refactor CleartextLogging to allow for reuse

erik-krogh · erik-krogh · commit 896a9b05f678 · 2020-06-09T15:03:07.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLogging.qll b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLogging.qll
@@ -35,23 +35,11 @@ module CleartextLogging {
     override predicate isSanitizer(DataFlow::Node node) { node instanceof Barrier }
 
     override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
-      succ.(DataFlow::PropRead).getBase() = pred
+      CleartextLogging::isSanitizerEdge(pred, succ)
     }
 
     override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
-      // A taint propagating data flow edge through objects: a tainted write taints the entire object.
-      exists(DataFlow::PropWrite write |
-        write.getRhs() = src and
-        trg.(DataFlow::SourceNode).flowsTo(write.getBase())
-      )
-      or
-      // Taint through the arguments object.
-      exists(DataFlow::CallNode call, Function f |
-        src = call.getAnArgument() and
-        f = call.getACallee() and
-        not call.isImprecise() and
-        trg.asExpr() = f.getArgumentsVariable().getAnAccess()
-      )
+      CleartextLogging::isAdditionalTaintStep(src, trg)
     }
   }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -189,4 +189,30 @@ module CleartextLogging {
   class PartiallySensitiveMap extends DataFlow::FlowLabel {
     PartiallySensitiveMap() { this = "PartiallySensitiveMap" }
   }
+
+  /**
+   * Holds if the edge `pred` -> `succ` should be sanitized for clear-text logging of sensitive information.
+   */
+  predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
+    succ.(DataFlow::PropRead).getBase() = pred
+  }
+
+  /**
+   * Holds if the edge `src` -> `trg` is an additional taint-step for clear-text logging of sensitive information.
+   */
+  predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
+    // A taint propagating data flow edge through objects: a tainted write taints the entire object.
+    exists(DataFlow::PropWrite write |
+      write.getRhs() = src and
+      trg.(DataFlow::SourceNode).flowsTo(write.getBase())
+    )
+    or
+    // Taint through the arguments object.
+    exists(DataFlow::CallNode call, Function f |
+      src = call.getAnArgument() and
+      f = call.getACallee() and
+      not call.isImprecise() and
+      trg.asExpr() = f.getArgumentsVariable().getAnAccess()
+    )
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -35,23 +35,11 @@ module CleartextLogging {`
`35`	`35`	`override predicate isSanitizer(DataFlow::Node node) { node instanceof Barrier }`
`36`	`36`
`37`	`37`	`override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {`
`38`		`- succ.(DataFlow::PropRead).getBase() = pred`
	`38`	`+ CleartextLogging::isSanitizerEdge(pred, succ)`
`39`	`39`	`}`
`40`	`40`
`41`	`41`	`override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {`
`42`		`- // A taint propagating data flow edge through objects: a tainted write taints the entire object.`
`43`		`- exists(DataFlow::PropWrite write \|`
`44`		`- write.getRhs() = src and`
`45`		`- trg.(DataFlow::SourceNode).flowsTo(write.getBase())`
`46`		`- )`
`47`		`- or`
`48`		`- // Taint through the arguments object.`
`49`		`- exists(DataFlow::CallNode call, Function f \|`
`50`		`- src = call.getAnArgument() and`
`51`		`- f = call.getACallee() and`
`52`		`- not call.isImprecise() and`
`53`		`- trg.asExpr() = f.getArgumentsVariable().getAnAccess()`
`54`		`- )`
	`42`	`+ CleartextLogging::isAdditionalTaintStep(src, trg)`
`55`	`43`	`}`
`56`	`44`	`}`
`57`	`45`	`}`