|
1 | 1 | /** |
2 | | - * Provides a flow label for reasoning about URLs with a tainted query and fragment part, |
| 2 | + * Provides a flow state for reasoning about URLs with a tainted query and fragment part, |
3 | 3 | * which we collectively refer to as the "suffix" of the URL. |
4 | 4 | */ |
5 | 5 |
|
6 | 6 | import javascript |
7 | 7 | private import semmle.javascript.dataflow.internal.DataFlowPrivate as DataFlowPrivate |
8 | 8 |
|
9 | 9 | /** |
10 | | - * Provides a flow label for reasoning about URLs with a tainted query and fragment part, |
| 10 | + * Provides a flow state for reasoning about URLs with a tainted query and fragment part, |
11 | 11 | * which we collectively refer to as the "suffix" of the URL. |
12 | 12 | */ |
13 | 13 | module TaintedUrlSuffix { |
14 | 14 | private import DataFlow |
15 | 15 |
|
| 16 | + private newtype TFlowState = |
| 17 | + TTaint() or |
| 18 | + TTaintedUrlSuffix() |
| 19 | + |
| 20 | + /** |
| 21 | + * A flow state with two values, `taint` and `tainted-url-suffix`. |
| 22 | + * |
| 23 | + * The `tainted-url-suffix` state represents a URL with a tainted query and fragment part, |
| 24 | + * which we collectively refer to as the "suffix" of the URL. |
| 25 | + * |
| 26 | + * The `taint` state corresponds to ordinary taint. |
| 27 | + */ |
| 28 | + class FlowState extends TFlowState { |
| 29 | + /** |
| 30 | + * Holds if this represents a value that is considered entirely tainted. |
| 31 | + */ |
| 32 | + predicate isTaint() { this = TTaint() } |
| 33 | + |
| 34 | + /** |
| 35 | + * Holds if this represents a URL whose fragment and/or query parts are considered tainted. |
| 36 | + */ |
| 37 | + predicate isTaintedUrlSuffix() { this = TTaintedUrlSuffix() } |
| 38 | + |
| 39 | + /** Gets a string representation of this flow state. */ |
| 40 | + string toString() { |
| 41 | + this.isTaint() and result = "taint" |
| 42 | + or |
| 43 | + this.isTaintedUrlSuffix() and result = "tainted-url-suffix" |
| 44 | + } |
| 45 | + |
| 46 | + /** DEPRECATED. Gets the corresponding flow label. */ |
| 47 | + deprecated DataFlow::FlowLabel toFlowLabel() { |
| 48 | + this.isTaint() and result.isTaint() |
| 49 | + or |
| 50 | + this.isTaintedUrlSuffix() and result instanceof TaintedUrlSuffixLabel |
| 51 | + } |
| 52 | + } |
| 53 | + |
| 54 | + /** Convenience predicates for working with flow states. */ |
| 55 | + module FlowState { |
| 56 | + /** Gets the `taint` flow state. */ |
| 57 | + FlowState taint() { result.isTaint() } |
| 58 | + |
| 59 | + /** Gets the `tainted-url-suffix` flow state. */ |
| 60 | + FlowState taintedUrlSuffix() { result.isTaintedUrlSuffix() } |
| 61 | + } |
| 62 | + |
16 | 63 | /** |
17 | 64 | * The flow label representing a URL with a tainted query and fragment part. |
18 | 65 | * |
|
0 commit comments