst-angularjs.js:5:27:5:40 | data3.password |
-| tst-angularjs.js:5:27:5:40 | data3.password |
-| tst-angularjs.js:5:27:5:40 | data3.password |
-| tst-angularjs.js:6:33:6:46 | data4.password |
-| tst-angularjs.js:6:33:6:46 | data4.password |
-| tst-angularjs.js:6:33:6:46 | data4.password |
-| tst-webstorage.js:1:18:1:30 | data.password |
-| tst-webstorage.js:1:18:1:30 | data.password |
-| tst-webstorage.js:1:18:1:30 | data.password |
-| tst-webstorage.js:2:27:2:39 | data.password |
-| tst-webstorage.js:2:27:2:39 | data.password |
-| tst-webstorage.js:2:27:2:39 | data.password |
-| tst-webstorage.js:3:20:3:32 | data.password |
-| tst-webstorage.js:3:20:3:32 | data.password |
-| tst-webstorage.js:3:20:3:32 | data.password |
-| tst-webstorage.js:4:29:4:41 | data.password |
-| tst-webstorage.js:4:29:4:41 | data.password |
-| tst-webstorage.js:4:29:4:41 | data.password |
 edges
 | CleartextStorage2.js:5:7:5:58 | pw | CleartextStorage2.js:7:33:7:34 | pw |
 | CleartextStorage2.js:5:12:5:58 | url.par ... assword | CleartextStorage2.js:5:7:5:58 | pw |
-| CleartextStorage2.js:5:12:5:58 | url.par ... assword | CleartextStorage2.js:5:7:5:58 | pw |
-| CleartextStorage2.js:7:33:7:34 | pw | CleartextStorage2.js:7:19:7:34 | 'password=' + pw |
 | CleartextStorage2.js:7:33:7:34 | pw | CleartextStorage2.js:7:19:7:34 | 'password=' + pw |
 | CleartextStorage.js:5:7:5:40 | pw | CleartextStorage.js:7:26:7:27 | pw |
-| CleartextStorage.js:5:7:5:40 | pw | CleartextStorage.js:7:26:7:27 | pw |
-| CleartextStorage.js:5:12:5:40 | req.par ... sword") | CleartextStorage.js:5:7:5:40 | pw |
 | CleartextStorage.js:5:12:5:40 | req.par ... sword") | CleartextStorage.js:5:7:5:40 | pw |
-| tst-angularjs.js:3:32:3:45 | data1.password | tst-angularjs.js:3:32:3:45 | data1.password |
-| tst-angularjs.js:4:33:4:46 | data2.password | tst-angularjs.js:4:33:4:46 | data2.password |
-| tst-angularjs.js:5:27:5:40 | data3.password | tst-angularjs.js:5:27:5:40 | data3.password |
-| tst-angularjs.js:6:33:6:46 | data4.password | tst-angularjs.js:6:33:6:46 | data4.password |
-| tst-webstorage.js:1:18:1:30 | data.password | tst-webstorage.js:1:18:1:30 | data.password |
-| tst-webstorage.js:2:27:2:39 | data.password | tst-webstorage.js:2:27:2:39 | data.password |
-| tst-webstorage.js:3:20:3:32 | data.password | tst-webstorage.js:3:20:3:32 | data.password |
-| tst-webstorage.js:4:29:4:41 | data.password | tst-webstorage.js:4:29:4:41 | data.password |
+nodes
+| CleartextStorage2.js:5:7:5:58 | pw | semmle.label | pw |
+| CleartextStorage2.js:5:12:5:58 | url.par ... assword | semmle.label | url.par ... assword |
+| CleartextStorage2.js:7:19:7:34 | 'password=' + pw | semmle.label | 'password=' + pw |
+| CleartextStorage2.js:7:33:7:34 | pw | semmle.label | pw |
+| CleartextStorage.js:5:7:5:40 | pw | semmle.label | pw |
+| CleartextStorage.js:5:12:5:40 | req.par ... sword") | semmle.label | req.par ... sword") |
+| CleartextStorage.js:7:26:7:27 | pw | semmle.label | pw |
+| tst-angularjs.js:3:32:3:45 | data1.password | semmle.label | data1.password |
+| tst-angularjs.js:4:33:4:46 | data2.password | semmle.label | data2.password |
+| tst-angularjs.js:5:27:5:40 | data3.password | semmle.label | data3.password |
+| tst-angularjs.js:6:33:6:46 | data4.password | semmle.label | data4.password |
+| tst-webstorage.js:1:18:1:30 | data.password | semmle.label | data.password |
+| tst-webstorage.js:2:27:2:39 | data.password | semmle.label | data.password |
+| tst-webstorage.js:3:20:3:32 | data.password | semmle.label | data.password |
+| tst-webstorage.js:4:29:4:41 | data.password | semmle.label | data.password |
+subpaths
 #select
 | CleartextStorage2.js:7:19:7:34 | 'password=' + pw | CleartextStorage2.js:5:12:5:58 | url.par ... assword | CleartextStorage2.js:7:19:7:34 | 'password=' + pw | This stores sensitive data returned by $@ as clear text. | CleartextStorage2.js:5:12:5:58 | url.par ... assword | an access to current_password |
 | CleartextStorage.js:7:26:7:27 | pw | CleartextStorage.js:5:12:5:40 | req.par ... sword") | CleartextStorage.js:7:26:7:27 | pw | This stores sensitive data returned by $@ as clear text. | CleartextStorage.js:5:12:5:40 | req.par ... sword") | a call to param |
