JS: Port HostHeaderPoisoningInEmailGeneration

asgerf · asgerf · commit 8715c1b324d0 · 2023-10-13T13:15:05.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll
@@ -6,9 +6,28 @@
 import javascript
 
 /**
- * A taint tracking configuration for host header poisoning in email generation.
+ * A taint tracking configuration for host header poisoning.
  */
-class Configuration extends TaintTracking::Configuration {
+module HostHeaderPoisoningConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    exists(Http::RequestHeaderAccess input | node = input |
+      input.getKind() = "header" and
+      input.getAHeaderName() = "host"
+    )
+  }
+
+  predicate isSink(DataFlow::Node node) { exists(EmailSender email | node = email.getABody()) }
+}
+
+/**
+ * Taint tracking configuration host header poisoning.
+ */
+module HostHeaderPoisoningFlow = TaintTracking::Global<HostHeaderPoisoningConfig>;
+
+/**
+ * DEPRECATED. Use the `HostHeaderPoisoningFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "TaintedHostHeader" }
 
   override predicate isSource(DataFlow::Node node) {
diff --git a/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql b/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
@@ -13,9 +13,9 @@
 
 import javascript
 import semmle.javascript.security.dataflow.HostHeaderPoisoningInEmailGenerationQuery
-import DataFlow::PathGraph
+import HostHeaderPoisoningFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from HostHeaderPoisoningFlow::PathNode source, HostHeaderPoisoningFlow::PathNode sink
+where HostHeaderPoisoningFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Links in this email can be hijacked by poisoning the $@.",
   source.getNode(), "HTTP host header"
diff --git a/javascript/ql/test/query-tests/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.expected b/javascript/ql/test/query-tests/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.expected
@@ -1,21 +1,12 @@
-nodes
-| tst.js:17:11:17:113 | `Hi, lo ... token}` |
-| tst.js:17:11:17:113 | `Hi, lo ... token}` |
-| tst.js:17:84:17:91 | req.host |
-| tst.js:17:84:17:91 | req.host |
-| tst.js:18:11:18:127 | `Hi, lo ... reset.` |
-| tst.js:18:11:18:127 | `Hi, lo ... reset.` |
-| tst.js:18:78:18:85 | req.host |
-| tst.js:18:78:18:85 | req.host |
 edges
 | tst.js:17:84:17:91 | req.host | tst.js:17:11:17:113 | `Hi, lo ... token}` |
-| tst.js:17:84:17:91 | req.host | tst.js:17:11:17:113 | `Hi, lo ... token}` |
-| tst.js:17:84:17:91 | req.host | tst.js:17:11:17:113 | `Hi, lo ... token}` |
-| tst.js:17:84:17:91 | req.host | tst.js:17:11:17:113 | `Hi, lo ... token}` |
-| tst.js:18:78:18:85 | req.host | tst.js:18:11:18:127 | `Hi, lo ... reset.` |
-| tst.js:18:78:18:85 | req.host | tst.js:18:11:18:127 | `Hi, lo ... reset.` |
-| tst.js:18:78:18:85 | req.host | tst.js:18:11:18:127 | `Hi, lo ... reset.` |
 | tst.js:18:78:18:85 | req.host | tst.js:18:11:18:127 | `Hi, lo ... reset.` |
+nodes
+| tst.js:17:11:17:113 | `Hi, lo ... token}` | semmle.label | `Hi, lo ... token}` |
+| tst.js:17:84:17:91 | req.host | semmle.label | req.host |
+| tst.js:18:11:18:127 | `Hi, lo ... reset.` | semmle.label | `Hi, lo ... reset.` |
+| tst.js:18:78:18:85 | req.host | semmle.label | req.host |
+subpaths
 #select
 | tst.js:17:11:17:113 | `Hi, lo ... token}` | tst.js:17:84:17:91 | req.host | tst.js:17:11:17:113 | `Hi, lo ... token}` | Links in this email can be hijacked by poisoning the $@. | tst.js:17:84:17:91 | req.host | HTTP host header |
 | tst.js:18:11:18:127 | `Hi, lo ... reset.` | tst.js:18:78:18:85 | req.host | tst.js:18:11:18:127 | `Hi, lo ... reset.` | Links in this email can be hijacked by poisoning the $@. | tst.js:18:78:18:85 | req.host | HTTP host header |
