

Commit d324e55

committed
JS: Port DeepObjectResourceExhaustion
1 parent 30f1fbc commit d324e55

3 files changed

Lines changed: 41 additions & 10 deletions


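--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
@@ -11,7 +11,41 @@ import DeepObjectResourceExhaustionCustomizations::DeepObjectResourceExhaustion
 * A taint tracking configuration for reasoning about DoS attacks due to inefficient handling
 * of user-controlled objects.
 */
-class Configuration extends TaintTracking::Configuration {
+module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
+class FlowState = DataFlow::FlowLabel;
+
+predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+source.(Source).getAFlowLabel() = label
+}
+
+predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+sink instanceof Sink and label = TaintedObject::label()
+}
+
+predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel label) {
+node = TaintedObject::SanitizerGuard::getABarrierNode(label)
+}
+
+predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+predicate isAdditionalFlowStep(
+DataFlow::Node src, DataFlow::FlowLabel inlbl, DataFlow::Node trg, DataFlow::FlowLabel outlbl
+) {
+TaintedObject::step(src, trg, inlbl, outlbl)
+}
+}
+
+/**
+* Taint tracking for reasoning about DoS attacks due to inefficient handling
+* of user-controlled objects.
+*/
+module DeepObjectResourceExhaustionFlow =
+TaintTracking::GlobalWithState<DeepObjectResourceExhaustionConfig>;
+
+/**
+* DEPRECATED. Use the `DeepObjectResourceExhaustionFlow` module instead.
+*/
+deprecated class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "DeepObjectResourceExhaustion" }
 
 override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {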
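Review bot: The deprecated `Configuration` class kept at the end of the hunk still carries its own `isSource` override (its body continues past the hunk), so the legacy class and the new `DeepObjectResourceExhaustionConfig` module now hold two independent copies of the source/sink/barrier logic that can drift apart until the class is removed. A short comment on the deprecated class would make that maintenance expectation explicit, e.g. `// Legacy API kept for external callers; keep its predicates in step with DeepObjectResourceExhaustionConfig until this class is removed.`. If the deprecated class can be expressed in terms of the new module's predicates instead, that would remove the duplication, but the rest of its body is not visible here.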

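--- a/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql
+++ b/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql
@@ -11,14 +11,13 @@
 */
 
 import javascript
-import DataFlow::PathGraph
 import semmle.javascript.security.dataflow.DeepObjectResourceExhaustionQuery
+import DataFlow::DeduplicatePathGraph<DeepObjectResourceExhaustionFlow::PathNode, DeepObjectResourceExhaustionFlow::PathGraph>
 
-from
-Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node link,
-string reason
+from PathNode source, PathNode sink, DataFlow::Node link, string reason
 where
-cfg.hasFlowPath(source, sink) and
+DeepObjectResourceExhaustionFlow::flowPath(source.getAnOriginalPathNode(),
+sink.getAnOriginalPathNode()) and
 sink.getNode().(Sink).hasReason(link, reason)
 select sink, source, sink, "Denial of service caused by processing $@ with $@.", source.getNode(),
 "user input", link, reason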
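--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,8 +1,6 @@
 nodes
-| tst.js:9:29:9:36 | req.body |
-| tst.js:9:29:9:36 | req.body |
-| tst.js:9:29:9:36 | req.body |
+| tst.js:9:29:9:36 | req.body | semmle.label | req.body |
 edges
-| tst.js:9:29:9:36 | req.body | tst.js:9:29:9:36 | req.body |
+subpaths
 #select
 | tst.js:9:29:9:36 | req.body | tst.js:9:29:9:36 | req.body | tst.js:9:29:9:36 | req.body | Denial of service caused by processing $@ with $@. | tst.js:9:29:9:36 | req.body | user input | tst.js:4:21:4:35 | allErrors: true | allErrors: true |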
