11/**
2- * Provides a taint-tracking configuration for reasoning about code injection.
2+ * Provides a taint-tracking configuration for reasoning about code
3+ * injection vulnerabilities.
4+ *
5+ * Note, for performance reasons: only import this file if
6+ * `CodeInjection::Configuration` is needed, otherwise
7+ * `CodeInjectionCustomizations` should be imported instead.
38 */
49
510import javascript
6- import semmle.javascript.security.dataflow.RemoteFlowSources
711
812module CodeInjection {
9- /**
10- * A data flow source for code injection vulnerabilities.
11- */
12- abstract class Source extends DataFlow:: Node { }
13-
14- /**
15- * A data flow sink for code injection vulnerabilities.
16- */
17- abstract class Sink extends DataFlow:: Node { }
18-
19- /**
20- * A sanitizer for code injection vulnerabilities.
21- */
22- abstract class Sanitizer extends DataFlow:: Node { }
13+ import CodeInjectionCustomizations:: CodeInjection
2314
2415 /**
2516 * A taint-tracking configuration for reasoning about code injection vulnerabilities.
@@ -42,84 +33,4 @@ module CodeInjection {
4233 src = trg .( HtmlSanitizerCall ) .getInput ( )
4334 }
4435 }
45-
46- /** A source of remote user input, considered as a flow source for code injection. */
47- class RemoteFlowSourceAsSource extends Source {
48- RemoteFlowSourceAsSource ( ) { this instanceof RemoteFlowSource }
49- }
50-
51- /**
52- * An access to a property that may hold (parts of) the document URL.
53- */
54- class LocationSource extends Source {
55- LocationSource ( ) { this = DOM:: locationSource ( ) }
56- }
57-
58- /**
59- * An expression which may be interpreted as an AngularJS expression.
60- */
61- class AngularJSExpressionSink extends Sink , DataFlow:: ValueNode {
62- AngularJSExpressionSink ( ) {
63- any ( AngularJS:: AngularJSCall call ) .interpretsArgumentAsCode ( this .asExpr ( ) )
64- }
65- }
66-
67- /**
68- * An expression which may be evaluated as JavaScript in NodeJS using the
69- * `vm` module.
70- */
71- class NodeJSVmSink extends Sink , DataFlow:: ValueNode {
72- NodeJSVmSink ( ) { exists ( NodeJSLib:: VmModuleMethodCall call | this = call .getACodeArgument ( ) ) }
73- }
74-
75- /**
76- * An expression which may be evaluated as JavaScript.
77- */
78- class EvalJavaScriptSink extends Sink , DataFlow:: ValueNode {
79- EvalJavaScriptSink ( ) {
80- exists ( DataFlow:: InvokeNode c , int index |
81- exists ( string callName | c = DataFlow:: globalVarRef ( callName ) .getAnInvocation ( ) |
82- callName = "eval" and index = 0
83- or
84- callName = "Function"
85- or
86- callName = "execScript" and index = 0
87- or
88- callName = "executeJavaScript" and index = 0
89- or
90- callName = "execCommand" and index = 0
91- or
92- callName = "setTimeout" and index = 0
93- or
94- callName = "setInterval" and index = 0
95- or
96- callName = "setImmediate" and index = 0
97- )
98- or
99- exists ( DataFlow:: GlobalVarRefNode wasm , string methodName |
100- wasm .getName ( ) = "WebAssembly" and c = wasm .getAMemberCall ( methodName )
101- |
102- methodName = "compile" or
103- methodName = "compileStreaming"
104- )
105- |
106- this = c .getArgument ( index )
107- )
108- }
109- }
110-
111- /**
112- * An expression which is injected as JavaScript into a React Native `WebView`.
113- */
114- class WebViewInjectedJavaScriptSink extends Sink {
115- WebViewInjectedJavaScriptSink ( ) {
116- exists ( ReactNative:: WebViewElement webView |
117- // `injectedJavaScript` property of React Native `WebView`
118- this = webView .getAPropertyWrite ( "injectedJavaScript" ) .getRhs ( )
119- or
120- // argument to `injectJavascript` method of React Native `WebView`
121- this = webView .getAMethodCall ( "injectJavaScript" ) .getArgument ( 0 )
122- )
123- }
124- }
12536}