use the Query.qll pattern

erik-krogh · erik-krogh · commit 688b2b689801 · 2022-04-12T15:52:52.000+02:00
diff --git a/javascript/ql/src/Security/CWE-770/ResourceExhaustion.ql b/javascript/ql/src/Security/CWE-770/ResourceExhaustion.ql
@@ -12,7 +12,7 @@
 
 import javascript
 import DataFlow::PathGraph
-import experimental.semmle.javascript.security.dataflow.ResourceExhaustion::ResourceExhaustion
+import experimental.semmle.javascript.security.dataflow.ResourceExhaustionQuery
 
 from Configuration dataflow, DataFlow::PathNode source, DataFlow::PathNode sink
 where dataflow.hasFlowPath(source, sink)
diff --git a/javascript/ql/src/experimental/semmle/javascript/security/dataflow/ResourceExhaustion.qll b/javascript/ql/src/experimental/semmle/javascript/security/dataflow/ResourceExhaustion.qll
diff --git a/javascript/ql/src/experimental/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll b/javascript/ql/src/experimental/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll
@@ -0,0 +1,72 @@
+/**
+ * Provides a taint tracking configuration for reasoning about
+ * resource exhaustion vulnerabilities (CWE-770).
+ *
+ * Note, for performance reasons: only import this file if
+ * `ResourceExhaustion::Configuration` is needed, otherwise
+ * `ResourceExhaustionCustomizations` should be imported instead.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.LoopBoundInjectionCustomizations
+import ResourceExhaustionCustomizations::ResourceExhaustion
+
+/**
+ * A data flow configuration for resource exhaustion vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "ResourceExhaustion" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    super.isSanitizer(node) or
+    node instanceof Sanitizer
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node dst) {
+    isNumericFlowStep(src, dst)
+    or
+    // reuse most existing taint steps
+    isRestrictedAdditionalTaintStep(src, dst)
+  }
+
+  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+    guard instanceof LoopBoundInjection::LengthCheckSanitizerGuard or
+    guard instanceof UpperBoundsCheckSanitizerGuard
+  }
+}
+
+predicate isRestrictedAdditionalTaintStep(DataFlow::Node src, DataFlow::Node dst) {
+  TaintTracking::sharedTaintStep(src, dst) and
+  not dst.asExpr() instanceof AddExpr and
+  not dst.(DataFlow::MethodCallNode).calls(src, "toString")
+}
+
+/**
+ * Holds if data may flow from `src` to `dst` as a number.
+ */
+predicate isNumericFlowStep(DataFlow::Node src, DataFlow::Node dst) {
+  // steps that introduce or preserve a number
+  dst.(DataFlow::PropRead).accesses(src, ["length", "size"])
+  or
+  exists(DataFlow::CallNode c |
+    c = dst and
+    src = c.getAnArgument()
+  |
+    c = DataFlow::globalVarRef("Math").getAMemberCall(_) or
+    c = DataFlow::globalVarRef(["Number", "parseInt", "parseFloat"]).getACall()
+  )
+  or
+  exists(Expr dstExpr, Expr srcExpr |
+    dstExpr = dst.asExpr() and
+    srcExpr = src.asExpr()
+  |
+    dstExpr.(BinaryExpr).getAnOperand() = srcExpr and
+    not dstExpr instanceof AddExpr
+    or
+    dstExpr.(PlusExpr).getOperand() = srcExpr
+  )
+}
