

Commit 449ec72

committed
JS: Port experimental queries
1 parent aa5a283 commit 449ec72

16 files changed

Lines changed: 133 additions & 194 deletions


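--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/TaintedPathATM.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/TaintedPathATM.qll
@@ -53,11 +53,17 @@ class TaintedPathAtmConfig extends AtmConfig {
 */
 private class BarrierGuardNodeAsSanitizerGuardNode extends TaintTracking::LabeledSanitizerGuardNode instanceof TaintedPath::BarrierGuardNode
 {
-override predicate sanitizes(boolean outcome, Expr e) {
+override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+
+predicate blocksExpr(boolean outcome, Expr e) {
 this.blocks(outcome, e) or this.blocks(outcome, e, _)
 }
 
-override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel lbl) {
+this.blocksExpr(outcome, e, lbl)
+}
+
+predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
 this.sanitizes(outcome, e) and exists(label)
 }
 }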
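Review bot: `blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label)` at new line 66 is still implemented as `this.sanitizes(outcome, e) and exists(label)`, so the label-aware barrier goes through the legacy `sanitizes` entry point, which this commit reduces to a forwarder to `blocksExpr/2`; since `blocksExpr` is now the primary definition, `this.blocksExpr(outcome, e) and exists(label)` states the dependency directly and keeps the class working if `sanitizes` is later removed. The parameter is named `lbl` in the `sanitizes/3` override but `label` in `blocksExpr/3` four lines below, which reads as accidental; one name for both would be clearer. Neither new `blocksExpr` predicate has a QLDoc comment; something like `/** Holds if this guard blocks expression e when its test evaluates to outcome. */` on each would make its relationship to `sanitizes` explicit. The same undocumented `sanitizes`/`blocksExpr` pair is introduced in `XssThroughDomATM.qll` and in the `TernaryOperatorSanitizerGuard`, `IntegerCheck` and `ValidatorCheck` hunks of `SSRF.qll`.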

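--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssThroughDomATM.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssThroughDomATM.qll
@@ -59,7 +59,9 @@ class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNo
 )
 }
 
-override predicate sanitizes(boolean outcome, Expr e) {
+override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+
+predicate blocksExpr(boolean outcome, Expr e) {
 polarity = outcome and
 e = operand
 }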

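--- a/javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
+++ b/javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
@@ -14,7 +14,6 @@
 
 import javascript
 import DataFlow
-import DataFlow::PathGraph
 
 class PredictableResultSource extends DataFlow::Node {
 PredictableResultSource() {
@@ -38,14 +37,16 @@ class TokenAssignmentValueSink extends DataFlow::Node {
 }
 }
 
-class TokenBuiltFromUuidConfig extends TaintTracking::Configuration {
-TokenBuiltFromUuidConfig() { this = "TokenBuiltFromUuidConfig" }
+module TokenBuiltFromUuidConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource }
 
-override predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource }
-
-override predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink }
+predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, TokenBuiltFromUuidConfig config
-where config.hasFlowPath(source, sink)
+module TokenBuiltFromUuidFlow = TaintTracking::Global<TokenBuiltFromUuidConfig>;
+
+import TokenBuiltFromUuidFlow::PathGraph
+
+from TokenBuiltFromUuidFlow::PathNode source, TokenBuiltFromUuidFlow::PathNode sink
+where TokenBuiltFromUuidFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Token built from $@.", source.getNode(), "predictable value"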
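Review bot: `module TokenBuiltFromUuidConfig implements DataFlow::ConfigSig` at new line 40 and `module TokenBuiltFromUuidFlow` at new line 46 carry no QLDoc, so the query's only configuration stays undocumented after the port; the old class had none either, which makes this the natural moment to add it. A one-liner such as `/** A taint-tracking configuration from a PredictableResultSource to a TokenAssignmentValueSink. */` above the config module, and `/** Taint-tracking flow for TokenBuiltFromUuidConfig. */` above the flow module, is enough. The `from`/`where`/`select` is complete within this hunk.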

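--- a/javascript/ql/src/experimental/Security/CWE-918/SSRF.ql
+++ b/javascript/ql/src/experimental/Security/CWE-918/SSRF.ql
@@ -12,9 +12,9 @@
 
 import javascript
 import SSRF
-import DataFlow::PathGraph
+import SsrfFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node request
+from SsrfFlow::PathNode source, SsrfFlow::PathNode sink, DataFlow::Node request
 where
-cfg.hasFlowPath(source, sink) and request = sink.getNode().(RequestForgery::Sink).getARequest()
+SsrfFlow::flowPath(source, sink) and request = sink.getNode().(RequestForgery::Sink).getARequest()
 select sink, source, sink, "The URL of this request depends on a user-provided value."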
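Review bot: `select sink, source, sink, ...` on line 20 uses the `SsrfFlow::PathNode` `sink` as the alert element, while every other query ported in this commit selects `sink.getNode()`; the `request` bound on new line 19 only constrains the sink and never reaches the message even though the text refers to "this request". A consistent form that also links the request would be `select sink.getNode(), source, sink, "The URL of this $@ depends on a user-provided value.", request, "request"`; if the expected-output files were recorded against the PathNode element they would need regenerating, so this can be a follow-up. The `from`/`where`/`select` is complete within this hunk.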

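--- a/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll
+++ b/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll
@@ -2,42 +2,48 @@ import javascript
 import semmle.javascript.security.dataflow.RequestForgeryCustomizations
 import semmle.javascript.security.dataflow.UrlConcatenation
 
-class Configuration extends TaintTracking::Configuration {
-Configuration() { this = "SSRF" }
-
-override predicate isSource(DataFlow::Node source) { source instanceof RequestForgery::Source }
+module SsrfConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof RequestForgery::Source }
 
-override predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgery::Sink }
+predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgery::Sink }
 
-override predicate isSanitizer(DataFlow::Node node) {
-super.isSanitizer(node) or
-node instanceof RequestForgery::Sanitizer
+predicate isBarrier(DataFlow::Node node) {
+node instanceof RequestForgery::Sanitizer or node = Guards::getABarrierNode()
 }
 
 private predicate hasSanitizingSubstring(DataFlow::Node nd) {
 nd.getStringValue().regexpMatch(".*[?#].*")
 or
-this.hasSanitizingSubstring(StringConcatenation::getAnOperand(nd))
+hasSanitizingSubstring(StringConcatenation::getAnOperand(nd))
 or
-this.hasSanitizingSubstring(nd.getAPredecessor())
+hasSanitizingSubstring(nd.getAPredecessor())
 }
 
 private predicate strictSanitizingPrefixEdge(DataFlow::Node source, DataFlow::Node sink) {
 exists(DataFlow::Node operator, int n |
 StringConcatenation::taintStep(source, sink, operator, n) and
-this.hasSanitizingSubstring(StringConcatenation::getOperand(operator, [0 .. n - 1]))
+hasSanitizingSubstring(StringConcatenation::getOperand(operator, [0 .. n - 1]))
 )
 }
 
-override predicate isSanitizerOut(DataFlow::Node node) {
-this.strictSanitizingPrefixEdge(node, _)
-}
+predicate isBarrierOut(DataFlow::Node node) { strictSanitizingPrefixEdge(node, _) }
 
-override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode nd) {
+private predicate isBarrierGuard(DataFlow::BarrierGuardNode nd) {
 nd instanceof IntegerCheck or
 nd instanceof ValidatorCheck or
 nd instanceof TernaryOperatorSanitizerGuard
 }
+
+private module Guards = DataFlow::MakeLegacyBarrierGuard<isBarrierGuard/1>;
+}
+
+module SsrfFlow = TaintTracking::Global<SsrfConfig>;
+
+/**
+* DEPRECATED. Use the `SsrfFlow` module instead.
+*/
+deprecated class Configuration extends TaintTracking::Configuration {
+Configuration() { this = "SSRF" }
 }
 
 /**
@@ -104,7 +110,9 @@ class TernaryOperatorSanitizerGuard extends TaintTracking::SanitizerGuardNode {
 not this.asExpr() instanceof LogicalBinaryExpr
 }
 
-override predicate sanitizes(boolean outcome, Expr e) {
+override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+
+predicate blocksExpr(boolean outcome, Expr e) {
 not this.asExpr() instanceof LogNotExpr and
 originalGuard.sanitizes(outcome, e)
 or
@@ -126,7 +134,9 @@ class TernaryOperatorSanitizerGuard extends TaintTracking::SanitizerGuardNode {
 class IntegerCheck extends TaintTracking::SanitizerGuardNode, DataFlow::CallNode {
 IntegerCheck() { this = DataFlow::globalVarRef("Number").getAMemberCall("isInteger") }
 
-override predicate sanitizes(boolean outcome, Expr e) {
+override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+
+predicate blocksExpr(boolean outcome, Expr e) {
 outcome = true and
 e = this.getArgument(0).asExpr()
 }
@@ -149,7 +159,9 @@ class ValidatorCheck extends TaintTracking::SanitizerGuardNode, DataFlow::CallNo
 )
 }
 
-override predicate sanitizes(boolean outcome, Expr e) {
+override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+
+predicate blocksExpr(boolean outcome, Expr e) {
 outcome = true and
 e = this.getArgument(0).asExpr()
 }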
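Review bot: The `deprecated class Configuration` at new lines 45-46 of the first hunk keeps only its characteristic predicate, so it now has no sources, sinks or sanitizers and any query that still instantiates it silently finds nothing; either keep its predicates delegating to the new module, e.g. `override predicate isSource(DataFlow::Node source) { SsrfConfig::isSource(source) }` and likewise for `isSink`, or state in its QLDoc that it is a non-functional placeholder. Separately, the removed `isSanitizer` included `super.isSanitizer(node)`, whereas the new `isBarrier` at new line 10 lists only `RequestForgery::Sanitizer` and `Guards::getABarrierNode()`; if `TaintTracking::Global` does not apply the default taint sanitizers on its own, this port quietly widens what counts as tainted, and a one-line comment on `isBarrier` recording which is the case would make that reviewable. The `private predicate isBarrierGuard` / `MakeLegacyBarrierGuard` pair at new lines 31-37 is also worth a comment explaining that it adapts the `blocksExpr` guards to the barrier API, since nothing in the file says so. The class definitions touched by the later three hunks begin and end outside those hunks.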

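--- a/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-094/CodeInjection.ql
+++ b/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-094/CodeInjection.ql
@@ -17,10 +17,10 @@
 
 import javascript
 import semmle.javascript.security.dataflow.CodeInjectionQuery
-import DataFlow::PathGraph
+import CodeInjectionFlow::PathGraph
 import semmle.javascript.heuristics.AdditionalSources
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
+where CodeInjectionFlow::flowPath(source, sink) and source.getNode() instanceof HeuristicSource
 select sink.getNode(), source, sink, sink.getNode().(Sink).getMessagePrefix() + " depends on a $@.",
 source.getNode(), "user-provided value"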

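--- a/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-134/TaintedFormatString.ql
+++ b/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-134/TaintedFormatString.ql
@@ -13,10 +13,11 @@
 
 import javascript
 import semmle.javascript.security.dataflow.TaintedFormatStringQuery
-import DataFlow::PathGraph
+import TaintedFormatStringFlow::PathGraph
 import semmle.javascript.heuristics.AdditionalSources
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
+from TaintedFormatStringFlow::PathNode source, TaintedFormatStringFlow::PathNode sink
+where
+TaintedFormatStringFlow::flowPath(source, sink) and source.getNode() instanceof HeuristicSource
 select sink.getNode(), source, sink, "Format string depends on a $@.", source.getNode(),
 "user-provided value"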

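--- a/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
+++ b/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
@@ -15,11 +15,12 @@
 
 import javascript
 import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentialsQuery
-import DataFlow::PathGraph
 import semmle.javascript.heuristics.AdditionalSources
+import CorsMisconfigurationFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
+from CorsMisconfigurationFlow::PathNode source, CorsMisconfigurationFlow::PathNode sink
+where
+CorsMisconfigurationFlow::flowPath(source, sink) and source.getNode() instanceof HeuristicSource
 select sink.getNode(), source, sink, "$@ leak vulnerability due to a $@.",
 sink.getNode().(Sink).getCredentialsHeader(), "Credential", source.getNode(),
 "misconfigured CORS header value"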
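Review bot: The new `import CorsMisconfigurationFlow::PathGraph` is placed after `import semmle.javascript.heuristics.AdditionalSources` (new line 19), whereas the removed `import DataFlow::PathGraph` sat before it and the four sibling heuristic queries in this commit (CodeInjection, TaintedFormatString, RemotePropertyInjection, UnsafeDeserialization) keep the PathGraph import in its original position. Unless the formatter requires this order, moving the line back up to line 18 keeps the five files uniform. Import order does not change what the query computes, so this is style only.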

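--- a/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-400/RemotePropertyInjection.ql
+++ b/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-400/RemotePropertyInjection.ql
@@ -15,10 +15,12 @@
 
 import javascript
 import semmle.javascript.security.dataflow.RemotePropertyInjectionQuery
-import DataFlow::PathGraph
+import RemotePropertyInjectionFlow::PathGraph
 import semmle.javascript.heuristics.AdditionalSources
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
+from RemotePropertyInjectionFlow::PathNode source, RemotePropertyInjectionFlow::PathNode sink
+where
+RemotePropertyInjectionFlow::flowPath(source, sink) and
+source.getNode() instanceof HeuristicSource
 select sink.getNode(), source, sink, sink.getNode().(Sink).getMessage() + " depends on a $@.",
 source.getNode(), "user-provided value"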

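--- a/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-502/UnsafeDeserialization.ql
+++ b/javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-502/UnsafeDeserialization.ql
@@ -14,10 +14,11 @@
 
 import javascript
 import semmle.javascript.security.dataflow.UnsafeDeserializationQuery
-import DataFlow::PathGraph
+import UnsafeDeserializationFlow::PathGraph
 import semmle.javascript.heuristics.AdditionalSources
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
+from UnsafeDeserializationFlow::PathNode source, UnsafeDeserializationFlow::PathNode sink
+where
+UnsafeDeserializationFlow::flowPath(source, sink) and source.getNode() instanceof HeuristicSource
 select sink.getNode(), source, sink, "Unsafe deserialization depends on a $@.", source.getNode(),
 "user-provided value"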
