From 9565629463eee780c643b6e8b52c392bf9c2f476 Mon Sep 17 00:00:00 2001 
From: Michael Hohn
Date: Fri, 1 Dec 2023 13:42:37 -0800
Subject: [PATCH] Number tests and update test queries and expected values
---
 js-sqli.code-workspace | 3 +-
 ...UltimateSource.ql => 01-UltimateSource.ql} | 0
 .../{UltimateSink.ql => 02-UltimateSink.ql} | 8 ++--
 ...tifyFlowSink.ql => 03-IdentifyFlowSink.ql} | 8 ++--
 ...ySqlInjection.ql => 04-AnySqlInjection.ql} | 0
 ...ection.ql => 05-RestrictedSqlInjection.ql} | 0
 ...T.ql => 06-RestrictedSqlInjectionViaTT.ql} | 0
 .../{DefUseSample.ql => 07-DefUseSample.ql} | 6 +-
 ...te.ql => 08-PreGuardRecursivePredicate.ql} | 18 --------
 ...afeToWrite.ql => 09-GuardedSafeToWrite.ql} | 27 -------------
 tests/AnySqlInjection/AnySqlInjection.qlref | 2 +-
 tests/DefUseSample/DefUseSample.expected | 1 -
 tests/DefUseSample/DefUseSample.qlref | 2 +-
 .../GuardedSafeToWrite.expected | 3 --
 .../GuardedSafeToWrite.qlref | 2 +-
 .../IdentifyFlowSink.expected | 38 -------------------
 tests/IdentifyFlowSink/IdentifyFlowSink.qlref | 2 +-
 .../PreGuardRecursivePredicate.expected | 2 -
 .../PreGuardRecursivePredicate.qlref | 2 +-
 .../RestrictedSqlInjection.qlref | 2 +-
 .../RestrictedSqlInjectionViaTT.qlref | 2 +-
 tests/UltimateSink/UltimateSink.expected | 1 -
 tests/UltimateSink/UltimateSink.qlref | 2 +-
 tests/UltimateSource/UltimateSource.qlref | 2 +-
 24 files changed, 22 insertions(+), 111 deletions(-)
 rename solutions/{UltimateSource.ql => 01-UltimateSource.ql} (100%)
 rename solutions/{UltimateSink.ql => 02-UltimateSink.ql} (84%)
 rename solutions/{IdentifyFlowSink.ql => 03-IdentifyFlowSink.ql} (77%)
 rename solutions/{AnySqlInjection.ql => 04-AnySqlInjection.ql} (100%)
 rename solutions/{RestrictedSqlInjection.ql => 05-RestrictedSqlInjection.ql} (100%)
 rename solutions/{RestrictedSqlInjectionViaTT.ql => 06-RestrictedSqlInjectionViaTT.ql} (100%)
 rename solutions/{DefUseSample.ql => 07-DefUseSample.ql} (96%)
 rename solutions/{PreGuardRecursivePredicate.ql => 08-PreGuardRecursivePredicate.ql} (88%)
 rename solutions/{GuardedSafeToWrite.ql =>
09-GuardedSafeToWrite.ql} (87%)
diff --git a/js-sqli.code-workspace b/js-sqli.code-workspace
index 162d985..0bb8bc6 100644
--- a/js-sqli.code-workspace
+++ b/js-sqli.code-workspace
@@ -5,6 +5,7 @@
 }
 ],
 "settings": {
- "git.ignoreLimitWarning": true
+ "git.ignoreLimitWarning": true,
+ "sarif-viewer.connectToGithubCodeScanning": "off"
 }
 }
diff --git a/solutions/UltimateSource.ql b/solutions/01-UltimateSource.ql
similarity index 100%
rename from solutions/UltimateSource.ql
rename to solutions/01-UltimateSource.ql
diff --git a/solutions/UltimateSink.ql b/solutions/02-UltimateSink.ql
similarity index 84%
rename from solutions/UltimateSink.ql
rename to solutions/02-UltimateSink.ql
index 176edee..b375c27 100644
--- a/solutions/UltimateSink.ql
+++ b/solutions/02-UltimateSink.ql
@@ -11,10 +11,10 @@ predicate uSource(MethodCallExpr sbts) {
 // Ultimate sink
 // ----------------
 // db.exec(query);
-predicate uSink(MethodCallExpr dbe) {
- // sbts.getReceiver().(DotExpr).getPropertyNameExpr().(Identifier).getName() = "toString"
- dbe.getMethodName().matches("%exec%")
-}
+// predicate uSink(MethodCallExpr dbe) {
+// // sbts.getReceiver().(DotExpr).getPropertyNameExpr().(Identifier).getName() = "toString"
+// dbe.getMethodName().matches("%exec%")
+// }
 // Intermediate flow sink
diff --git a/solutions/IdentifyFlowSink.ql b/solutions/03-IdentifyFlowSink.ql
similarity index 77%
rename from solutions/IdentifyFlowSink.ql
rename to solutions/03-IdentifyFlowSink.ql
index e9ad544..d9f4c71 100644
--- a/solutions/IdentifyFlowSink.ql
+++ b/solutions/03-IdentifyFlowSink.ql
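Review bot: Commenting out `uSink` instead of deleting it leaves dead code in 02-UltimateSink.ql under a `// Ultimate sink` section header that no longer introduces anything live, and the nested `// sbts.getReceiver()...toString` remark (which refers to the source predicate's variable, not `dbe`) is now doubly commented. The same pattern appears in 03-IdentifyFlowSink.ql (`uSource`, `uSink`) and 07-DefUseSample.ql (`class GR`), whereas 08-PreGuardRecursivePredicate.ql and 09-GuardedSafeToWrite.ql delete their unused `foo*` predicates outright in the same commit, so the commit is inconsistent with itself. Deleting the block is the consistent choice since git keeps the history; if it is kept on purpose as a workshop reference, say so in one line, e.g. `// Kept for reference only; the live sink is the isSink override in 03-IdentifyFlowSink.ql`.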
@@ -8,12 +8,12 @@ import DataFlow::PathGraph
 // Ultimate source
 // ----------------
 // var line = stdinBuffer.toString();
-predicate uSource(MethodCallExpr sbts) { sbts.getMethodName().matches("%toString%") }
+// predicate uSource(MethodCallExpr sbts) { sbts.getMethodName().matches("%toString%") }
 // Ultimate sink
 // ----------------
 // db.exec(query);
-predicate uSink(MethodCallExpr dbe) { dbe.getMethodName().matches("%exec%") }
+// predicate uSink(MethodCallExpr dbe) { dbe.getMethodName().matches("%exec%") }
 // Flow sink origin
 // ------------------------
@@ -29,7 +29,7 @@ class FlowSinkOrigin extends DataFlow::FlowLabel {
 class IdentifyFlowSink extends DataFlow::Configuration {
 IdentifyFlowSink() { this = "IdentifyFlowSink" }
- override predicate isSource(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
+ override predicate isSource(DataFlow::Node nd) {
 // const db = new sqlite3.Database(
 exists(NewExpr newdb |
 newdb.getCalleeName() = "Database" and
@@ -37,7 +37,7 @@ class IdentifyFlowSink extends DataFlow::Configuration {
 )
 }
- override predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
+ override predicate isSink(DataFlow::Node nd) {
 // db.exec(query);
 exists(Expr db, MethodCallExpr exec |
 exec.getMethodName() = "exec" and
diff --git a/solutions/AnySqlInjection.ql b/solutions/04-AnySqlInjection.ql
similarity index 100%
rename from solutions/AnySqlInjection.ql
rename to solutions/04-AnySqlInjection.ql
diff --git a/solutions/RestrictedSqlInjection.ql b/solutions/05-RestrictedSqlInjection.ql
similarity index 100%
rename from solutions/RestrictedSqlInjection.ql
rename to solutions/05-RestrictedSqlInjection.ql
diff --git a/solutions/RestrictedSqlInjectionViaTT.ql b/solutions/06-RestrictedSqlInjectionViaTT.ql
similarity index 100%
rename from solutions/RestrictedSqlInjectionViaTT.ql
rename to solutions/06-RestrictedSqlInjectionViaTT.ql
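Review bot: The `FlowSinkOrigin` flow label shown in the `@@ -29,7` hunk header appears to be left without a consumer once `isSource` and `isSink` lose their `DataFlow::FlowLabel lbl` parameter (hunks at -29 and -37), because an unlabeled configuration never selects or propagates labels; if nothing else in the file references it, it now contributes nothing and should be deleted or marked with a comment such as `// FlowSinkOrigin is defined for a later step; this configuration is deliberately unlabeled`. The collapse of duplicated node and edge rows in tests/IdentifyFlowSink/IdentifyFlowSink.expected is the observable consequence of this signature change and is worth stating in the commit message, whose title only mentions numbering. Both override bodies continue outside the hunks.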
diff --git a/solutions/DefUseSample.ql b/solutions/07-DefUseSample.ql
similarity index 96%
rename from solutions/DefUseSample.ql
rename to solutions/07-DefUseSample.ql
index 0c97167..892754c 100644
--- a/solutions/DefUseSample.ql
+++ b/solutions/07-DefUseSample.ql
@@ -50,9 +50,9 @@ DotExpr updateExpression() { result.getPropertyName() = "update" }
 VarRef recordUpdate() { result = updateExpression().getBase() }
 // var ua = new GR('status'); //: source 2
-class GR extends NewExpr {
- GR() { this.getCalleeName() = "GR" }
-}
+// class GR extends NewExpr {
+// GR() { this.getCalleeName() = "GR" }
+// }
 class FromRequestToGrUpdate extends TaintTracking::Configuration {
 FromRequestToGrUpdate() { this = "FromRequestToGrUpdate" }
diff --git a/solutions/PreGuardRecursivePredicate.ql b/solutions/08-PreGuardRecursivePredicate.ql
similarity index 88%
rename from solutions/PreGuardRecursivePredicate.ql
rename to solutions/08-PreGuardRecursivePredicate.ql
index 235055d..fde78da 100644
--- a/solutions/PreGuardRecursivePredicate.ql
+++ b/solutions/08-PreGuardRecursivePredicate.ql
@@ -53,24 +53,6 @@ predicate setValueTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
 )
 }
-predicate foo(VarAccess gr, VarAccess postgr) {
- exists(DotExpr temp, MethodCallExpr mce |
- temp.getPropertyName() = "setValue" and
- mce.getReceiver() = temp.getBase() and
- gr = mce.getReceiver() and
- gr.getASuccessor+() = postgr
- )
-}
-
-predicate foo1(Expr gr, Expr postgr) {
- exists(DotExpr temp, MethodCallExpr mce |
- temp.getPropertyName() = "setValue" and
- mce.getReceiver() = temp.getBase() and
- gr = mce.getReceiver() and
- recursiveSuccessor(gr, postgr)
- )
-}
-
 // Def-Use special handling:
 // Include sanitizer check when flagging successive object member calls in taint step
 predicate recursiveSuccessor(ControlFlowNode gr, ControlFlowNode postgr) {
diff --git a/solutions/GuardedSafeToWrite.ql b/solutions/09-GuardedSafeToWrite.ql
similarity index 87%
rename from solutions/GuardedSafeToWrite.ql
rename to solutions/09-GuardedSafeToWrite.ql
index 3c4a052..02be83e 100644
--- a/solutions/GuardedSafeToWrite.ql
+++ b/solutions/09-GuardedSafeToWrite.ql
@@ -72,33 +72,6 @@ predicate sanitizerCheckedSuccessor(ControlFlowNode gr, ControlFlowNode postgr)
 // recursion we need to be able to traverse expressions.
 }
-predicate foo(VarAccess gr, VarAccess postgr) {
- exists(DotExpr temp, MethodCallExpr mce |
- temp.getPropertyName() = "setValue" and
- mce.getReceiver() = temp.getBase() and
- gr = mce.getReceiver() and
- gr.getASuccessor+() = postgr
- )
-}
-
-predicate foo1(Expr gr, Expr postgr) {
- exists(DotExpr temp, MethodCallExpr mce |
- temp.getPropertyName() = "setValue" and
- mce.getReceiver() = temp.getBase() and
- gr = mce.getReceiver() and
- recursiveSuccessor(gr, postgr)
- )
-}
-
-predicate foo2(Expr gr, Expr postgr) {
- exists(DotExpr temp, MethodCallExpr mce |
- temp.getPropertyName() = "setValue" and
- mce.getReceiver() = temp.getBase() and
- gr = mce.getReceiver() and
- sanitizerCheckedSuccessor(gr, postgr)
- )
-}
-
 predicate inSafeToWrite(ControlFlowNode p) {
 exists(
 // DotExpr temp, MethodCallExpr mce,
diff --git a/tests/AnySqlInjection/AnySqlInjection.qlref b/tests/AnySqlInjection/AnySqlInjection.qlref
index ba680c8..9883df9 100644
--- a/tests/AnySqlInjection/AnySqlInjection.qlref
+++ b/tests/AnySqlInjection/AnySqlInjection.qlref
@@ -1 +1 @@
-AnySqlInjection.ql
+04-AnySqlInjection.ql
diff --git a/tests/DefUseSample/DefUseSample.expected b/tests/DefUseSample/DefUseSample.expected
index 1acd7c2..e7e0c2c 100644
--- a/tests/DefUseSample/DefUseSample.expected
+++ b/tests/DefUseSample/DefUseSample.expected
@@ -1,4 +1,3 @@
-WARNING: Unused class GR (/Users/hohn/local/codeql-javascript-multiflow/solutions/DefUseSample.ql:53,7-9)
 nodes
 | sample-utility-0.js:5:6:5:39 | value |
 | sample-utility-0.js:5:14:5:39 | this.ge ... value') |
diff --git a/tests/DefUseSample/DefUseSample.qlref b/tests/DefUseSample/DefUseSample.qlref
index 4f6df9c..588d1fd 100644
--- a/tests/DefUseSample/DefUseSample.qlref
+++ b/tests/DefUseSample/DefUseSample.qlref
@@ -1 +1 @@
-DefUseSample.ql
+07-DefUseSample.ql
diff --git a/tests/GuardedSafeToWrite/GuardedSafeToWrite.expected b/tests/GuardedSafeToWrite/GuardedSafeToWrite.expected
index e9660f6..0ab59d9 100644
--- a/tests/GuardedSafeToWrite/GuardedSafeToWrite.expected
+++ b/tests/GuardedSafeToWrite/GuardedSafeToWrite.expected
@@ -1,6 +1,3 @@
-WARNING: Unused predicate foo (/Users/hohn/local/codeql-javascript-multiflow/solutions/GuardedSafeToWrite.ql:75,11-14)
-WARNING: Unused predicate foo1 (/Users/hohn/local/codeql-javascript-multiflow/solutions/GuardedSafeToWrite.ql:84,11-15)
-WARNING: Unused predicate foo2 (/Users/hohn/local/codeql-javascript-multiflow/solutions/GuardedSafeToWrite.ql:93,11-15)
 nodes
 | sample-utility-0.js:5:13:5:46 | value |
 | sample-utility-0.js:5:21:5:46 | this.ge ... value') |
diff --git a/tests/GuardedSafeToWrite/GuardedSafeToWrite.qlref b/tests/GuardedSafeToWrite/GuardedSafeToWrite.qlref
index 615ea1b..d19a2ff 100644
--- a/tests/GuardedSafeToWrite/GuardedSafeToWrite.qlref
+++ b/tests/GuardedSafeToWrite/GuardedSafeToWrite.qlref
@@ -1 +1 @@
-GuardedSafeToWrite.ql
+09-GuardedSafeToWrite.ql
diff --git a/tests/IdentifyFlowSink/IdentifyFlowSink.expected b/tests/IdentifyFlowSink/IdentifyFlowSink.expected
index 8b09988..910807f 100644
--- a/tests/IdentifyFlowSink/IdentifyFlowSink.expected
+++ b/tests/IdentifyFlowSink/IdentifyFlowSink.expected
@@ -1,61 +1,23 @@ -WARNING: Unused predicate uSink (/Users/hohn/local/codeql-javascript-multiflow/solutions/IdentifyFlowSink.ql:16,11-16) -WARNING: Unused predicate uSource (/Users/hohn/local/codeql-javascript-multiflow/solutions/IdentifyFlowSink.ql:11,11-18) -WARNING: Unused variable lbl (/Users/hohn/local/codeql-javascript-multiflow/solutions/IdentifyFlowSink.ql:32,70-73) -WARNING: Unused variable lbl (/Users/hohn/local/codeql-javascript-multiflow/solutions/IdentifyFlowSink.ql:40,68-71) nodes | add-user.js:16:11:26:10 | db | -| add-user.js:16:11:26:10 | db | -| add-user.js:16:11:26:10 | db | -| add-user.js:16:16:26:10 | new sql ... }) | -| add-user.js:16:16:26:10 | new sql ... }) | | add-user.js:16:16:26:10 | new sql ... }) | | add-user.js:16:16:26:10 | new sql ... }) | | add-user.js:28:12:28:13 | db | -| add-user.js:28:12:28:13 | db | -| add-user.js:28:12:28:13 | db | -| add-user.js:31:21:31:22 | db | -| add-user.js:31:21:31:22 | db | | add-user.js:31:21:31:22 | db | | add-user.js:35:5:35:6 | db | | add-user.js:35:5:35:6 | db | -| add-user.js:35:5:35:6 | db | -| add-user.js:35:5:35:6 | db | -| add-user.js:43:9:43:25 | db | -| add-user.js:43:9:43:25 | db | | add-user.js:43:9:43:25 | db | | add-user.js:43:14:43:25 | connect_db() | -| add-user.js:43:14:43:25 | connect_db() | -| add-user.js:43:14:43:25 | connect_db() | -| add-user.js:44:16:44:17 | db | -| add-user.js:44:16:44:17 | db | | add-user.js:44:16:44:17 | db | edges | add-user.js:16:11:26:10 | db | add-user.js:28:12:28:13 | db | -| add-user.js:16:11:26:10 | db | add-user.js:28:12:28:13 | db | -| add-user.js:16:11:26:10 | db | add-user.js:28:12:28:13 | db | -| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db | -| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db | -| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db | -| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db | | add-user.js:16:16:26:10 | new sql ... 
}) | add-user.js:16:11:26:10 | db | | add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db | | add-user.js:28:12:28:13 | db | add-user.js:43:14:43:25 | connect_db() | -| add-user.js:28:12:28:13 | db | add-user.js:43:14:43:25 | connect_db() | -| add-user.js:28:12:28:13 | db | add-user.js:43:14:43:25 | connect_db() | -| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db | -| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db | -| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db | -| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db | | add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db | | add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db | | add-user.js:43:9:43:25 | db | add-user.js:44:16:44:17 | db | -| add-user.js:43:9:43:25 | db | add-user.js:44:16:44:17 | db | -| add-user.js:43:9:43:25 | db | add-user.js:44:16:44:17 | db | | add-user.js:43:14:43:25 | connect_db() | add-user.js:43:9:43:25 | db | -| add-user.js:43:14:43:25 | connect_db() | add-user.js:43:9:43:25 | db | -| add-user.js:43:14:43:25 | connect_db() | add-user.js:43:9:43:25 | db | -| add-user.js:44:16:44:17 | db | add-user.js:31:21:31:22 | db | -| add-user.js:44:16:44:17 | db | add-user.js:31:21:31:22 | db | | add-user.js:44:16:44:17 | db | add-user.js:31:21:31:22 | db | #select | add-user.js:35:5:35:6 | db | add-user.js:16:16:26:10 | new sql ... }) | add-user.js:35:5:35:6 | db | Database originating $@ | add-user.js:16:16:26:10 | new sql ... }) | here | diff --git a/tests/IdentifyFlowSink/IdentifyFlowSink.qlref b/tests/IdentifyFlowSink/IdentifyFlowSink.qlref index 2d2be1d..b8e8b79 100644 --- a/tests/IdentifyFlowSink/IdentifyFlowSink.qlref +++ b/tests/IdentifyFlowSink/IdentifyFlowSink.qlref @@ -1 +1 @@ -IdentifyFlowSink.ql +03-IdentifyFlowSink.ql diff --git a/tests/PreGuardRecursivePredicate/PreGuardRecursivePredicate.expected b/tests/PreGuardRecursivePredicate/PreGuardRecursivePredicate.expected index a26c709..6b31e96 100644 
--- a/tests/PreGuardRecursivePredicate/PreGuardRecursivePredicate.expected
+++ b/tests/PreGuardRecursivePredicate/PreGuardRecursivePredicate.expected
@@ -1,5 +1,3 @@
-WARNING: Unused predicate foo (/Users/hohn/local/codeql-javascript-multiflow/solutions/PreGuardRecursivePredicate.ql:56,11-14)
-WARNING: Unused predicate foo1 (/Users/hohn/local/codeql-javascript-multiflow/solutions/PreGuardRecursivePredicate.ql:65,11-15)
 nodes
 | sample-utility-0.js:5:13:5:46 | value |
 | sample-utility-0.js:5:21:5:46 | this.ge ... value') |
diff --git a/tests/PreGuardRecursivePredicate/PreGuardRecursivePredicate.qlref b/tests/PreGuardRecursivePredicate/PreGuardRecursivePredicate.qlref
index cd96ff0..7841127 100644
--- a/tests/PreGuardRecursivePredicate/PreGuardRecursivePredicate.qlref
+++ b/tests/PreGuardRecursivePredicate/PreGuardRecursivePredicate.qlref
@@ -1 +1 @@
-PreGuardRecursivePredicate.ql
+08-PreGuardRecursivePredicate.ql
diff --git a/tests/RestrictedSqlInjection/RestrictedSqlInjection.qlref b/tests/RestrictedSqlInjection/RestrictedSqlInjection.qlref
index 03d95e9..76dcd39 100644
--- a/tests/RestrictedSqlInjection/RestrictedSqlInjection.qlref
+++ b/tests/RestrictedSqlInjection/RestrictedSqlInjection.qlref
@@ -1 +1 @@
-RestrictedSqlInjection.ql
+05-RestrictedSqlInjection.ql
diff --git a/tests/RestrictedSqlInjectionViaTT/RestrictedSqlInjectionViaTT.qlref b/tests/RestrictedSqlInjectionViaTT/RestrictedSqlInjectionViaTT.qlref
index aaab83e..5540fa4 100644
--- a/tests/RestrictedSqlInjectionViaTT/RestrictedSqlInjectionViaTT.qlref
+++ b/tests/RestrictedSqlInjectionViaTT/RestrictedSqlInjectionViaTT.qlref
@@ -1 +1 @@
-RestrictedSqlInjectionViaTT.ql
+06-RestrictedSqlInjectionViaTT.ql
diff --git a/tests/UltimateSink/UltimateSink.expected b/tests/UltimateSink/UltimateSink.expected
index 0915bb4..796dcac 100644
--- a/tests/UltimateSink/UltimateSink.expected
+++ b/tests/UltimateSink/UltimateSink.expected
@@ -1,2 +1 @@
-WARNING: Unused predicate uSink (/Users/hohn/local/codeql-javascript-multiflow/solutions/UltimateSink.ql:14,11-16)
 | add-user.js:4:16:4:37 | stdinBu ... tring() |
diff --git a/tests/UltimateSink/UltimateSink.qlref b/tests/UltimateSink/UltimateSink.qlref
index 6b030de..22811e8 100644
--- a/tests/UltimateSink/UltimateSink.qlref
+++ b/tests/UltimateSink/UltimateSink.qlref
@@ -1 +1 @@
-UltimateSink.ql
+02-UltimateSink.ql
diff --git a/tests/UltimateSource/UltimateSource.qlref b/tests/UltimateSource/UltimateSource.qlref
index 3a57be9..9b8fbf7 100644
--- a/tests/UltimateSource/UltimateSource.qlref
+++ b/tests/UltimateSource/UltimateSource.qlref
@@ -1 +1 @@
-UltimateSource.ql
+01-UltimateSource.ql