
Commit b00e447

committed
Make CorsMisconfiguration use new API
1 parent 9b19cde commit b00e447

1 file changed

Lines changed: 20 additions & 18 deletions


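--- a/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql
+++ b/go/ql/src/experimental/CWE-942/CorsMisconfiguration.ql
@@ -55,24 +55,26 @@ class AllowCredentialsHeaderWrite extends Http::HeaderWrite {
 * A taint-tracking configuration for reasoning about when an UntrustedFlowSource
 * flows to a HeaderWrite that writes an `Access-Control-Allow-Origin` header's value.
 */
-class FlowsUntrustedToAllowOriginHeader extends TaintTracking::Configuration {
-FlowsUntrustedToAllowOriginHeader() { this = "from-untrusted-to-allow-origin-header-value" }
+module UntrustedToAllowOriginHeaderConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
 
-override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
-
-predicate isSinkHW(DataFlow::Node sink, AllowOriginHeaderWrite hw) { sink = hw.getValue() }
+additional predicate isSinkHW(DataFlow::Node sink, AllowOriginHeaderWrite hw) {
+sink = hw.getValue()
+}
 
-override predicate isSanitizer(DataFlow::Node node) {
+predicate isBarrier(DataFlow::Node node) {
 exists(ControlFlow::ConditionGuardNode cgn |
 cgn.ensures(any(AllowedFlag f).getAFlag().getANode(), _)
 |
 cgn.dominates(node.getBasicBlock())
 )
 }
 
-override predicate isSink(DataFlow::Node sink) { this.isSinkHW(sink, _) }
+predicate isSink(DataFlow::Node sink) { isSinkHW(sink, _) }
 }
 
+module UntrustedToAllowOriginHeaderFlow = TaintTracking::Global<UntrustedToAllowOriginHeaderConfig>;
+
 /**
 * Holds if the provided `allowOriginHW` HeaderWrite's parent ResponseWriter
 * also has another HeaderWrite that sets a `Access-Control-Allow-Credentials`
@@ -92,9 +94,9 @@ predicate allowCredentialsIsSetToTrue(AllowOriginHeaderWrite allowOriginHW) {
 * The `message` parameter is populated with the warning message to be returned by the query.
 */
 predicate flowsFromUntrustedToAllowOrigin(AllowOriginHeaderWrite allowOriginHW, string message) {
-exists(FlowsUntrustedToAllowOriginHeader cfg, DataFlow::Node sink |
-cfg.hasFlowTo(sink) and
-cfg.isSinkHW(sink, allowOriginHW)
+exists(DataFlow::Node sink |
+UntrustedToAllowOriginHeaderFlow::flowTo(sink) and
+UntrustedToAllowOriginHeaderConfig::isSinkHW(sink, allowOriginHW)
 |
 message =
 headerAllowOrigin() + " header is set to a user-defined value, and " +
@@ -124,14 +126,12 @@ class MapRead extends DataFlow::ElementReadNode {
 * A taint-tracking configuration for reasoning about when an UntrustedFlowSource
 * flows somewhere.
 */
-class FlowsFromUntrusted extends TaintTracking::Configuration {
-FlowsFromUntrusted() { this = "from-untrusted" }
+module FromUntrustedConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
 
-override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
+predicate isSink(DataFlow::Node sink) { isSinkCgn(sink, _) }
 
-override predicate isSink(DataFlow::Node sink) { this.isSinkCgn(sink, _) }
-
-predicate isSinkCgn(DataFlow::Node sink, ControlFlow::ConditionGuardNode cgn) {
+additional predicate isSinkCgn(DataFlow::Node sink, ControlFlow::ConditionGuardNode cgn) {
 exists(IfStmt ifs |
 exists(Expr operand |
 operand = ifs.getCond().getAChildExpr*() and
@@ -165,12 +165,14 @@ class FlowsFromUntrusted extends TaintTracking::Configuration {
 }
 }
 
+module FromUntrustedFlow = TaintTracking::Global<FromUntrustedConfig>;
+
 /**
 * Holds if the provided `allowOriginHW` is also destination of a `UntrustedFlowSource`.
 */
 predicate flowsToGuardedByCheckOnUntrusted(AllowOriginHeaderWrite allowOriginHW) {
-exists(FlowsFromUntrusted cfg, DataFlow::Node sink, ControlFlow::ConditionGuardNode cgn |
-cfg.hasFlowTo(sink) and cfg.isSinkCgn(sink, cgn)
+exists(DataFlow::Node sink, ControlFlow::ConditionGuardNode cgn |
+FromUntrustedFlow::flowTo(sink) and FromUntrustedConfig::isSinkCgn(sink, cgn)
 |
 cgn.dominates(allowOriginHW.getBasicBlock())
 )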
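Review bot: `isBarrier` in the first hunk (new line 65) is left without QLDoc after the rename from `isSanitizer`, and its `_` outcome argument means that any conditional testing an allowed-origins flag suppresses the result on both branches, which a reader could easily mistake for a positive-check-only sanitizer. Suggest a QLDoc on `isBarrier` stating that it holds when the node is dominated by a conditional that tests an `AllowedFlag`, whichever outcome the branch takes, and that the query treats this as sanitizing the origin value; likewise give `isSinkHW` a one-line QLDoc saying it holds when `sink` is the value written by the `Access-Control-Allow-Origin` header write `hw`. The either-outcome dominance is a precision choice the commit carries over unchanged rather than introduces, so no code change is proposed here; `AllowedFlag` itself is defined outside the hunk.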
