mirror of
https://github.com/hohn/codeql-javascript-multiflow.git
synced 2025-12-16 20:03:04 +01:00
53 lines
1.4 KiB
Plaintext
53 lines
1.4 KiB
Plaintext
/**
|
|
* @kind path-problem
|
|
*/
|
|
|
|
import javascript
|
|
import DataFlow::PathGraph
|
|
|
|
// Ultimate source
|
|
// ----------------
|
|
// var line = stdinBuffer.toString();
|
|
predicate uSource(MethodCallExpr sbts) { sbts.getMethodName().matches("%toString%") }
|
|
|
|
// Ultimate sink
|
|
// ----------------
|
|
// db.exec(query);
|
|
predicate uSink(MethodCallExpr dbe) { dbe.getMethodName().matches("%exec%") }
|
|
|
|
// Flow sink origin
|
|
// ------------------------
|
|
// Connect
|
|
// const db = new sqlite3.Database(
|
|
// to its use
|
|
// db.exec(query);
|
|
//
|
|
class FlowSinkOrigin extends DataFlow::FlowLabel {
|
|
FlowSinkOrigin() { this = "FlowSinkOrigin" }
|
|
}
|
|
|
|
class IdentifyFlowSink extends DataFlow::Configuration {
|
|
IdentifyFlowSink() { this = "IdentifyFlowSink" }
|
|
|
|
override predicate isSource(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
|
|
// const db = new sqlite3.Database(
|
|
exists(NewExpr newdb |
|
|
newdb.getCalleeName() = "Database" and
|
|
nd.asExpr() = newdb
|
|
)
|
|
}
|
|
|
|
override predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
|
|
// db.exec(query);
|
|
exists(Expr db, MethodCallExpr exec |
|
|
exec.getMethodName() = "exec" and
|
|
db = exec.getReceiver() and
|
|
nd.asExpr() = db
|
|
)
|
|
}
|
|
}
|
|
|
|
from IdentifyFlowSink cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
|
where cfg.hasFlowPath(source, sink)
|
|
select sink, source, sink, "Database originating $@", source, "here"
|