hohn/codeql-javascript-multiflow
1
0
Fork 0
mirror of https://github.com/hohn/codeql-javascript-multiflow.git synced 2025-12-16 12:03:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add ultimate sink predicate

Browse Source
This commit is contained in:
Michael Hohn
2023-11-26 13:22:58 -08:00
committed by =Michael Hohn
parent 5b294a18c8
commit 529f61a1cc
6 changed files with 98 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
README.org
View File

@@ -60,7 +60,6 @@
#+END_SRC #+END_SRC
5. (recommended for browsing) Install the codeql standard library matching the 5. (recommended for browsing) Install the codeql standard library matching the
binary version. This is not needed to write or run queries anymore, but the binary version. This is not needed to write or run queries anymore, but the
library has many examples and searching it is much easier after extracting library has many examples and searching it is much easier after extracting

5
session/session.ql
View File

@@ -11,6 +11,11 @@ predicate uSource(MethodCallExpr sbts) {
// Ultimate sink // Ultimate sink
// ---------------- // ----------------
// db.exec(query); // db.exec(query);
predicate uSink(MethodCallExpr dbe) {
// sbts.getReceiver().(DotExpr).getPropertyNameExpr().(Identifier).getName() = "toString"
dbe.getMethodName().matches("%exec%")
}
// Intermediate flow sink // Intermediate flow sink
// ------------------------ // ------------------------

43
solutions/UltimateSink.ql Normal file
View File

@@ -0,0 +1,43 @@
import javascript
// Ultimate source
// ----------------
// var line = stdinBuffer.toString();
predicate uSource(MethodCallExpr sbts) {
// sbts.getReceiver().(DotExpr).getPropertyNameExpr().(Identifier).getName() = "toString"
sbts.getMethodName().matches("%toString%")
}
// Ultimate sink
// ----------------
// db.exec(query);
predicate uSink(MethodCallExpr dbe) {
// sbts.getReceiver().(DotExpr).getPropertyNameExpr().(Identifier).getName() = "toString"
dbe.getMethodName().matches("%exec%")
}
// Intermediate flow sink
// ------------------------
// Connect
// const db = new sqlite3.Database(
// to its use
// db.exec(query);
//
// class IntermediateSink extends DataFlow::Configuration {
// IntermediateSink() { this = "IntermediateSink" }
// override predicate isSource(DataFlow::Node nd) {
// exists(JsonParserCall jpc | nd = jpc.getOutput())
// }
// override predicate isSink(DataFlow::Node nd) { exists(DataFlow::PropRef pr | nd = pr.getBase()) }
// }
// from IntermediateSink cfg, DataFlow::Node source, DataFlow::Node sink
// where cfg.hasFlow(source, sink)
// select sink, "Property access on JSON value originating $@.", source, "here"
from MethodCallExpr sbts
where uSource(sbts)
select sbts

2
tests/UltimateSink/UltimateSink.expected Normal file
View File

@@ -0,0 +1,2 @@
WARNING: Unused predicate uSink (/Users/hohn/local/codeql-javascript-multiflow/solutions/UltimateSink.ql:14,11-16)
| add-user.js:4:16:4:37 | stdinBu ... tring() |

1
tests/UltimateSink/UltimateSink.qlref Normal file
View File

@@ -0,0 +1 @@
UltimateSink.ql

47
tests/UltimateSink/add-user.js Normal file
View File

@@ -0,0 +1,47 @@
function get_user_info() {
var fs = require("fs");
var stdinBuffer = fs.readFileSync(process.stdin.fd);
var line = stdinBuffer.toString();
console.log(line);
line = line.replace(/(\r\n|\n|\r)/gm, "");
return line
}
function get_new_id() {
return Math.floor(Math.random() * 12345);
}
function connect_db() {
const sqlite3 = require('sqlite3').verbose();
const db = new sqlite3.Database(
'users.sqlite',
sqlite3.OPEN_READWRITE | sqlite3.OPEN_FULLMUTEX,
err => {
if (err){
console.log(err);
throw err;
} else {
console.log('DB opened');
}
});
return db;
}
function write_info(db, id, info) {
db.serialize();
const query = `INSERT INTO users VALUES (${id}, "${info}")`;
console.log(query);
db.exec(query);
db.close();
}
let add_user = () => {
console.log("Running add-user");
var info = get_user_info();
var id = get_new_id();
var db = connect_db();
write_info(db, id, info);
}
add_user()