Number tests and update test queries and expected values

Michael Hohn
2023-12-01 13:42:37 -08:00
committed by =Michael Hohn
parent d4c477a0ed
commit 9565629463
24 changed files with 22 additions and 111 deletions


@@ -5,6 +5,7 @@
} }
], ],
"settings": { "settings": {
"git.ignoreLimitWarning": true "git.ignoreLimitWarning": true,
"sarif-viewer.connectToGithubCodeScanning": "off"
} }
} }


@@ -11,10 +11,10 @@ predicate uSource(MethodCallExpr sbts) {
// Ultimate sink // Ultimate sink
// ---------------- // ----------------
// db.exec(query); // db.exec(query);
predicate uSink(MethodCallExpr dbe) { // predicate uSink(MethodCallExpr dbe) {
// sbts.getReceiver().(DotExpr).getPropertyNameExpr().(Identifier).getName() = "toString" // // sbts.getReceiver().(DotExpr).getPropertyNameExpr().(Identifier).getName() = "toString"
dbe.getMethodName().matches("%exec%") // dbe.getMethodName().matches("%exec%")
} // }
// Intermediate flow sink // Intermediate flow sink
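Review bot: `uSink` is commented out here rather than deleted, which leaves dead code behind just to silence the unused-predicate warning; the same is done to `uSource`/`uSink` in the IdentifyFlowSink hunk and to `class GR` in a later hunk, while `foo`/`foo1`/`foo2` are deleted outright elsewhere in this commit. Either delete these as well, or mark them as intentional reference material with a header such as `// Reference only (not used by this query): sink pattern for db.exec(query)`. If the predicate is ever restored, note that `matches("%exec%")` accepts any method whose name contains "exec", whereas the `isSink` in the IdentifyFlowSink hunk uses the exact `getMethodName() = "exec"`; the exact form avoids spurious sinks.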


@@ -8,12 +8,12 @@ import DataFlow::PathGraph
// Ultimate source // Ultimate source
// ---------------- // ----------------
// var line = stdinBuffer.toString(); // var line = stdinBuffer.toString();
predicate uSource(MethodCallExpr sbts) { sbts.getMethodName().matches("%toString%") } // predicate uSource(MethodCallExpr sbts) { sbts.getMethodName().matches("%toString%") }
// Ultimate sink // Ultimate sink
// ---------------- // ----------------
// db.exec(query); // db.exec(query);
predicate uSink(MethodCallExpr dbe) { dbe.getMethodName().matches("%exec%") } // predicate uSink(MethodCallExpr dbe) { dbe.getMethodName().matches("%exec%") }
// Flow sink origin // Flow sink origin
// ------------------------ // ------------------------
@@ -29,7 +29,7 @@ class FlowSinkOrigin extends DataFlow::FlowLabel {
class IdentifyFlowSink extends DataFlow::Configuration { class IdentifyFlowSink extends DataFlow::Configuration {
IdentifyFlowSink() { this = "IdentifyFlowSink" } IdentifyFlowSink() { this = "IdentifyFlowSink" }
override predicate isSource(DataFlow::Node nd, DataFlow::FlowLabel lbl) { override predicate isSource(DataFlow::Node nd) {
// const db = new sqlite3.Database( // const db = new sqlite3.Database(
exists(NewExpr newdb | exists(NewExpr newdb |
newdb.getCalleeName() = "Database" and newdb.getCalleeName() = "Database" and
@@ -37,7 +37,7 @@ class IdentifyFlowSink extends DataFlow::Configuration {
) )
} }
override predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) { override predicate isSink(DataFlow::Node nd) {
// db.exec(query); // db.exec(query);
exists(Expr db, MethodCallExpr exec | exists(Expr db, MethodCallExpr exec |
exec.getMethodName() = "exec" and exec.getMethodName() = "exec" and
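Review bot: With the `lbl` parameter dropped from `isSource` and `isSink`, nothing in the visible hunks ties this configuration to the `FlowSinkOrigin` label declared just above it (the class name shows in the hunk header), so it is worth checking whether that label still has a role. The old two-argument forms never constrained `lbl`, which presumably made both predicates hold for every flow label and produced the repeated rows removed from the expected output. A one-line comment such as `// No flow label: plain data flow from the Database constructor to the receiver of exec()` would record why the label-free form was chosen. If the label was meant to take part, the alternative is to keep the parameter and add `lbl instanceof FlowSinkOrigin and` to both bodies. Both predicate bodies continue outside the hunks.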


@@ -50,9 +50,9 @@ DotExpr updateExpression() { result.getPropertyName() = "update" }
VarRef recordUpdate() { result = updateExpression().getBase() } VarRef recordUpdate() { result = updateExpression().getBase() }
// var ua = new GR('status'); //: source 2 // var ua = new GR('status'); //: source 2
class GR extends NewExpr { // class GR extends NewExpr {
GR() { this.getCalleeName() = "GR" } // GR() { this.getCalleeName() = "GR" }
} // }
class FromRequestToGrUpdate extends TaintTracking::Configuration { class FromRequestToGrUpdate extends TaintTracking::Configuration {
FromRequestToGrUpdate() { this = "FromRequestToGrUpdate" } FromRequestToGrUpdate() { this = "FromRequestToGrUpdate" }


@@ -53,24 +53,6 @@ predicate setValueTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
) )
} }
predicate foo(VarAccess gr, VarAccess postgr) {
exists(DotExpr temp, MethodCallExpr mce |
temp.getPropertyName() = "setValue" and
mce.getReceiver() = temp.getBase() and
gr = mce.getReceiver() and
gr.getASuccessor+() = postgr
)
}
predicate foo1(Expr gr, Expr postgr) {
exists(DotExpr temp, MethodCallExpr mce |
temp.getPropertyName() = "setValue" and
mce.getReceiver() = temp.getBase() and
gr = mce.getReceiver() and
recursiveSuccessor(gr, postgr)
)
}
// Def-Use special handling: // Def-Use special handling:
// Include sanitizer check when flagging successive object member calls in taint step // Include sanitizer check when flagging successive object member calls in taint step
predicate recursiveSuccessor(ControlFlowNode gr, ControlFlowNode postgr) { predicate recursiveSuccessor(ControlFlowNode gr, ControlFlowNode postgr) {


@@ -72,33 +72,6 @@ predicate sanitizerCheckedSuccessor(ControlFlowNode gr, ControlFlowNode postgr)
// recursion we need to be able to traverse expressions. // recursion we need to be able to traverse expressions.
} }
predicate foo(VarAccess gr, VarAccess postgr) {
exists(DotExpr temp, MethodCallExpr mce |
temp.getPropertyName() = "setValue" and
mce.getReceiver() = temp.getBase() and
gr = mce.getReceiver() and
gr.getASuccessor+() = postgr
)
}
predicate foo1(Expr gr, Expr postgr) {
exists(DotExpr temp, MethodCallExpr mce |
temp.getPropertyName() = "setValue" and
mce.getReceiver() = temp.getBase() and
gr = mce.getReceiver() and
recursiveSuccessor(gr, postgr)
)
}
predicate foo2(Expr gr, Expr postgr) {
exists(DotExpr temp, MethodCallExpr mce |
temp.getPropertyName() = "setValue" and
mce.getReceiver() = temp.getBase() and
gr = mce.getReceiver() and
sanitizerCheckedSuccessor(gr, postgr)
)
}
predicate inSafeToWrite(ControlFlowNode p) { predicate inSafeToWrite(ControlFlowNode p) {
exists( exists(
// DotExpr temp, MethodCallExpr mce, // DotExpr temp, MethodCallExpr mce,


@@ -1 +1 @@
AnySqlInjection.ql 04-AnySqlInjection.ql


@@ -1,4 +1,3 @@
WARNING: Unused class GR (/Users/hohn/local/codeql-javascript-multiflow/solutions/DefUseSample.ql:53,7-9)
nodes nodes
| sample-utility-0.js:5:6:5:39 | value | | sample-utility-0.js:5:6:5:39 | value |
| sample-utility-0.js:5:14:5:39 | this.ge ... value') | | sample-utility-0.js:5:14:5:39 | this.ge ... value') |


@@ -1 +1 @@
DefUseSample.ql 07-DefUseSample.ql


@@ -1,6 +1,3 @@
WARNING: Unused predicate foo (/Users/hohn/local/codeql-javascript-multiflow/solutions/GuardedSafeToWrite.ql:75,11-14)
WARNING: Unused predicate foo1 (/Users/hohn/local/codeql-javascript-multiflow/solutions/GuardedSafeToWrite.ql:84,11-15)
WARNING: Unused predicate foo2 (/Users/hohn/local/codeql-javascript-multiflow/solutions/GuardedSafeToWrite.ql:93,11-15)
nodes nodes
| sample-utility-0.js:5:13:5:46 | value | | sample-utility-0.js:5:13:5:46 | value |
| sample-utility-0.js:5:21:5:46 | this.ge ... value') | | sample-utility-0.js:5:21:5:46 | this.ge ... value') |


@@ -1 +1 @@
GuardedSafeToWrite.ql 09-GuardedSafeToWrite.ql


@@ -1,61 +1,23 @@
WARNING: Unused predicate uSink (/Users/hohn/local/codeql-javascript-multiflow/solutions/IdentifyFlowSink.ql:16,11-16)
WARNING: Unused predicate uSource (/Users/hohn/local/codeql-javascript-multiflow/solutions/IdentifyFlowSink.ql:11,11-18)
WARNING: Unused variable lbl (/Users/hohn/local/codeql-javascript-multiflow/solutions/IdentifyFlowSink.ql:32,70-73)
WARNING: Unused variable lbl (/Users/hohn/local/codeql-javascript-multiflow/solutions/IdentifyFlowSink.ql:40,68-71)
nodes nodes
| add-user.js:16:11:26:10 | db | | add-user.js:16:11:26:10 | db |
| add-user.js:16:11:26:10 | db |
| add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) |
| add-user.js:16:16:26:10 | new sql ... }) |
| add-user.js:16:16:26:10 | new sql ... }) | | add-user.js:16:16:26:10 | new sql ... }) |
| add-user.js:16:16:26:10 | new sql ... }) | | add-user.js:16:16:26:10 | new sql ... }) |
| add-user.js:28:12:28:13 | db | | add-user.js:28:12:28:13 | db |
| add-user.js:28:12:28:13 | db |
| add-user.js:28:12:28:13 | db |
| add-user.js:31:21:31:22 | db |
| add-user.js:31:21:31:22 | db |
| add-user.js:31:21:31:22 | db | | add-user.js:31:21:31:22 | db |
| add-user.js:35:5:35:6 | db | | add-user.js:35:5:35:6 | db |
| add-user.js:35:5:35:6 | db | | add-user.js:35:5:35:6 | db |
| add-user.js:35:5:35:6 | db |
| add-user.js:35:5:35:6 | db |
| add-user.js:43:9:43:25 | db |
| add-user.js:43:9:43:25 | db |
| add-user.js:43:9:43:25 | db | | add-user.js:43:9:43:25 | db |
| add-user.js:43:14:43:25 | connect_db() | | add-user.js:43:14:43:25 | connect_db() |
| add-user.js:43:14:43:25 | connect_db() |
| add-user.js:43:14:43:25 | connect_db() |
| add-user.js:44:16:44:17 | db |
| add-user.js:44:16:44:17 | db |
| add-user.js:44:16:44:17 | db | | add-user.js:44:16:44:17 | db |
edges edges
| add-user.js:16:11:26:10 | db | add-user.js:28:12:28:13 | db | | add-user.js:16:11:26:10 | db | add-user.js:28:12:28:13 | db |
| add-user.js:16:11:26:10 | db | add-user.js:28:12:28:13 | db |
| add-user.js:16:11:26:10 | db | add-user.js:28:12:28:13 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db | | add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db | | add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:28:12:28:13 | db | add-user.js:43:14:43:25 | connect_db() | | add-user.js:28:12:28:13 | db | add-user.js:43:14:43:25 | connect_db() |
| add-user.js:28:12:28:13 | db | add-user.js:43:14:43:25 | connect_db() |
| add-user.js:28:12:28:13 | db | add-user.js:43:14:43:25 | connect_db() |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db | | add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db | | add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:43:9:43:25 | db | add-user.js:44:16:44:17 | db | | add-user.js:43:9:43:25 | db | add-user.js:44:16:44:17 | db |
| add-user.js:43:9:43:25 | db | add-user.js:44:16:44:17 | db |
| add-user.js:43:9:43:25 | db | add-user.js:44:16:44:17 | db |
| add-user.js:43:14:43:25 | connect_db() | add-user.js:43:9:43:25 | db | | add-user.js:43:14:43:25 | connect_db() | add-user.js:43:9:43:25 | db |
| add-user.js:43:14:43:25 | connect_db() | add-user.js:43:9:43:25 | db |
| add-user.js:43:14:43:25 | connect_db() | add-user.js:43:9:43:25 | db |
| add-user.js:44:16:44:17 | db | add-user.js:31:21:31:22 | db |
| add-user.js:44:16:44:17 | db | add-user.js:31:21:31:22 | db |
| add-user.js:44:16:44:17 | db | add-user.js:31:21:31:22 | db | | add-user.js:44:16:44:17 | db | add-user.js:31:21:31:22 | db |
#select #select
| add-user.js:35:5:35:6 | db | add-user.js:16:16:26:10 | new sql ... }) | add-user.js:35:5:35:6 | db | Database originating $@ | add-user.js:16:16:26:10 | new sql ... }) | here | | add-user.js:35:5:35:6 | db | add-user.js:16:16:26:10 | new sql ... }) | add-user.js:35:5:35:6 | db | Database originating $@ | add-user.js:16:16:26:10 | new sql ... }) | here |


@@ -1 +1 @@
IdentifyFlowSink.ql 03-IdentifyFlowSink.ql


@@ -1,5 +1,3 @@
WARNING: Unused predicate foo (/Users/hohn/local/codeql-javascript-multiflow/solutions/PreGuardRecursivePredicate.ql:56,11-14)
WARNING: Unused predicate foo1 (/Users/hohn/local/codeql-javascript-multiflow/solutions/PreGuardRecursivePredicate.ql:65,11-15)
nodes nodes
| sample-utility-0.js:5:13:5:46 | value | | sample-utility-0.js:5:13:5:46 | value |
| sample-utility-0.js:5:21:5:46 | this.ge ... value') | | sample-utility-0.js:5:21:5:46 | this.ge ... value') |


@@ -1 +1 @@
PreGuardRecursivePredicate.ql 08-PreGuardRecursivePredicate.ql


@@ -1 +1 @@
RestrictedSqlInjection.ql 05-RestrictedSqlInjection.ql


@@ -1 +1 @@
RestrictedSqlInjectionViaTT.ql 06-RestrictedSqlInjectionViaTT.ql


@@ -1,2 +1 @@
WARNING: Unused predicate uSink (/Users/hohn/local/codeql-javascript-multiflow/solutions/UltimateSink.ql:14,11-16)
| add-user.js:4:16:4:37 | stdinBu ... tring() | | add-user.js:4:16:4:37 | stdinBu ... tring() |


@@ -1 +1 @@
UltimateSink.ql 02-UltimateSink.ql


@@ -1 +1 @@
UltimateSource.ql 01-UltimateSource.ql