minor cleanup

Michael Hohn
2023-11-28 16:47:52 -08:00
committed by =Michael Hohn
parent 8cdb8ef0dd
commit 60ee4295b2


@@ -10,12 +10,13 @@ import javascript
import DataFlow::PathGraph import DataFlow::PathGraph
// Flow to consider: // Flow to consider:
//
// var value = this.getParameter('value'); //: source 1 // var value = this.getParameter('value'); //: source 1
// var ua = new GR('status'); //: source 2 // var ua = new GR('status'); //: source 2
// ua.setValue('status',value); //: taint step // ua.setValue('status',value); //: taint step
// ua.update(); //: sink (if from source 2) // ua.update(); //: sink (if from source 2)
// var value = this.getParameter('value'); //: source 1
// var value = this.getParameter('value'); //: source 1
class ParameterSource extends CallExpr { class ParameterSource extends CallExpr {
ParameterSource() { ParameterSource() {
exists(Expr inst | exists(Expr inst |
@@ -27,11 +28,12 @@ class ParameterSource extends CallExpr {
// ua.setValue('status',value); //: taint step // ua.setValue('status',value); //: taint step
predicate setValueTaintStep(DataFlow::Node pred, DataFlow::Node succ) { predicate setValueTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(DotExpr temp, MethodCallExpr mce, VarAccess gr, VarAccess postgr| exists(DotExpr temp, MethodCallExpr mce, VarAccess gr, VarAccess postgr |
temp.getPropertyName() = "setValue" and temp.getPropertyName() = "setValue" and
mce.getReceiver() = temp.getBase() and mce.getReceiver() = temp.getBase() and
gr = mce.getReceiver() and gr = mce.getReceiver() and
pred.asExpr() = mce.getArgument(1) and pred.asExpr() = mce.getArgument(1) and
//
// Taint all accesses after setValue call. // Taint all accesses after setValue call.
// Trying data flow, this would be: // Trying data flow, this would be:
// succ = gr.flow().getASuccessor+() and // succ = gr.flow().getASuccessor+() and
@@ -40,14 +42,6 @@ predicate setValueTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
gr.getASuccessor+() = postgr and gr.getASuccessor+() = postgr and
succ.asExpr() = postgr succ.asExpr() = postgr
) )
}
VarRef methodCalled(string name) {
exists(DotExpr temp |
temp.getPropertyName() = name and
result = temp.getBase()
)
} }
// ua.update(); //: sink (if from source 2) // ua.update(); //: sink (if from source 2)
@@ -82,4 +76,5 @@ class FromRequestToGrUpdate extends TaintTracking::Configuration {
from FromRequestToGrUpdate dataflow, DataFlow::PathNode source, DataFlow::PathNode sink from FromRequestToGrUpdate dataflow, DataFlow::PathNode source, DataFlow::PathNode sink
where dataflow.hasFlowPath(source, sink) where dataflow.hasFlowPath(source, sink)
select sink, source, sink, "Data flow from $@ to $@.", source, source.toString(), sink, sink.toString() select sink, source, sink, "Data flow from $@ to $@.", source, source.toString(), sink,
sink.toString()
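Review bot: In `setValueTaintStep`, the lines shown bind `postgr` only through `gr.getASuccessor+() = postgr`, so every variable access reachable in control flow after the `setValue` call becomes a taint successor, not just later uses of the same record variable. Two lines of the predicate fall between the second and third hunks and are not shown, so this may already be constrained there. If it is not, adding `postgr.getVariable() = gr.getVariable() and` would limit the step to the receiver and cut spurious paths to unrelated `update()` sinks, which otherwise bury the real findings. Separately, because `temp.getBase()` is the call's receiver, `temp` can probably be dropped in favour of `mce.getMethodName() = "setValue"`.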