

Commit 48c0949

Max Schaefer
Merge pull request #1036 from asger-semmle/hide-implicit-ssa-defs
JS: Omit uninteresting nodes from path explanations
2 parents 420b14b + 50a77ea commit 48c0949

14 files changed

Lines changed: 117 additions & 48 deletions


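--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -881,14 +881,29 @@ class PathNode extends TPathNode {
 /** Gets the summary of the path underlying this path node. */
 PathSummary getPathSummary() { result = summary }
 
-/** Gets a successor node of this path node. */
-PathNode getASuccessor() {
+/**
+* Gets a successor node of this path node, including hidden nodes.
+*/
+private PathNode getASuccessorInternal() {
 exists(DataFlow::Node succ, PathSummary newSummary |
 flowStep(nd, id(cfg), succ, newSummary) and
 result = MkPathNode(succ, id(cfg), summary.append(newSummary))
 )
 }
 
+/**
+* Gets a successor of this path node, if it is a hidden node.
+*/
+private PathNode getAHiddenSuccessor() {
+isHidden() and
+result = getASuccessorInternal()
+}
+
+/** Gets a successor node of this path node. */
+PathNode getASuccessor() {
+result = getASuccessorInternal().getAHiddenSuccessor*()
+}
+
 /** Gets a textual representation of this path node. */
 string toString() { result = nd.toString() }
 
@@ -904,6 +919,19 @@ class PathNode extends TPathNode {
 ) {
 nd.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
 }
+
+/**
+* Holds if this node is hidden from paths in path explanation queries, except
+* in cases where it is the source or sink.
+*/
+predicate isHidden() {
+// Skip phi, refinement, and capture nodes
+nd.(DataFlow::SsaDefinitionNode).getSsaVariable().getDefinition() instanceof SsaImplicitDefinition
+or
+// Skip to the top of big left-leaning string concatenation trees.
+nd = any(AddExpr add).flow() and
+nd = any(AddExpr add).getAnOperand().flow()
+}
 }
 
 /**
@@ -925,7 +953,11 @@ class SinkPathNode extends PathNode {
 */
 module PathGraph {
 /** Holds if `nd` is a node in the graph of data flow path explanations. */
-query predicate nodes(PathNode nd) { any() }
+query predicate nodes(PathNode nd) {
+not nd.isHidden() or
+nd instanceof SourcePathNode or
+nd instanceof SinkPathNode
+}
 
 /** Holds if `pred` → `succ` is an edge in the graph of data flow path explanations. */
 query predicate edges(PathNode pred, PathNode succ) { pred.getASuccessor() = succ }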
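Review bot: The new `nodes` predicate drops hidden path nodes, but `edges` (the unchanged last line of this hunk) still emits edges whose endpoint is a hidden intermediate node, because `getASuccessor()` includes the zero-step case of `getAHiddenSuccessor*()` and is also evaluated with a hidden node as `pred`. The updated TaintedPath.expected shows the effect: `TaintedPath.js:30:7:30:24 | path` is removed from `nodes` while the edges to and from it are kept as context lines. Whether a path-graph consumer tolerates edges between unlisted nodes I cannot tell from here, but making the two relations self-consistent is a one-line change: `query predicate edges(PathNode pred, PathNode succ) { nodes(pred) and nodes(succ) and pred.getASuccessor() = succ }`. Separately, the comment on the second `isHidden()` disjunct says "left-leaning", but `getAnOperand()` matches either operand, so any `AddExpr` nested inside another `AddExpr` is hidden regardless of side; `// Skip nested AddExpr operands so a concatenation tree is shown only by its root` describes the condition more accurately.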

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected

Lines changed: 36 additions & 8 deletions
@@ -17,14 +17,6 @@ nodes
1717
| TaintedPath.js:19:33:19:36 | path |
1818
| TaintedPath.js:23:33:23:36 | path |
1919
| TaintedPath.js:27:33:27:36 | path |
20-
| TaintedPath.js:30:7:30:24 | path |
21-
| TaintedPath.js:34:3:34:3 | path |
22-
| TaintedPath.js:34:7:34:24 | path |
23-
| TaintedPath.js:34:29:34:46 | path |
24-
| TaintedPath.js:38:3:38:3 | path |
25-
| TaintedPath.js:38:7:38:24 | path |
26-
| TaintedPath.js:38:29:38:46 | path |
27-
| TaintedPath.js:39:5:39:5 | path |
2820
| TaintedPath.js:39:31:39:34 | path |
2921
| TaintedPath.js:45:3:45:44 | path |
3022
| TaintedPath.js:45:10:45:33 | url.par ... , true) |
@@ -112,18 +104,54 @@ edges
112104
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path |
113105
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path |
114106
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path |
107+
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path |
108+
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path |
109+
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path |
110+
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path |
111+
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path |
112+
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path |
113+
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path |
114+
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path |
115115
| TaintedPath.js:9:14:9:37 | url.par ... , true) | TaintedPath.js:9:14:9:43 | url.par ... ).query |
116116
| TaintedPath.js:9:14:9:43 | url.par ... ).query | TaintedPath.js:9:14:9:48 | url.par ... ry.path |
117117
| TaintedPath.js:9:14:9:48 | url.par ... ry.path | TaintedPath.js:9:7:9:48 | path |
118118
| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) |
119119
| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path |
120120
| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path |
121+
| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path |
122+
| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path |
123+
| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path |
124+
| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path |
125+
| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path |
126+
| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path |
127+
| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path |
121128
| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path |
129+
| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path |
130+
| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path |
131+
| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path |
132+
| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path |
133+
| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path |
134+
| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path |
122135
| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path |
136+
| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path |
137+
| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path |
138+
| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path |
139+
| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path |
140+
| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path |
123141
| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path |
142+
| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path |
143+
| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path |
144+
| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path |
145+
| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path |
124146
| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path |
147+
| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path |
148+
| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path |
149+
| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path |
125150
| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path |
151+
| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path |
152+
| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path |
126153
| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path |
154+
| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path |
127155
| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path |
128156
| TaintedPath.js:45:3:45:44 | path | TaintedPath.js:47:49:47:52 | path |
129157
| TaintedPath.js:45:3:45:44 | path | TaintedPath.js:49:48:49:51 | path |

javascript/ql/test/query-tests/Security/CWE-078/CommandInjection.expected

Lines changed: 4 additions & 3 deletions
@@ -11,14 +11,12 @@ nodes
1111
| child_process-test.js:21:14:21:16 | cmd |
1212
| child_process-test.js:22:18:22:20 | cmd |
1313
| child_process-test.js:23:13:23:15 | cmd |
14-
| child_process-test.js:25:13:25:23 | "foo" + cmd |
1514
| child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" |
1615
| child_process-test.js:25:21:25:23 | cmd |
1716
| child_process-test.js:36:7:36:20 | sh |
1817
| child_process-test.js:36:12:36:20 | 'cmd.exe' |
1918
| child_process-test.js:38:7:38:20 | sh |
2019
| child_process-test.js:38:12:38:20 | '/bin/sh' |
21-
| child_process-test.js:39:5:39:5 | sh |
2220
| child_process-test.js:39:14:39:15 | sh |
2321
| child_process-test.js:39:18:39:30 | [ flag, cmd ] |
2422
| child_process-test.js:39:26:39:28 | cmd |
@@ -39,7 +37,6 @@ nodes
3937
| child_process-test.js:56:12:56:14 | cmd |
4038
| child_process-test.js:56:17:56:20 | args |
4139
| execSeries.js:3:20:3:22 | arr |
42-
| execSeries.js:5:4:5:3 | arr |
4340
| execSeries.js:6:14:6:16 | arr |
4441
| execSeries.js:6:14:6:21 | arr[i++] |
4542
| execSeries.js:13:19:13:26 | commands |
@@ -71,9 +68,12 @@ edges
7168
| child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:38 | url.par ... , true) |
7269
| child_process-test.js:25:13:25:23 | "foo" + cmd | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" |
7370
| child_process-test.js:25:21:25:23 | cmd | child_process-test.js:25:13:25:23 | "foo" + cmd |
71+
| child_process-test.js:25:21:25:23 | cmd | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" |
7472
| child_process-test.js:36:7:36:20 | sh | child_process-test.js:39:5:39:5 | sh |
73+
| child_process-test.js:36:7:36:20 | sh | child_process-test.js:39:14:39:15 | sh |
7574
| child_process-test.js:36:12:36:20 | 'cmd.exe' | child_process-test.js:36:7:36:20 | sh |
7675
| child_process-test.js:38:7:38:20 | sh | child_process-test.js:39:5:39:5 | sh |
76+
| child_process-test.js:38:7:38:20 | sh | child_process-test.js:39:14:39:15 | sh |
7777
| child_process-test.js:38:12:38:20 | '/bin/sh' | child_process-test.js:38:7:38:20 | sh |
7878
| child_process-test.js:39:5:39:5 | sh | child_process-test.js:39:14:39:15 | sh |
7979
| child_process-test.js:41:9:41:17 | args | child_process-test.js:44:30:44:33 | args |
@@ -86,6 +86,7 @@ edges
8686
| child_process-test.js:55:14:55:16 | cmd | child_process-test.js:56:12:56:14 | cmd |
8787
| child_process-test.js:55:19:55:22 | args | child_process-test.js:56:17:56:20 | args |
8888
| execSeries.js:3:20:3:22 | arr | execSeries.js:5:4:5:3 | arr |
89+
| execSeries.js:3:20:3:22 | arr | execSeries.js:6:14:6:16 | arr |
8990
| execSeries.js:5:4:5:3 | arr | execSeries.js:6:14:6:16 | arr |
9091
| execSeries.js:6:14:6:16 | arr | execSeries.js:6:14:6:21 | arr[i++] |
9192
| execSeries.js:6:14:6:21 | arr[i++] | execSeries.js:14:24:14:30 | command |

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected

Lines changed: 4 additions & 3 deletions
@@ -3,10 +3,7 @@ nodes
33
| ReflectedXss.js:8:33:8:45 | req.params.id |
44
| etherpad.js:9:5:9:53 | response |
55
| etherpad.js:9:16:9:30 | req.query.jsonp |
6-
| etherpad.js:9:16:9:36 | req.que ... p + "(" |
7-
| etherpad.js:9:16:9:47 | req.que ... esponse |
86
| etherpad.js:9:16:9:53 | req.que ... e + ")" |
9-
| etherpad.js:11:3:11:3 | response |
107
| etherpad.js:11:12:11:19 | response |
118
| formatting.js:4:9:4:29 | evil |
129
| formatting.js:4:16:4:29 | req.query.evil |
@@ -45,8 +42,12 @@ nodes
4542
edges
4643
| ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
4744
| etherpad.js:9:5:9:53 | response | etherpad.js:11:3:11:3 | response |
45+
| etherpad.js:9:5:9:53 | response | etherpad.js:11:12:11:19 | response |
4846
| etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:36 | req.que ... p + "(" |
47+
| etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:47 | req.que ... esponse |
48+
| etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:53 | req.que ... e + ")" |
4949
| etherpad.js:9:16:9:36 | req.que ... p + "(" | etherpad.js:9:16:9:47 | req.que ... esponse |
50+
| etherpad.js:9:16:9:36 | req.que ... p + "(" | etherpad.js:9:16:9:53 | req.que ... e + ")" |
5051
| etherpad.js:9:16:9:47 | req.que ... esponse | etherpad.js:9:16:9:53 | req.que ... e + ")" |
5152
| etherpad.js:9:16:9:53 | req.que ... e + ")" | etherpad.js:9:5:9:53 | response |
5253
| etherpad.js:11:3:11:3 | response | etherpad.js:11:12:11:19 | response |

javascript/ql/test/query-tests/Security/CWE-079/Xss.expected

Lines changed: 8 additions & 6 deletions
@@ -6,7 +6,6 @@ nodes
66
| jquery.js:2:17:2:33 | document.location |
77
| jquery.js:2:17:2:40 | documen ... .search |
88
| jquery.js:4:5:4:11 | tainted |
9-
| jquery.js:7:5:7:26 | "<div i ... tainted |
109
| jquery.js:7:5:7:34 | "<div i ... + "\\">" |
1110
| jquery.js:7:20:7:26 | tainted |
1211
| jquery.js:8:18:8:34 | "XSS: " + tainted |
@@ -54,12 +53,10 @@ nodes
5453
| tst.js:2:16:2:32 | document.location |
5554
| tst.js:2:16:2:39 | documen ... .search |
5655
| tst.js:5:18:5:23 | target |
57-
| tst.js:8:18:8:114 | "<OPTIO ... t=")+8) |
5856
| tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
5957
| tst.js:8:37:8:53 | document.location |
6058
| tst.js:8:37:8:58 | documen ... on.href |
6159
| tst.js:8:37:8:114 | documen ... t=")+8) |
62-
| tst.js:12:5:12:33 | '<div s ... target |
6360
| tst.js:12:5:12:42 | '<div s ... 'px">' |
6461
| tst.js:12:28:12:33 | target |
6562
| tst.js:19:25:19:41 | document.location |
@@ -100,7 +97,6 @@ nodes
10097
| tst.js:73:3:73:19 | document.location |
10198
| tst.js:73:3:73:26 | documen ... .search |
10299
| tst.js:73:46:73:46 | x |
103-
| tst.js:74:7:74:7 | x |
104100
| tst.js:76:20:76:20 | x |
105101
| tst.js:80:49:80:65 | document.location |
106102
| tst.js:80:49:80:72 | documen ... .search |
@@ -147,9 +143,7 @@ nodes
147143
| tst.js:194:19:194:42 | documen ... .search |
148144
| tst.js:196:67:196:73 | tainted |
149145
| tst.js:197:67:197:73 | tainted |
150-
| tst.js:200:20:200:19 | tainted |
151146
| tst.js:201:35:201:41 | tainted |
152-
| tst.js:203:27:203:26 | tainted |
153147
| tst.js:203:46:203:52 | tainted |
154148
| tst.js:204:38:204:44 | tainted |
155149
| tst.js:205:35:205:41 | tainted |
@@ -196,6 +190,7 @@ edges
196190
| jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
197191
| jquery.js:7:5:7:26 | "<div i ... tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
198192
| jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:26 | "<div i ... tainted |
193+
| jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
199194
| jquery.js:8:28:8:34 | tainted | jquery.js:8:18:8:34 | "XSS: " + tainted |
200195
| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
201196
| react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
@@ -232,8 +227,10 @@ edges
232227
| tst.js:8:37:8:53 | document.location | tst.js:8:37:8:58 | documen ... on.href |
233228
| tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) |
234229
| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:114 | "<OPTIO ... t=")+8) |
230+
| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
235231
| tst.js:12:5:12:33 | '<div s ... target | tst.js:12:5:12:42 | '<div s ... 'px">' |
236232
| tst.js:12:28:12:33 | target | tst.js:12:5:12:33 | '<div s ... target |
233+
| tst.js:12:28:12:33 | target | tst.js:12:5:12:42 | '<div s ... 'px">' |
237234
| tst.js:19:25:19:41 | document.location | tst.js:20:18:20:35 | params.get('name') |
238235
| tst.js:23:42:23:47 | target | tst.js:23:42:23:60 | target.substring(1) |
239236
| tst.js:23:42:23:60 | target.substring(1) | tst.js:24:18:24:41 | searchP ... 'name') |
@@ -263,6 +260,7 @@ edges
263260
| tst.js:73:3:73:19 | document.location | tst.js:73:3:73:26 | documen ... .search |
264261
| tst.js:73:3:73:26 | documen ... .search | tst.js:73:1:73:27 | [,docum ... search] |
265262
| tst.js:73:46:73:46 | x | tst.js:74:7:74:7 | x |
263+
| tst.js:73:46:73:46 | x | tst.js:76:20:76:20 | x |
266264
| tst.js:74:7:74:7 | x | tst.js:76:20:76:20 | x |
267265
| tst.js:80:49:80:65 | document.location | tst.js:80:49:80:72 | documen ... .search |
268266
| tst.js:84:26:84:42 | document.location | tst.js:84:26:84:49 | documen ... .search |
@@ -294,7 +292,11 @@ edges
294292
| tst.js:194:9:194:42 | tainted | tst.js:196:67:196:73 | tainted |
295293
| tst.js:194:9:194:42 | tainted | tst.js:197:67:197:73 | tainted |
296294
| tst.js:194:9:194:42 | tainted | tst.js:200:20:200:19 | tainted |
295+
| tst.js:194:9:194:42 | tainted | tst.js:201:35:201:41 | tainted |
297296
| tst.js:194:9:194:42 | tainted | tst.js:203:27:203:26 | tainted |
297+
| tst.js:194:9:194:42 | tainted | tst.js:203:46:203:52 | tainted |
298+
| tst.js:194:9:194:42 | tainted | tst.js:204:38:204:44 | tainted |
299+
| tst.js:194:9:194:42 | tainted | tst.js:205:35:205:41 | tainted |
298300
| tst.js:194:9:194:42 | tainted | tst.js:233:35:233:41 | tainted |
299301
| tst.js:194:9:194:42 | tainted | tst.js:235:20:235:26 | tainted |
300302
| tst.js:194:9:194:42 | tainted | tst.js:237:23:237:29 | tainted |
