JS: Move React steps into React library

asgerf · asgerf · commit e847043307af · 2021-03-17T13:29:16.000Z
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -582,49 +582,6 @@ module TaintTracking {
     }
   }
 
-  /**
-   * A taint propagating data flow edge for assignments of the form `c1.state.p = v`,
-   * where `c1` is an instance of React component `C`; in this case, we consider
-   * taint to flow from `v` to any read of `c2.state.p`, where `c2`
-   * also is an instance of `C`.
-   */
-  private class ReactComponentStateTaintStep extends SharedTaintStep {
-    override predicate viewComponentStep(DataFlow::Node pred, DataFlow::Node succ) {
-      exists(ReactComponent c, DataFlow::PropRead prn, DataFlow::PropWrite pwn |
-        (
-          c.getACandidateStateSource().flowsTo(pwn.getBase()) or
-          c.getADirectStateAccess().flowsTo(pwn.getBase())
-        ) and
-        (
-          c.getAPreviousStateSource().flowsTo(prn.getBase()) or
-          c.getADirectStateAccess().flowsTo(prn.getBase())
-        )
-      |
-        prn.getPropertyName() = pwn.getPropertyName() and
-        succ = prn and
-        pred = pwn.getRhs()
-      )
-    }
-  }
-
-  /**
-   * A taint propagating data flow edge for assignments of the form `c1.props.p = v`,
-   * where `c1` is an instance of React component `C`; in this case, we consider
-   * taint to flow from `v` to any read of `c2.props.p`, where `c2`
-   * also is an instance of `C`.
-   */
-  private class ReactComponentPropsTaintStep extends SharedTaintStep {
-    override predicate viewComponentStep(DataFlow::Node pred, DataFlow::Node succ) {
-      exists(ReactComponent c, string name, DataFlow::PropRead prn |
-        prn = c.getAPropRead(name) or
-        prn = c.getAPreviousPropsSource().getAPropertyRead(name)
-      |
-        pred = c.getACandidatePropsValue(name) and
-        succ = prn
-      )
-    }
-  }
-
   /**
    * A taint propagating data flow edge arising from string concatenations.
    *
diff --git a/javascript/ql/src/semmle/javascript/frameworks/React.qll b/javascript/ql/src/semmle/javascript/frameworks/React.qll
@@ -795,3 +795,46 @@ private class HigherOrderComponentStep extends PreCallGraphStep {
     )
   }
 }
+
+/**
+ * A taint propagating data flow edge for assignments of the form `c1.state.p = v`,
+ * where `c1` is an instance of React component `C`; in this case, we consider
+ * taint to flow from `v` to any read of `c2.state.p`, where `c2`
+ * also is an instance of `C`.
+ */
+private class StateTaintStep extends TaintTracking::SharedTaintStep {
+  override predicate viewComponentStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(ReactComponent c, DataFlow::PropRead prn, DataFlow::PropWrite pwn |
+      (
+        c.getACandidateStateSource().flowsTo(pwn.getBase()) or
+        c.getADirectStateAccess().flowsTo(pwn.getBase())
+      ) and
+      (
+        c.getAPreviousStateSource().flowsTo(prn.getBase()) or
+        c.getADirectStateAccess().flowsTo(prn.getBase())
+      )
+    |
+      prn.getPropertyName() = pwn.getPropertyName() and
+      succ = prn and
+      pred = pwn.getRhs()
+    )
+  }
+}
+
+/**
+ * A taint propagating data flow edge for assignments of the form `c1.props.p = v`,
+ * where `c1` is an instance of React component `C`; in this case, we consider
+ * taint to flow from `v` to any read of `c2.props.p`, where `c2`
+ * also is an instance of `C`.
+ */
+private class PropsTaintStep extends TaintTracking::SharedTaintStep {
+  override predicate viewComponentStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(ReactComponent c, string name, DataFlow::PropRead prn |
+      prn = c.getAPropRead(name) or
+      prn = c.getAPreviousPropsSource().getAPropertyRead(name)
+    |
+      pred = c.getACandidatePropsValue(name) and
+      succ = prn
+    )
+  }
+}
