hohn/codeql-javascript-multiflow
1
0
Fork 0
mirror of https://github.com/hohn/codeql-javascript-multiflow.git synced 2025-12-15 19:53:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

Number tests and update test queries and expected values

Browse Source
This commit is contained in:
Michael Hohn
2023-12-01 13:42:37 -08:00
committed by =Michael Hohn
parent d4c477a0ed
commit 9565629463
24 changed files with 22 additions and 111 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
js-sqli.code-workspace
View File

@@ -5,6 +5,7 @@
}
],
"settings": {
"git.ignoreLimitWarning": true
"git.ignoreLimitWarning": true,
"sarif-viewer.connectToGithubCodeScanning": "off"
}
}

0
solutions/UltimateSource.ql → solutions/01-UltimateSource.ql
View File

8
solutions/UltimateSink.ql → solutions/02-UltimateSink.ql
View File

@@ -11,10 +11,10 @@ predicate uSource(MethodCallExpr sbts) {
// Ultimate sink
// ----------------
// db.exec(query);
predicate uSink(MethodCallExpr dbe) {
// sbts.getReceiver().(DotExpr).getPropertyNameExpr().(Identifier).getName() = "toString"
dbe.getMethodName().matches("%exec%")
}
// predicate uSink(MethodCallExpr dbe) {
// // sbts.getReceiver().(DotExpr).getPropertyNameExpr().(Identifier).getName() = "toString"
// dbe.getMethodName().matches("%exec%")
// }
// Intermediate flow sink

8
solutions/IdentifyFlowSink.ql → solutions/03-IdentifyFlowSink.ql
View File

@@ -8,12 +8,12 @@ import DataFlow::PathGraph
// Ultimate source
// ----------------
// var line = stdinBuffer.toString();
predicate uSource(MethodCallExpr sbts) { sbts.getMethodName().matches("%toString%") }
// predicate uSource(MethodCallExpr sbts) { sbts.getMethodName().matches("%toString%") }
// Ultimate sink
// ----------------
// db.exec(query);
predicate uSink(MethodCallExpr dbe) { dbe.getMethodName().matches("%exec%") }
// predicate uSink(MethodCallExpr dbe) { dbe.getMethodName().matches("%exec%") }
// Flow sink origin
// ------------------------
@@ -29,7 +29,7 @@ class FlowSinkOrigin extends DataFlow::FlowLabel {
class IdentifyFlowSink extends DataFlow::Configuration {
IdentifyFlowSink() { this = "IdentifyFlowSink" }
override predicate isSource(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
override predicate isSource(DataFlow::Node nd) {
// const db = new sqlite3.Database(
exists(NewExpr newdb |
newdb.getCalleeName() = "Database" and
@@ -37,7 +37,7 @@ class IdentifyFlowSink extends DataFlow::Configuration {
)
}
override predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
override predicate isSink(DataFlow::Node nd) {
// db.exec(query);
exists(Expr db, MethodCallExpr exec |
exec.getMethodName() = "exec" and

0
solutions/AnySqlInjection.ql → solutions/04-AnySqlInjection.ql
View File

0
solutions/RestrictedSqlInjection.ql → solutions/05-RestrictedSqlInjection.ql
View File

0
solutions/RestrictedSqlInjectionViaTT.ql → solutions/06-RestrictedSqlInjectionViaTT.ql
View File

6
solutions/DefUseSample.ql → solutions/07-DefUseSample.ql
View File

@@ -50,9 +50,9 @@ DotExpr updateExpression() { result.getPropertyName() = "update" }
VarRef recordUpdate() { result = updateExpression().getBase() }
// var ua = new GR('status'); //: source 2
class GR extends NewExpr {
GR() { this.getCalleeName() = "GR" }
}
// class GR extends NewExpr {
// GR() { this.getCalleeName() = "GR" }
// }
class FromRequestToGrUpdate extends TaintTracking::Configuration {
FromRequestToGrUpdate() { this = "FromRequestToGrUpdate" }

18
solutions/PreGuardRecursivePredicate.ql → solutions/08-PreGuardRecursivePredicate.ql
View File

@@ -53,24 +53,6 @@ predicate setValueTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
)
}
predicate foo(VarAccess gr, VarAccess postgr) {
exists(DotExpr temp, MethodCallExpr mce |
temp.getPropertyName() = "setValue" and
mce.getReceiver() = temp.getBase() and
gr = mce.getReceiver() and
gr.getASuccessor+() = postgr
)
}
predicate foo1(Expr gr, Expr postgr) {
exists(DotExpr temp, MethodCallExpr mce |
temp.getPropertyName() = "setValue" and
mce.getReceiver() = temp.getBase() and
gr = mce.getReceiver() and
recursiveSuccessor(gr, postgr)
)
}
// Def-Use special handling:
// Include sanitizer check when flagging successive object member calls in taint step
predicate recursiveSuccessor(ControlFlowNode gr, ControlFlowNode postgr) {

27
solutions/GuardedSafeToWrite.ql → solutions/09-GuardedSafeToWrite.ql
View File

@@ -72,33 +72,6 @@ predicate sanitizerCheckedSuccessor(ControlFlowNode gr, ControlFlowNode postgr)
// recursion we need to be able to traverse expressions.
}
predicate foo(VarAccess gr, VarAccess postgr) {
exists(DotExpr temp, MethodCallExpr mce |
temp.getPropertyName() = "setValue" and
mce.getReceiver() = temp.getBase() and
gr = mce.getReceiver() and
gr.getASuccessor+() = postgr
)
}
predicate foo1(Expr gr, Expr postgr) {
exists(DotExpr temp, MethodCallExpr mce |
temp.getPropertyName() = "setValue" and
mce.getReceiver() = temp.getBase() and
gr = mce.getReceiver() and
recursiveSuccessor(gr, postgr)
)
}
predicate foo2(Expr gr, Expr postgr) {
exists(DotExpr temp, MethodCallExpr mce |
temp.getPropertyName() = "setValue" and
mce.getReceiver() = temp.getBase() and
gr = mce.getReceiver() and
sanitizerCheckedSuccessor(gr, postgr)
)
}
predicate inSafeToWrite(ControlFlowNode p) {
exists(
// DotExpr temp, MethodCallExpr mce,

2
tests/AnySqlInjection/AnySqlInjection.qlref
View File

@@ -1 +1 @@
AnySqlInjection.ql
04-AnySqlInjection.ql

1
tests/DefUseSample/DefUseSample.expected
View File

@@ -1,4 +1,3 @@
WARNING: Unused class GR (/Users/hohn/local/codeql-javascript-multiflow/solutions/DefUseSample.ql:53,7-9)
nodes
| sample-utility-0.js:5:6:5:39 | value |
| sample-utility-0.js:5:14:5:39 | this.ge ... value') |

2
tests/DefUseSample/DefUseSample.qlref
View File

@@ -1 +1 @@
DefUseSample.ql
07-DefUseSample.ql

3
tests/GuardedSafeToWrite/GuardedSafeToWrite.expected
View File

@@ -1,6 +1,3 @@
WARNING: Unused predicate foo (/Users/hohn/local/codeql-javascript-multiflow/solutions/GuardedSafeToWrite.ql:75,11-14)
WARNING: Unused predicate foo1 (/Users/hohn/local/codeql-javascript-multiflow/solutions/GuardedSafeToWrite.ql:84,11-15)
WARNING: Unused predicate foo2 (/Users/hohn/local/codeql-javascript-multiflow/solutions/GuardedSafeToWrite.ql:93,11-15)
nodes
| sample-utility-0.js:5:13:5:46 | value |
| sample-utility-0.js:5:21:5:46 | this.ge ... value') |

2
tests/GuardedSafeToWrite/GuardedSafeToWrite.qlref
View File

@@ -1 +1 @@
GuardedSafeToWrite.ql
09-GuardedSafeToWrite.ql

38
tests/IdentifyFlowSink/IdentifyFlowSink.expected
View File

@@ -1,61 +1,23 @@
WARNING: Unused predicate uSink (/Users/hohn/local/codeql-javascript-multiflow/solutions/IdentifyFlowSink.ql:16,11-16)
WARNING: Unused predicate uSource (/Users/hohn/local/codeql-javascript-multiflow/solutions/IdentifyFlowSink.ql:11,11-18)
WARNING: Unused variable lbl (/Users/hohn/local/codeql-javascript-multiflow/solutions/IdentifyFlowSink.ql:32,70-73)
WARNING: Unused variable lbl (/Users/hohn/local/codeql-javascript-multiflow/solutions/IdentifyFlowSink.ql:40,68-71)
nodes
| add-user.js:16:11:26:10 | db |
| add-user.js:16:11:26:10 | db |
| add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) |
| add-user.js:16:16:26:10 | new sql ... }) |
| add-user.js:16:16:26:10 | new sql ... }) |
| add-user.js:16:16:26:10 | new sql ... }) |
| add-user.js:28:12:28:13 | db |
| add-user.js:28:12:28:13 | db |
| add-user.js:28:12:28:13 | db |
| add-user.js:31:21:31:22 | db |
| add-user.js:31:21:31:22 | db |
| add-user.js:31:21:31:22 | db |
| add-user.js:35:5:35:6 | db |
| add-user.js:35:5:35:6 | db |
| add-user.js:35:5:35:6 | db |
| add-user.js:35:5:35:6 | db |
| add-user.js:43:9:43:25 | db |
| add-user.js:43:9:43:25 | db |
| add-user.js:43:9:43:25 | db |
| add-user.js:43:14:43:25 | connect_db() |
| add-user.js:43:14:43:25 | connect_db() |
| add-user.js:43:14:43:25 | connect_db() |
| add-user.js:44:16:44:17 | db |
| add-user.js:44:16:44:17 | db |
| add-user.js:44:16:44:17 | db |
edges
| add-user.js:16:11:26:10 | db | add-user.js:28:12:28:13 | db |
| add-user.js:16:11:26:10 | db | add-user.js:28:12:28:13 | db |
| add-user.js:16:11:26:10 | db | add-user.js:28:12:28:13 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:28:12:28:13 | db | add-user.js:43:14:43:25 | connect_db() |
| add-user.js:28:12:28:13 | db | add-user.js:43:14:43:25 | connect_db() |
| add-user.js:28:12:28:13 | db | add-user.js:43:14:43:25 | connect_db() |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:43:9:43:25 | db | add-user.js:44:16:44:17 | db |
| add-user.js:43:9:43:25 | db | add-user.js:44:16:44:17 | db |
| add-user.js:43:9:43:25 | db | add-user.js:44:16:44:17 | db |
| add-user.js:43:14:43:25 | connect_db() | add-user.js:43:9:43:25 | db |
| add-user.js:43:14:43:25 | connect_db() | add-user.js:43:9:43:25 | db |
| add-user.js:43:14:43:25 | connect_db() | add-user.js:43:9:43:25 | db |
| add-user.js:44:16:44:17 | db | add-user.js:31:21:31:22 | db |
| add-user.js:44:16:44:17 | db | add-user.js:31:21:31:22 | db |
| add-user.js:44:16:44:17 | db | add-user.js:31:21:31:22 | db |
#select
| add-user.js:35:5:35:6 | db | add-user.js:16:16:26:10 | new sql ... }) | add-user.js:35:5:35:6 | db | Database originating $@ | add-user.js:16:16:26:10 | new sql ... }) | here |

2
tests/IdentifyFlowSink/IdentifyFlowSink.qlref
View File

@@ -1 +1 @@
IdentifyFlowSink.ql
03-IdentifyFlowSink.ql

2
tests/PreGuardRecursivePredicate/PreGuardRecursivePredicate.expected
View File

@@ -1,5 +1,3 @@
WARNING: Unused predicate foo (/Users/hohn/local/codeql-javascript-multiflow/solutions/PreGuardRecursivePredicate.ql:56,11-14)
WARNING: Unused predicate foo1 (/Users/hohn/local/codeql-javascript-multiflow/solutions/PreGuardRecursivePredicate.ql:65,11-15)
nodes
| sample-utility-0.js:5:13:5:46 | value |
| sample-utility-0.js:5:21:5:46 | this.ge ... value') |

2
tests/PreGuardRecursivePredicate/PreGuardRecursivePredicate.qlref
View File

@@ -1 +1 @@
PreGuardRecursivePredicate.ql
08-PreGuardRecursivePredicate.ql

2
tests/RestrictedSqlInjection/RestrictedSqlInjection.qlref
View File

@@ -1 +1 @@
RestrictedSqlInjection.ql
05-RestrictedSqlInjection.ql

2
tests/RestrictedSqlInjectionViaTT/RestrictedSqlInjectionViaTT.qlref
View File

@@ -1 +1 @@
RestrictedSqlInjectionViaTT.ql
06-RestrictedSqlInjectionViaTT.ql

1
tests/UltimateSink/UltimateSink.expected
View File

@@ -1,2 +1 @@
WARNING: Unused predicate uSink (/Users/hohn/local/codeql-javascript-multiflow/solutions/UltimateSink.ql:14,11-16)
| add-user.js:4:16:4:37 | stdinBu ... tring() |

2
tests/UltimateSink/UltimateSink.qlref
View File

@@ -1 +1 @@
UltimateSink.ql
02-UltimateSink.ql

2
tests/UltimateSource/UltimateSource.qlref
View File

@@ -1 +1 @@
UltimateSource.ql
01-UltimateSource.ql