Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 5d27cd9

Browse files
asgerfasgerf
committed
JS: Move Source def into customizations lib
1 parent d916118 commit 5d27cd9

4 files changed

Lines changed: 51 additions & 24 deletions

File tree

javascript/ql/src/semmle/javascript/security/TaintedObject.qll

Lines changed: 5 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -16,22 +16,16 @@
1616
import javascript
1717
private import semmle.javascript.dataflow.InferredTypes
1818

19+
/** Provides classes and predicates for reasoning about deeply tainted objects. */
1920
module TaintedObject {
2021
private import DataFlow
22+
import TaintedObjectCustomizations::TaintedObject
2123

22-
private class TaintedObjectLabel extends FlowLabel {
23-
TaintedObjectLabel() { this = "tainted-object" }
24+
// Materialize flow labels
25+
private class ConcreteTaintedObjectLabel extends TaintedObjectLabel {
26+
ConcreteTaintedObjectLabel() { this = this }
2427
}
2528

26-
/**
27-
* Gets the flow label representing a deeply tainted object.
28-
*
29-
* A "tainted object" is an array or object whose property values are all assumed to be tainted as well.
30-
*
31-
* Note that the presence of the this label generally implies the presence of the `taint` label as well.
32-
*/
33-
FlowLabel label() { result instanceof TaintedObjectLabel }
34-
3529
/**
3630
* Holds for the flows steps that are relevant for tracking user-controlled JSON objects.
3731
*/
@@ -79,11 +73,6 @@ module TaintedObject {
7973
*/
8074
predicate isSource(Node source, FlowLabel label) { source instanceof Source and label = label() }
8175

82-
/**
83-
* A source of a user-controlled deep object.
84-
*/
85-
abstract class Source extends DataFlow::Node { }
86-
8776
/** Request input accesses as a JSON source. */
8877
private class RequestInputAsSource extends Source {
8978
RequestInputAsSource() { this.(HTTP::RequestInputAccess).isUserControlledObject() }

javascript/ql/src/semmle/javascript/security/TaintedObjectCustomizations.qll

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
/**
2+
* Provides access to the "tainted object" flow label defined in `TaintedObject.qll`, without
3+
* materializing that flow label.
4+
*/
5+
6+
import javascript
7+
8+
/** Provides classes and predicates for reasoning about deeply tainted objects. */
9+
module TaintedObject {
10+
/** A flow label representing a deeply tainted object. */
11+
abstract class TaintedObjectLabel extends DataFlow::FlowLabel {
12+
TaintedObjectLabel() { this = "tainted-object" }
13+
}
14+
15+
/**
16+
* Gets the flow label representing a deeply tainted object.
17+
*
18+
* A "tainted object" is an array or object whose property values are all assumed to be tainted as well.
19+
*
20+
* Note that the presence of the this label generally implies the presence of the `taint` label as well.
21+
*/
22+
DataFlow::FlowLabel label() { result instanceof TaintedObjectLabel }
23+
24+
/**
25+
* A source of a user-controlled deep object.
26+
*/
27+
abstract class Source extends DataFlow::Node { }
28+
}

javascript/ql/src/semmle/javascript/security/dataflow/DeepObjectResourceExhaustion.qll

Lines changed: 1 addition & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -21,13 +21,7 @@ module DeepObjectResourceExhaustion {
2121
Configuration() { this = "DeepObjectResourceExhaustion" }
2222

2323
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
24-
source instanceof Source and label = TaintedObject::label()
25-
or
26-
// We currently can't expose the TaintedObject label in the Customizations library
27-
// so just add its default sources here.
28-
source instanceof TaintedObject::Source and label = TaintedObject::label()
29-
or
30-
source instanceof RemoteFlowSource and label.isTaint()
24+
source.(Source).getAFlowLabel() = label
3125
}
3226

3327
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {

javascript/ql/src/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionCustomizations.qll

Lines changed: 17 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@
44
*/
55

66
import javascript
7+
private import semmle.javascript.security.TaintedObjectCustomizations
78

89
/**
910
* Provides sources, sinks and sanitizers for reasoning about
@@ -13,7 +14,22 @@ module DeepObjectResourceExhaustion {
1314
/**
1415
* A data flow source for slow input validation.
1516
*/
16-
abstract class Source extends DataFlow::Node { }
17+
abstract class Source extends DataFlow::Node {
18+
/** Gets a flow label to associate with this source. */
19+
DataFlow::FlowLabel getAFlowLabel() { result = TaintedObject::label() }
20+
}
21+
22+
private class TaintedObjectSourceAsSource extends Source {
23+
TaintedObjectSourceAsSource() { this instanceof TaintedObject::Source }
24+
25+
override DataFlow::FlowLabel getAFlowLabel() { result = TaintedObject::label() }
26+
}
27+
28+
private class RemoteFlowSourceAsSource extends Source {
29+
RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
30+
31+
override DataFlow::FlowLabel getAFlowLabel() { result.isTaint() }
32+
}
1733

1834
/**
1935
* A data flow sink for slow input validation.

0 commit comments

Comments
 (0)