hohn/codeql-javascript-multiflow
1
0
Fork 0
mirror of https://github.com/hohn/codeql-javascript-multiflow.git synced 2025-12-16 03:53:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add kludge to setValueTaintStep to get the sanitizer to work

Browse Source 
To be refined...
This commit is contained in:
Michael Hohn
2023-12-08 17:23:17 -08:00
committed by =Michael Hohn
parent aaa2d94df8
commit d1b8c6842d
1 changed files with 27 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
session/session1.ql
View File

@@ -40,11 +40,36 @@ predicate setValueTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
// Trying data flow, this would be: // Trying data flow, this would be:
// succ = gr.flow().getASuccessor+() and // succ = gr.flow().getASuccessor+() and
// //
// Using control flow: // Using control flow
// 1. without sanitizer
gr.getASuccessor+() = postgr and gr.getASuccessor+() = postgr and
succ.asExpr() = postgr succ.asExpr() = postgr
) )
or
exists(DotExpr stw_do, MethodCallExpr stw_mc, VarAccess stw_va,
DotExpr sv_do, MethodCallExpr sv_mc, VarAccess sv_va |
// A safeToWrite ...
stw_do.getPropertyName() = "safeToWrite" and
stw_mc.getReceiver() = stw_do.getBase() and
stw_va = stw_mc.getReceiver() and
// ... followed by a setValue
sv_do.getPropertyName() = "setValue" and
sv_mc.getReceiver() = sv_do.getBase() and
sv_va = sv_mc.getReceiver() and
//
stw_mc.getASuccessor+() = sv_va and
// The setValue taints the safeToWrite. This is going up the CFG, which is
// backwards.
// It's a lie to get the sanitizer to work.
pred.asExpr() = sv_va and
succ.asExpr() = stw_va
)
}
predicate tsTest1(DataFlow::Node pred, DataFlow::Node succ) {
setValueTaintStep(pred, succ)
and
pred.asExpr().getLocation().getFile().getBaseName().matches("%sample%1%")
} }
// Def-Use special handling. Not needed here, but a good example of recursive predicates. // Def-Use special handling. Not needed here, but a good example of recursive predicates.