Commit b221662

JS: Port RequestForgery
1 parent d7b4e0c commit b221662

3 files changed

Lines changed: 103 additions & 168 deletions


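--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
@@ -12,23 +12,48 @@ import UrlConcatenation
 import RequestForgeryCustomizations::RequestForgery
 
 /**
- * A taint tracking configuration for request forgery.
+ * A taint tracking configuration for server-side request forgery.
  */
-class Configuration extends TaintTracking::Configuration {
+module RequestForgeryConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source.(Source).isServerSide() }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate isBarrierOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }
+
+  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+    isAdditionalRequestForgeryStep(pred, succ)
+  }
+}
+
+/**
+ * Taint tracking for server-side request forgery.
+ */
+module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;
+
+/**
+ * DEPRECATED. Use the `RequestForgeryFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "RequestForgery" }
 
-  override predicate isSource(DataFlow::Node source) { source.(Source).isServerSide() }
+  override predicate isSource(DataFlow::Node source) { RequestForgeryConfig::isSource(source) }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+  override predicate isSink(DataFlow::Node sink) { RequestForgeryConfig::isSink(sink) }
 
   override predicate isSanitizer(DataFlow::Node node) {
-    super.isSanitizer(node) or
+    super.isSanitizer(node)
+    or
     node instanceof Sanitizer
   }
 
-  override predicate isSanitizerOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }
+  override predicate isSanitizerOut(DataFlow::Node node) {
+    RequestForgeryConfig::isBarrierOut(node)
+  }
 
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    isAdditionalRequestForgeryStep(pred, succ)
+    RequestForgeryConfig::isAdditionalFlowStep(pred, succ)
   }
 }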
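Review bot: The deprecated `Configuration.isSanitizer` (new lines 46-50) is the one override that does not delegate to the new module: it still tests `node instanceof Sanitizer` directly, while `isSource`, `isSink`, `isSanitizerOut` and `isAdditionalTaintStep` all forward to `RequestForgeryConfig`. Forwarding it as well keeps the legacy class and `RequestForgeryFlow` from drifting apart if the barrier set is later changed in one place only: `super.isSanitizer(node) or RequestForgeryConfig::isBarrier(node)`. Separately, `super.isSanitizer(node)` has no counterpart in `RequestForgeryConfig::isBarrier`, so if the legacy default sanitizers matter for this query (not visible from this hunk), it is worth confirming that `TaintTracking::Global` supplies the equivalent, otherwise the port could report paths the old configuration treated as sanitized.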

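--- a/javascript/ql/src/Security/CWE-918/RequestForgery.ql
+++ b/javascript/ql/src/Security/CWE-918/RequestForgery.ql
@@ -12,11 +12,11 @@
 
 import javascript
 import semmle.javascript.security.dataflow.RequestForgeryQuery
-import DataFlow::PathGraph
+import RequestForgeryFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node request
+from RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink, DataFlow::Node request
 where
-  cfg.hasFlowPath(source, sink) and
+  RequestForgeryFlow::flowPath(source, sink) and
   request = sink.getNode().(Sink).getARequest()
 select request, source, sink, "The $@ of this request depends on a $@.", sink.getNode(),
   sink.getNode().(Sink).getKind(), source, "user-provided value"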
