
Commit b9bd052

committed
JS: Port RemotePropertyInjection
1 parent dcc73a7 commit b9bd052

3 files changed

Lines changed: 46 additions & 29 deletions


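--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll
@@ -14,7 +14,26 @@ import RemotePropertyInjectionCustomizations::RemotePropertyInjection
 /**
 * A taint-tracking configuration for reasoning about remote property injection.
 */
-class Configuration extends TaintTracking::Configuration {
+module RemotePropertyInjectionConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+predicate isBarrier(DataFlow::Node node) {
+node instanceof Sanitizer or
+node = StringConcatenation::getRoot(any(ConstantString str).flow())
+}
+}
+
+/**
+* Taint-tracking for reasoning about remote property injection.
+*/
+module RemotePropertyInjectionFlow = TaintTracking::Global<RemotePropertyInjectionConfig>;
+
+/**
+* DEPRECATED. Use the `RemotePropertyInjectionFlow` module instead.
+*/
+deprecated class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "RemotePropertyInjection" }
 
 override predicate isSource(DataFlow::Node source) { source instanceof Source }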
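Review bot: The second disjunct of `isBarrier` in `RemotePropertyInjectionConfig` has no comment explaining why the root of a string concatenation with a constant operand stops taint. In a security query that is a deliberate false-negative trade-off, and a reader should be able to see it. Nothing visible restricts which constant qualifies or where it sits in the concatenation, so the barrier presumably applies to any constant prefix or suffix; please confirm that is intended. I would add above the disjunct something like `// A property name concatenated with a constant string is not fully attacker-chosen, so it is treated as safe.` The deprecated `Configuration` class continues past the end of the hunk, so I cannot tell whether it keeps its own copy of this sanitizer logic; if it does, the two copies can drift apart and a comment saying so would help.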

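--- a/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql
+++ b/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql
@@ -14,9 +14,9 @@
 
 import javascript
 import semmle.javascript.security.dataflow.RemotePropertyInjectionQuery
-import DataFlow::PathGraph
+import RemotePropertyInjectionFlow::PathGraph
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from RemotePropertyInjectionFlow::PathNode source, RemotePropertyInjectionFlow::PathNode sink
+where RemotePropertyInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, sink.getNode().(Sink).getMessage() + " depends on a $@.",
 source.getNode(), "user-provided value"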

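--- a/javascript/ql/test/query-tests/Security/CWE-400/RemovePropertyInjection/RemotePropertyInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-400/RemovePropertyInjection/RemotePropertyInjection.expected
@@ -1,37 +1,35 @@
-nodes
-| tst.js:8:6:8:52 | prop |
-| tst.js:8:13:8:52 | myCoolL ... rolled) |
-| tst.js:8:28:8:51 | req.que ... trolled |
-| tst.js:8:28:8:51 | req.que ... trolled |
-| tst.js:9:8:9:11 | prop |
-| tst.js:9:8:9:11 | prop |
-| tst.js:13:15:13:18 | prop |
-| tst.js:13:15:13:18 | prop |
-| tst.js:14:31:14:34 | prop |
-| tst.js:14:31:14:34 | prop |
-| tst.js:16:10:16:13 | prop |
-| tst.js:16:10:16:13 | prop |
-| tstNonExpr.js:5:7:5:23 | userVal |
-| tstNonExpr.js:5:17:5:23 | req.url |
-| tstNonExpr.js:5:17:5:23 | req.url |
-| tstNonExpr.js:8:17:8:23 | userVal |
-| tstNonExpr.js:8:17:8:23 | userVal |
 edges
 | tst.js:8:6:8:52 | prop | tst.js:9:8:9:11 | prop |
-| tst.js:8:6:8:52 | prop | tst.js:9:8:9:11 | prop |
-| tst.js:8:6:8:52 | prop | tst.js:13:15:13:18 | prop |
 | tst.js:8:6:8:52 | prop | tst.js:13:15:13:18 | prop |
 | tst.js:8:6:8:52 | prop | tst.js:14:31:14:34 | prop |
-| tst.js:8:6:8:52 | prop | tst.js:14:31:14:34 | prop |
-| tst.js:8:6:8:52 | prop | tst.js:16:10:16:13 | prop |
 | tst.js:8:6:8:52 | prop | tst.js:16:10:16:13 | prop |
 | tst.js:8:13:8:52 | myCoolL ... rolled) | tst.js:8:6:8:52 | prop |
 | tst.js:8:28:8:51 | req.que ... trolled | tst.js:8:13:8:52 | myCoolL ... rolled) |
-| tst.js:8:28:8:51 | req.que ... trolled | tst.js:8:13:8:52 | myCoolL ... rolled) |
-| tstNonExpr.js:5:7:5:23 | userVal | tstNonExpr.js:8:17:8:23 | userVal |
+| tst.js:8:28:8:51 | req.que ... trolled | tst.js:21:25:21:25 | x |
+| tst.js:21:25:21:25 | x | tst.js:22:15:22:15 | x |
+| tst.js:22:6:22:15 | result | tst.js:23:9:23:14 | result |
+| tst.js:22:15:22:15 | x | tst.js:22:6:22:15 | result |
+| tst.js:23:9:23:14 | result | tst.js:23:9:23:42 | result. ... length) |
 | tstNonExpr.js:5:7:5:23 | userVal | tstNonExpr.js:8:17:8:23 | userVal |
 | tstNonExpr.js:5:17:5:23 | req.url | tstNonExpr.js:5:7:5:23 | userVal |
-| tstNonExpr.js:5:17:5:23 | req.url | tstNonExpr.js:5:7:5:23 | userVal |
+nodes
+| tst.js:8:6:8:52 | prop | semmle.label | prop |
+| tst.js:8:13:8:52 | myCoolL ... rolled) | semmle.label | myCoolL ... rolled) |
+| tst.js:8:28:8:51 | req.que ... trolled | semmle.label | req.que ... trolled |
+| tst.js:9:8:9:11 | prop | semmle.label | prop |
+| tst.js:13:15:13:18 | prop | semmle.label | prop |
+| tst.js:14:31:14:34 | prop | semmle.label | prop |
+| tst.js:16:10:16:13 | prop | semmle.label | prop |
+| tst.js:21:25:21:25 | x | semmle.label | x |
+| tst.js:22:6:22:15 | result | semmle.label | result |
+| tst.js:22:15:22:15 | x | semmle.label | x |
+| tst.js:23:9:23:14 | result | semmle.label | result |
+| tst.js:23:9:23:42 | result. ... length) | semmle.label | result. ... length) |
+| tstNonExpr.js:5:7:5:23 | userVal | semmle.label | userVal |
+| tstNonExpr.js:5:17:5:23 | req.url | semmle.label | req.url |
+| tstNonExpr.js:8:17:8:23 | userVal | semmle.label | userVal |
+subpaths
+| tst.js:8:28:8:51 | req.que ... trolled | tst.js:21:25:21:25 | x | tst.js:23:9:23:42 | result. ... length) | tst.js:8:13:8:52 | myCoolL ... rolled) |
 #select
 | tst.js:9:8:9:11 | prop | tst.js:8:28:8:51 | req.que ... trolled | tst.js:9:8:9:11 | prop | A property name to write to depends on a $@. | tst.js:8:28:8:51 | req.que ... trolled | user-provided value |
 | tst.js:13:15:13:18 | prop | tst.js:8:28:8:51 | req.que ... trolled | tst.js:13:15:13:18 | prop | A property name to write to depends on a $@. | tst.js:8:28:8:51 | req.que ... trolled | user-provided value |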
