Created guide on customizing these queries, and referenced it in the query help

aegilops
2024-07-12 12:49:09 +01:00
parent 040f948e65
commit 00d91dc6ba
2 changed files with 47 additions and 0 deletions


@@ -0,0 +1,43 @@
# Functionaility from untrusted source/domain - customizations
You can extend the behavior of the `js/functionality-from-untrusted-source` and `js/functionality-from-untrusted-domain` queries using [CodeQL data extensions](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/).
This allows you to require Subresource Integrity (SRI) checks on specific content delivery network (CDN) hostnames, and add additional domains to warn on, respectively.
For example, this YAML model can be used inside a CodeQL model pack to alert on uses of `example.com` in imported functionality, extending the `js/functionality-from-untrusted-domain` query:
```yaml
extensions:
- addsTo:
pack: codeql/javascript-all
extensible: untrustedDomain
data:
- ["example.com"]
```
To add new hostnames that always require SRI checking, this YAML model can be used to require SRI on `cdn.example.com`, extending the `js/functionality-from-untrusted-source` query:
```yaml
extensions:
- addsTo:
pack: codeql/javascript-all
extensible: isCdnDomainWithCheckingRequired
data:
- ["cdn.example.com"]
```
A suitable [model pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack) might be:
```yaml
name: my-org/javascript-untrusted-functionality-model-pack
version: 1.0.0
extensionTargets:
codeql/java-all: '*'
dataExtensions:
- models/**/*.yml
```
## References
- [Customizing library models for javascript](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/)
- [Creating and working with CodeQL packs](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack)
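Review bot: the sample model pack targets the wrong pack. Its `extensionTargets` entry is `codeql/java-all: '*'`, while both data extensions above declare `pack: codeql/javascript-all`, so a pack copied from this example would never apply the `untrustedDomain` or `isCdnDomainWithCheckingRequired` rows to the JavaScript queries. It should read `codeql/javascript-all: '*'`. Minor: the heading has a typo, "Functionaility" should be "Functionality".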


@@ -32,6 +32,10 @@
<p>
Even when <code>https</code> is used, an untrustworthy operator might deliver malware.
</p>
<p>
See the `CUSTOMIZING.md` file in the source code for this query for information on how to extend the list of untrusted domains used by this query.
</p>
</overview>
<recommendation>
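Review bot: the added paragraph uses markdown backticks around `CUSTOMIZING.md`, but this is a qhelp XML file where inline code is marked up with `<code>`, as the preceding paragraph does with `<code>https</code>`; the backticks will be rendered literally in the query help. Use `<code>CUSTOMIZING.md</code>` instead.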