JavaScript: Select source and sink in all path queries.

Max Schaefer · Max Schaefer · commit e365b722eea3 · 2018-11-14T09:16:40.000Z
diff --git a/javascript/ql/src/Security/CWE-022/TaintedPath.ql b/javascript/ql/src/Security/CWE-022/TaintedPath.ql
@@ -20,4 +20,4 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "This path depends on $@.", source, "a user-provided value"
+select sink.getNode(), source, sink, "This path depends on $@.", source, "a user-provided value"
diff --git a/javascript/ql/src/Security/CWE-078/CommandInjection.ql b/javascript/ql/src/Security/CWE-078/CommandInjection.ql
@@ -22,4 +22,4 @@ where cfg.hasPathFlow(source, sink) and
         cfg.isSinkWithHighlight(sink.getNode(), highlight)
       else
         highlight = sink.getNode()
-select highlight, "This command depends on $@.", source, "a user-provided value"
+select highlight, source, sink, "This command depends on $@.", source, "a user-provided value"
diff --git a/javascript/ql/src/Security/CWE-079/ReflectedXss.ql b/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "Cross-site scripting vulnerability due to $@.",
+select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
        source, "user-provided value"
diff --git a/javascript/ql/src/Security/CWE-079/StoredXss.ql b/javascript/ql/src/Security/CWE-079/StoredXss.ql
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "Stored cross-site scripting vulnerability due to $@.",
+select sink.getNode(), source, sink, "Stored cross-site scripting vulnerability due to $@.",
        source, "stored value"
diff --git a/javascript/ql/src/Security/CWE-079/Xss.ql b/javascript/ql/src/Security/CWE-079/Xss.ql
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), sink.getNode().(Sink).getVulnerabilityKind() + " vulnerability due to $@.",
+select sink.getNode(), source, sink, sink.getNode().(Sink).getVulnerabilityKind() + " vulnerability due to $@.",
        source, "user-provided value"
diff --git a/javascript/ql/src/Security/CWE-089/SqlInjection.ql b/javascript/ql/src/Security/CWE-089/SqlInjection.ql
@@ -19,4 +19,4 @@ from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode
 where (cfg instanceof SqlInjection::Configuration or
        cfg instanceof NosqlInjection::Configuration) and
       cfg.hasPathFlow(source, sink)
-select sink.getNode(), "This query depends on $@.", source, "a user-provided value"
+select sink.getNode(), source, sink, "This query depends on $@.", source, "a user-provided value"
diff --git a/javascript/ql/src/Security/CWE-094/CodeInjection.ql b/javascript/ql/src/Security/CWE-094/CodeInjection.ql
@@ -18,4 +18,4 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "$@ flows to here and is interpreted as code.", source, "User-provided value"
+select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.", source, "User-provided value"
diff --git a/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql b/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql
@@ -15,4 +15,4 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "$@ flows here and is used in a format string.", source, "User-provided value"
+select sink.getNode(), source, sink, "$@ flows here and is used in a format string.", source, "User-provided value"
diff --git a/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql b/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql
@@ -14,4 +14,4 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "$@ flows directly to outbound network request", source, "File data"
+select sink.getNode(), source, sink, "$@ flows directly to outbound network request", source, "File data"
diff --git a/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql b/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "Stack trace information from $@ may be exposed to an external user here.",
+select sink.getNode(), source, sink, "Stack trace information from $@ may be exposed to an external user here.",
        source, "here"
diff --git a/javascript/ql/src/Security/CWE-312/CleartextLogging.ql b/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
@@ -36,4 +36,4 @@ from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink) and
       // ignore logging to the browser console (even though it is not a good practice)
       not inBrowserEnvironment(sink.getNode().asExpr().getTopLevel())
-select sink.getNode(), "Sensitive data returned by $@ is logged here.", source, source.getNode().(Source).describe()
+select sink.getNode(), source, sink, "Sensitive data returned by $@ is logged here.", source, source.getNode().(Source).describe()
diff --git a/javascript/ql/src/Security/CWE-312/CleartextStorage.ql b/javascript/ql/src/Security/CWE-312/CleartextStorage.ql
@@ -18,4 +18,4 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "Sensitive data returned by $@ is stored here.", source, source.getNode().(Source).describe()
+select sink.getNode(), source, sink, "Sensitive data returned by $@ is stored here.", source, source.getNode().(Source).describe()
diff --git a/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql b/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
@@ -17,4 +17,4 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink) and
       not source.asExpr() instanceof CleartextPasswordExpr // flagged by js/insufficient-password-hash
-select sink.getNode(), "Sensitive data from $@ is used in a broken or weak cryptographic algorithm.", source , source.(Source).describe()
+select sink.getNode(), source, sink, "Sensitive data from $@ is used in a broken or weak cryptographic algorithm.", source , source.(Source).describe()
diff --git a/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql b/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql
@@ -16,4 +16,4 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "Cryptographically insecure $@ in a security context.", source, "random value"
+select sink.getNode(), source, sink, "Cryptographically insecure $@ in a security context.", source, "random value"
diff --git a/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql b/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
@@ -17,6 +17,6 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "$@ leak vulnerability due to $@.",
+select sink.getNode(), source, sink, "$@ leak vulnerability due to $@.",
        sink.(Sink).getCredentialsHeader(), "Credential",
        source, "a misconfigured CORS header value"
diff --git a/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql b/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql
@@ -18,5 +18,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "A $@ is used as" + sink.(Sink).getMessage(),
+select sink.getNode(), source, sink, "A $@ is used as" + sink.(Sink).getMessage(),
        source, "user-provided value"
diff --git a/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql b/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
@@ -16,4 +16,4 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "Unsafe deserialization of $@.", source, "user input"
+select sink.getNode(), source, sink, "Unsafe deserialization of $@.", source, "user input"
diff --git a/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql b/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql
@@ -18,4 +18,4 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "Untrusted URL redirection due to $@.", source, "user-provided value"
+select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source, "user-provided value"
diff --git a/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql b/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql
@@ -16,4 +16,4 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "Untrusted URL redirection due to $@.", source, "user-provided value"
+select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source, "user-provided value"
diff --git a/javascript/ql/src/Security/CWE-611/Xxe.ql b/javascript/ql/src/Security/CWE-611/Xxe.ql
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "A $@ is parsed as XML without guarding against external entity expansion.",
+select sink.getNode(), source, sink, "A $@ is parsed as XML without guarding against external entity expansion.",
        source, "user-provided value"
diff --git a/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql b/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
@@ -16,4 +16,4 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "Links in this email can be hijacked by poisoning the HTTP host header $@.", source, "here"
+select sink.getNode(), source, sink, "Links in this email can be hijacked by poisoning the HTTP host header $@.", source, "here"
diff --git a/javascript/ql/src/Security/CWE-643/XpathInjection.ql b/javascript/ql/src/Security/CWE-643/XpathInjection.ql
@@ -16,4 +16,4 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "$@ flows here and is used in an XPath expression.", source, "User-provided value"
+select sink.getNode(), source, sink, "$@ flows here and is used in an XPath expression.", source, "User-provided value"
diff --git a/javascript/ql/src/Security/CWE-730/RegExpInjection.ql b/javascript/ql/src/Security/CWE-730/RegExpInjection.ql
@@ -18,4 +18,4 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "This regular expression is constructed from a $@.", source, "user-provided value"
+select sink.getNode(), source, sink, "This regular expression is constructed from a $@.", source, "user-provided value"
diff --git a/javascript/ql/src/Security/CWE-776/XmlBomb.ql b/javascript/ql/src/Security/CWE-776/XmlBomb.ql
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "A $@ is parsed as XML without guarding against uncontrolled entity expansion.",
+select sink.getNode(), source, sink, "A $@ is parsed as XML without guarding against uncontrolled entity expansion.",
        source, "user-provided value"
diff --git a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -23,4 +23,4 @@ where cfg.hasPathFlow(source, sink) and
         value = "The hard-coded value \"" + source.getNode().asExpr().(ConstantString).getStringValue() + "\""
       else
         value = "This hard-coded value"
-select source.getNode(), value + " is used as $@.", sink, sink.getNode().(Sink).getKind()
+select source.getNode(), source, sink, value + " is used as $@.", sink, sink.getNode().(Sink).getKind()
diff --git a/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql b/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
@@ -112,6 +112,6 @@ predicate isEarlyAbortGuard(DataFlow::PathNode e, SensitiveAction action) {
 from DataFlow::PathNode source, DataFlow::PathNode sink, SensitiveAction action
 where isTaintedGuardForSensitiveAction(sink, source, action) and
       not isEarlyAbortGuard(sink, action)
-select sink.getNode(), "This condition guards a sensitive $@, but $@ controls it.",
+select sink.getNode(), source, sink, "This condition guards a sensitive $@, but $@ controls it.",
     action, "action",
     source, "a user-provided value"
diff --git a/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql b/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql
@@ -15,4 +15,4 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "Potential type confusion for $@.", source, "HTTP request parameter"
+select sink.getNode(), source, sink, "Potential type confusion for $@.", source, "HTTP request parameter"
diff --git a/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql b/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
@@ -14,4 +14,4 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "$@ flows to file system", source, "Untrusted data"
+select sink.getNode(), source, sink, "$@ flows to file system", source, "Untrusted data"
diff --git a/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql b/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql
@@ -15,4 +15,4 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), "Password from $@ is hashed insecurely.", source , source.(Source).describe()
+select sink.getNode(), source, sink, "Password from $@ is hashed insecurely.", source , source.(Source).describe()
diff --git a/javascript/ql/src/Security/CWE-918/RequestForgery.ql b/javascript/ql/src/Security/CWE-918/RequestForgery.ql
@@ -16,4 +16,4 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node request
 where cfg.hasPathFlow(source, sink) and
       request = sink.getNode().(Sink).getARequest()
-select request, "The $@ of this request depends on $@.", sink, sink.getNode().(Sink).getKind(), source, "a user-provided value"
+select request, source, sink, "The $@ of this request depends on $@.", sink, sink.getNode().(Sink).getKind(), source, "a user-provided value"
