From 1bc71c068fc756de63873fe6569c8f15a33c1f01 Mon Sep 17 00:00:00 2001 From: Michael Hohn Date: Wed, 29 Nov 2023 15:21:59 -0800 Subject: [PATCH] Include second type-tracker based dataflow check --- session/session1.ql | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/session/session1.ql b/session/session1.ql index 0c97167..32d599c 100644 --- a/session/session1.ql +++ b/session/session1.ql @@ -8,6 +8,7 @@ import javascript // XX: debug flow query // import semmle.javascript.explore.ForwardDataFlow import DataFlow::PathGraph +import DataFlow as DF // Flow to consider: // @@ -15,7 +16,7 @@ import DataFlow::PathGraph // var ua = new GR('status'); //: source 2 // ua.setValue('status',value); //: taint step // ua.update(); //: sink (if from source 2) - +// // var value = this.getParameter('value'); //: source 1 class ParameterSource extends CallExpr { ParameterSource() { @@ -44,6 +45,16 @@ predicate setValueTaintStep(DataFlow::Node pred, DataFlow::Node succ) { ) } +// source 2 to sink flow +DF::SourceNode grType(DF::TypeTracker t) { + t.start() and + exists(GR gr | result.asExpr() = gr) + or + exists(DF::TypeTracker t2 | result = grType(t2).track(t2, t)) +} + +DF::SourceNode grType() { result = grType(DF::TypeTracker::end()) } + // ua.update(); //: sink (if from source 2) DotExpr updateExpression() { result.getPropertyName() = "update" } @@ -54,6 +65,7 @@ class GR extends NewExpr { GR() { this.getCalleeName() = "GR" } } +// The global flow configuration class FromRequestToGrUpdate extends TaintTracking::Configuration { FromRequestToGrUpdate() { this = "FromRequestToGrUpdate" } @@ -69,7 +81,9 @@ class FromRequestToGrUpdate extends TaintTracking::Configuration { exists(VarRef grUpdate | sink.asExpr() = recordUpdate() and grUpdate = sink.asExpr() and - grUpdate.getName() = "ua" + grUpdate.getName() = "ua" and + // It's only a sink if it connects to source 2 + grUpdate.flow().getALocalSource() = grType() ) } }