hohn/codeql-javascript-multiflow
1
0
Fork 0
mirror of https://github.com/hohn/codeql-javascript-multiflow.git synced 2025-12-16 20:03:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add flow config from 'new db()' to 'db.exec()'

Browse Source
This commit is contained in:
Michael Hohn
2023-11-26 14:06:44 -08:00
committed by =Michael Hohn
parent 247b71294a
commit 18b8c9e98c
6 changed files with 196 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
cruft/snapshot-query
View File

@@ -27,6 +27,7 @@ git add tests/$qname/$qname.qlref
# snapshot the session # snapshot the session
cp add-user.js tests/$qname/ cp add-user.js tests/$qname/
git add tests/$qname/add-user.js
cp session/session.ql solutions/$qname.ql cp session/session.ql solutions/$qname.ql
git add solutions/$qname.ql git add solutions/$qname.ql

55
session/session.ql
View File

@@ -1,43 +1,52 @@
/**
* @kind path-problem
*/
import javascript import javascript
import DataFlow::PathGraph
// Ultimate source // Ultimate source
// ---------------- // ----------------
// var line = stdinBuffer.toString(); // var line = stdinBuffer.toString();
predicate uSource(MethodCallExpr sbts) { predicate uSource(MethodCallExpr sbts) { sbts.getMethodName().matches("%toString%") }
// sbts.getReceiver().(DotExpr).getPropertyNameExpr().(Identifier).getName() = "toString"
sbts.getMethodName().matches("%toString%")
}
// Ultimate sink // Ultimate sink
// ---------------- // ----------------
// db.exec(query); // db.exec(query);
predicate uSink(MethodCallExpr dbe) { predicate uSink(MethodCallExpr dbe) { dbe.getMethodName().matches("%exec%") }
// sbts.getReceiver().(DotExpr).getPropertyNameExpr().(Identifier).getName() = "toString"
dbe.getMethodName().matches("%exec%")
}
// Flow sink origin
// Intermediate flow sink
// ------------------------ // ------------------------
// Connect // Connect
// const db = new sqlite3.Database( // const db = new sqlite3.Database(
// to its use // to its use
// db.exec(query); // db.exec(query);
// //
// class IntermediateSink extends DataFlow::Configuration { class FlowSinkOrigin extends DataFlow::FlowLabel {
// IntermediateSink() { this = "IntermediateSink" } FlowSinkOrigin() { this = "FlowSinkOrigin" }
}
// override predicate isSource(DataFlow::Node nd) { class IdentifyFlowSink extends DataFlow::Configuration {
// exists(JsonParserCall jpc | nd = jpc.getOutput()) IdentifyFlowSink() { this = "IdentifyFlowSink" }
// }
// override predicate isSink(DataFlow::Node nd) { exists(DataFlow::PropRef pr | nd = pr.getBase()) } override predicate isSource(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
// } // const db = new sqlite3.Database(
exists(NewExpr newdb |
newdb.getCalleeName() = "Database" and
nd.asExpr() = newdb
)
}
// from IntermediateSink cfg, DataFlow::Node source, DataFlow::Node sink override predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
// where cfg.hasFlow(source, sink) // db.exec(query);
// select sink, "Property access on JSON value originating $@.", source, "here" exists(Expr db, MethodCallExpr exec |
exec.getMethodName() = "exec" and
db = exec.getReceiver() and
nd.asExpr() = db
)
}
}
from MethodCallExpr sbts from IdentifyFlowSink cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where uSource(sbts) where cfg.hasFlowPath(source, sink)
select sbts select sink, source, sink, "Database originating $@", source, "here"

52
solutions/IdentifyFlowSink.ql Normal file
View File

@@ -0,0 +1,52 @@
/**
* @kind path-problem
*/
import javascript
import DataFlow::PathGraph
// Ultimate source
// ----------------
// var line = stdinBuffer.toString();
predicate uSource(MethodCallExpr sbts) { sbts.getMethodName().matches("%toString%") }
// Ultimate sink
// ----------------
// db.exec(query);
predicate uSink(MethodCallExpr dbe) { dbe.getMethodName().matches("%exec%") }
// Flow sink origin
// ------------------------
// Connect
// const db = new sqlite3.Database(
// to its use
// db.exec(query);
//
class FlowSinkOrigin extends DataFlow::FlowLabel {
FlowSinkOrigin() { this = "FlowSinkOrigin" }
}
class IdentifyFlowSink extends DataFlow::Configuration {
IdentifyFlowSink() { this = "IdentifyFlowSink" }
override predicate isSource(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
// const db = new sqlite3.Database(
exists(NewExpr newdb |
newdb.getCalleeName() = "Database" and
nd.asExpr() = newdb
)
}
override predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
// db.exec(query);
exists(Expr db, MethodCallExpr exec |
exec.getMethodName() = "exec" and
db = exec.getReceiver() and
nd.asExpr() = db
)
}
}
from IdentifyFlowSink cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink, source, sink, "Database originating $@", source, "here"

61
tests/IdentifyFlowSink/IdentifyFlowSink.expected Normal file
View File

@@ -0,0 +1,61 @@
WARNING: Unused predicate uSink (/Users/hohn/local/codeql-javascript-multiflow/solutions/IdentifyFlowSink.ql:16,11-16)
WARNING: Unused predicate uSource (/Users/hohn/local/codeql-javascript-multiflow/solutions/IdentifyFlowSink.ql:11,11-18)
WARNING: Unused variable lbl (/Users/hohn/local/codeql-javascript-multiflow/solutions/IdentifyFlowSink.ql:32,70-73)
WARNING: Unused variable lbl (/Users/hohn/local/codeql-javascript-multiflow/solutions/IdentifyFlowSink.ql:40,68-71)
nodes
| add-user.js:16:11:26:10 | db |
| add-user.js:16:11:26:10 | db |
| add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) |
| add-user.js:16:16:26:10 | new sql ... }) |
| add-user.js:16:16:26:10 | new sql ... }) |
| add-user.js:16:16:26:10 | new sql ... }) |
| add-user.js:28:12:28:13 | db |
| add-user.js:28:12:28:13 | db |
| add-user.js:28:12:28:13 | db |
| add-user.js:31:21:31:22 | db |
| add-user.js:31:21:31:22 | db |
| add-user.js:31:21:31:22 | db |
| add-user.js:35:5:35:6 | db |
| add-user.js:35:5:35:6 | db |
| add-user.js:35:5:35:6 | db |
| add-user.js:35:5:35:6 | db |
| add-user.js:43:9:43:25 | db |
| add-user.js:43:9:43:25 | db |
| add-user.js:43:9:43:25 | db |
| add-user.js:43:14:43:25 | connect_db() |
| add-user.js:43:14:43:25 | connect_db() |
| add-user.js:43:14:43:25 | connect_db() |
| add-user.js:44:16:44:17 | db |
| add-user.js:44:16:44:17 | db |
| add-user.js:44:16:44:17 | db |
edges
| add-user.js:16:11:26:10 | db | add-user.js:28:12:28:13 | db |
| add-user.js:16:11:26:10 | db | add-user.js:28:12:28:13 | db |
| add-user.js:16:11:26:10 | db | add-user.js:28:12:28:13 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:28:12:28:13 | db | add-user.js:43:14:43:25 | connect_db() |
| add-user.js:28:12:28:13 | db | add-user.js:43:14:43:25 | connect_db() |
| add-user.js:28:12:28:13 | db | add-user.js:43:14:43:25 | connect_db() |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:43:9:43:25 | db | add-user.js:44:16:44:17 | db |
| add-user.js:43:9:43:25 | db | add-user.js:44:16:44:17 | db |
| add-user.js:43:9:43:25 | db | add-user.js:44:16:44:17 | db |
| add-user.js:43:14:43:25 | connect_db() | add-user.js:43:9:43:25 | db |
| add-user.js:43:14:43:25 | connect_db() | add-user.js:43:9:43:25 | db |
| add-user.js:43:14:43:25 | connect_db() | add-user.js:43:9:43:25 | db |
| add-user.js:44:16:44:17 | db | add-user.js:31:21:31:22 | db |
| add-user.js:44:16:44:17 | db | add-user.js:31:21:31:22 | db |
| add-user.js:44:16:44:17 | db | add-user.js:31:21:31:22 | db |
#select
| add-user.js:35:5:35:6 | db | add-user.js:16:16:26:10 | new sql ... }) | add-user.js:35:5:35:6 | db | Database originating $@ | add-user.js:16:16:26:10 | new sql ... }) | here |

1
tests/IdentifyFlowSink/IdentifyFlowSink.qlref Normal file
View File

@@ -0,0 +1 @@
IdentifyFlowSink.ql

47
tests/IdentifyFlowSink/add-user.js Normal file
View File

@@ -0,0 +1,47 @@
function get_user_info() {
var fs = require("fs");
var stdinBuffer = fs.readFileSync(process.stdin.fd);
var line = stdinBuffer.toString();
console.log(line);
line = line.replace(/(\r\n|\n|\r)/gm, "");
return line
}
function get_new_id() {
return Math.floor(Math.random() * 12345);
}
function connect_db() {
const sqlite3 = require('sqlite3').verbose();
const db = new sqlite3.Database(
'users.sqlite',
sqlite3.OPEN_READWRITE | sqlite3.OPEN_FULLMUTEX,
err => {
if (err){
console.log(err);
throw err;
} else {
console.log('DB opened');
}
});
return db;
}
function write_info(db, id, info) {
db.serialize();
const query = `INSERT INTO users VALUES (${id}, "${info}")`;
console.log(query);
db.exec(query);
db.close();
}
let add_user = () => {
console.log("Running add-user");
var info = get_user_info();
var id = get_new_id();
var db = connect_db();
write_info(db, id, info);
}
add_user()