hohn/codeql-javascript-multiflow
1
0
Fork 0
mirror of https://github.com/hohn/codeql-javascript-multiflow.git synced 2025-12-16 12:03:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

Number tests and update test queries and expected values

Browse Source
This commit is contained in:
Michael Hohn
2023-12-01 13:42:37 -08:00
committed by =Michael Hohn
parent d4c477a0ed
commit 9565629463
24 changed files with 22 additions and 111 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
solutions/UltimateSource.ql → solutions/01-UltimateSource.ql
View File

8
solutions/UltimateSink.ql → solutions/02-UltimateSink.ql
View File

@@ -11,10 +11,10 @@ predicate uSource(MethodCallExpr sbts) {
// Ultimate sink
// ----------------
// db.exec(query);
predicate uSink(MethodCallExpr dbe) {
// sbts.getReceiver().(DotExpr).getPropertyNameExpr().(Identifier).getName() = "toString"
dbe.getMethodName().matches("%exec%")
}
// predicate uSink(MethodCallExpr dbe) {
// // sbts.getReceiver().(DotExpr).getPropertyNameExpr().(Identifier).getName() = "toString"
// dbe.getMethodName().matches("%exec%")
// }
// Intermediate flow sink

8
solutions/IdentifyFlowSink.ql → solutions/03-IdentifyFlowSink.ql
View File

@@ -8,12 +8,12 @@ import DataFlow::PathGraph
// Ultimate source
// ----------------
// var line = stdinBuffer.toString();
predicate uSource(MethodCallExpr sbts) { sbts.getMethodName().matches("%toString%") }
// predicate uSource(MethodCallExpr sbts) { sbts.getMethodName().matches("%toString%") }
// Ultimate sink
// ----------------
// db.exec(query);
predicate uSink(MethodCallExpr dbe) { dbe.getMethodName().matches("%exec%") }
// predicate uSink(MethodCallExpr dbe) { dbe.getMethodName().matches("%exec%") }
// Flow sink origin
// ------------------------
@@ -29,7 +29,7 @@ class FlowSinkOrigin extends DataFlow::FlowLabel {
class IdentifyFlowSink extends DataFlow::Configuration {
IdentifyFlowSink() { this = "IdentifyFlowSink" }
override predicate isSource(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
override predicate isSource(DataFlow::Node nd) {
// const db = new sqlite3.Database(
exists(NewExpr newdb |
newdb.getCalleeName() = "Database" and
@@ -37,7 +37,7 @@ class IdentifyFlowSink extends DataFlow::Configuration {
)
}
override predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
override predicate isSink(DataFlow::Node nd) {
// db.exec(query);
exists(Expr db, MethodCallExpr exec |
exec.getMethodName() = "exec" and

0
solutions/AnySqlInjection.ql → solutions/04-AnySqlInjection.ql
View File

0
solutions/RestrictedSqlInjection.ql → solutions/05-RestrictedSqlInjection.ql
View File

0
solutions/RestrictedSqlInjectionViaTT.ql → solutions/06-RestrictedSqlInjectionViaTT.ql
View File

6
solutions/DefUseSample.ql → solutions/07-DefUseSample.ql
View File

@@ -50,9 +50,9 @@ DotExpr updateExpression() { result.getPropertyName() = "update" }
VarRef recordUpdate() { result = updateExpression().getBase() }
// var ua = new GR('status'); //: source 2
class GR extends NewExpr {
GR() { this.getCalleeName() = "GR" }
}
// class GR extends NewExpr {
// GR() { this.getCalleeName() = "GR" }
// }
class FromRequestToGrUpdate extends TaintTracking::Configuration {
FromRequestToGrUpdate() { this = "FromRequestToGrUpdate" }

18
solutions/PreGuardRecursivePredicate.ql → solutions/08-PreGuardRecursivePredicate.ql
View File

@@ -53,24 +53,6 @@ predicate setValueTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
)
}
predicate foo(VarAccess gr, VarAccess postgr) {
exists(DotExpr temp, MethodCallExpr mce |
temp.getPropertyName() = "setValue" and
mce.getReceiver() = temp.getBase() and
gr = mce.getReceiver() and
gr.getASuccessor+() = postgr
)
}
predicate foo1(Expr gr, Expr postgr) {
exists(DotExpr temp, MethodCallExpr mce |
temp.getPropertyName() = "setValue" and
mce.getReceiver() = temp.getBase() and
gr = mce.getReceiver() and
recursiveSuccessor(gr, postgr)
)
}
// Def-Use special handling:
// Include sanitizer check when flagging successive object member calls in taint step
predicate recursiveSuccessor(ControlFlowNode gr, ControlFlowNode postgr) {

27
solutions/GuardedSafeToWrite.ql → solutions/09-GuardedSafeToWrite.ql
View File

@@ -72,33 +72,6 @@ predicate sanitizerCheckedSuccessor(ControlFlowNode gr, ControlFlowNode postgr)
// recursion we need to be able to traverse expressions.
}
predicate foo(VarAccess gr, VarAccess postgr) {
exists(DotExpr temp, MethodCallExpr mce |
temp.getPropertyName() = "setValue" and
mce.getReceiver() = temp.getBase() and
gr = mce.getReceiver() and
gr.getASuccessor+() = postgr
)
}
predicate foo1(Expr gr, Expr postgr) {
exists(DotExpr temp, MethodCallExpr mce |
temp.getPropertyName() = "setValue" and
mce.getReceiver() = temp.getBase() and
gr = mce.getReceiver() and
recursiveSuccessor(gr, postgr)
)
}
predicate foo2(Expr gr, Expr postgr) {
exists(DotExpr temp, MethodCallExpr mce |
temp.getPropertyName() = "setValue" and
mce.getReceiver() = temp.getBase() and
gr = mce.getReceiver() and
sanitizerCheckedSuccessor(gr, postgr)
)
}
predicate inSafeToWrite(ControlFlowNode p) {
exists(
// DotExpr temp, MethodCallExpr mce,