

Commit d5af008

author
Max Schaefer
committed
JavaScript: Adjust ConditionalBypass query.
1 parent 11d6259 commit d5af008

1 file changed

Lines changed: 13 additions & 12 deletions


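--- a/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
+++ b/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
@@ -67,18 +67,19 @@ class SensitiveActionGuardComparisonOperand extends Sink {
 * If flow from `source` taints `sink`, then an attacker can
 * control if `action` should be executed or not.
 */
-predicate isTaintedGuardForSensitiveAction(Sink sink, DataFlow::Node source, SensitiveAction action) {
-action = sink.getAction() and
+predicate isTaintedGuardForSensitiveAction(DataFlow::PathNode sink, DataFlow::PathNode source, SensitiveAction action) {
+action = sink.getNode().(Sink).getAction() and
 // exclude the intermediary sink
-not sink instanceof SensitiveActionGuardComparisonOperand and
+not sink.getNode() instanceof SensitiveActionGuardComparisonOperand and
 exists (Configuration cfg |
 // ordinary taint tracking to a guard
-cfg.hasFlow(source, sink) or
+cfg.hasPathFlow(source, sink) or
 // taint tracking to both operands of a guard comparison
-exists (SensitiveActionGuardComparison cmp, DataFlow::Node lSource, DataFlow::Node rSource |
-sink = cmp.getGuard() and
-cfg.hasFlow(lSource, DataFlow::valueNode(cmp.getLeftOperand())) and
-cfg.hasFlow(rSource, DataFlow::valueNode(cmp.getRightOperand())) |
+exists (SensitiveActionGuardComparison cmp, DataFlow::PathNode lSource, DataFlow::PathNode rSource,
+DataFlow::PathNode lSink, DataFlow::PathNode rSink |
+sink.getNode() = cmp.getGuard() and
+cfg.hasPathFlow(lSource, lSink) and lSink.getNode() = DataFlow::valueNode(cmp.getLeftOperand()) and
+cfg.hasPathFlow(rSource, rSink) and rSink.getNode() = DataFlow::valueNode(cmp.getRightOperand()) |
 source = lSource or
 source = rSource
 )
@@ -90,10 +91,10 @@ predicate isTaintedGuardForSensitiveAction(Sink sink, DataFlow::Node source, Sen
 *
 * Example: `if (e) return; action(x)`.
 */
-predicate isEarlyAbortGuard(Sink e, SensitiveAction action) {
+predicate isEarlyAbortGuard(DataFlow::PathNode e, SensitiveAction action) {
 exists (IfStmt guard |
 // `e` is in the condition of an if-statement ...
-e.asExpr().getParentExpr*() = guard.getCondition() and
+e.getNode().(Sink).asExpr().getParentExpr*() = guard.getCondition() and
 // ... where the then-branch always throws or returns
 exists (Stmt abort |
 abort instanceof ThrowStmt or
@@ -108,9 +109,9 @@ predicate isEarlyAbortGuard(Sink e, SensitiveAction action) {
 )
 }
 
-from DataFlow::Node source, DataFlow::Node sink, SensitiveAction action
+from DataFlow::PathNode source, DataFlow::PathNode sink, SensitiveAction action
 where isTaintedGuardForSensitiveAction(sink, source, action) and
 not isEarlyAbortGuard(sink, action)
-select sink, "This condition guards a sensitive $@, but $@ controls it.",
+select sink.getNode(), "This condition guards a sensitive $@, but $@ controls it.",
 action, "action",
 source, "a user-provided value"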
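Review bot: The second `$@` placeholder in the select clause is still bound to `source`, which this commit turns into a `DataFlow::PathNode`, while the primary column was changed to `sink.getNode()`; for consistency the message argument should be `source.getNode(), "a user-provided value"`. If the query metadata (outside these hunks) declares `@kind path-problem`, the select must also carry the path columns, i.e. `select sink.getNode(), source, sink, "This condition guards a sensitive $@, but $@ controls it.",` with the remaining arguments unchanged apart from `source.getNode()`. In the comparison case of the first hunk, the selected `sink` is the guard expression while the tracked paths end at `lSink`/`rSink`, so the edges from `source` would presumably not reach the selected sink node; worth confirming that path output renders for that case.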
