mirror of
https://github.com/github/codeql.git
synced 2025-12-21 11:16:30 +01:00
Create the sink ClassificationReasons
Write the reasons that indicate that an endpoint is a sink for each sink type. Also fix import error.
This commit is contained in:
tiferet
@@ -4,7 +4,7 @@
|
||||
* Provides information about the results of boosted queries for use in adaptive threat modeling (ATM).
|
||||
*/
|
||||
|
||||
private import javascript::DataFlow as DataFlow
|
||||
private import javascript::DataFlow
|
||||
import ATMConfig
|
||||
private import BaseScoring
|
||||
private import EndpointScoring as EndpointScoring
|
||||
|
||||
@@ -0,0 +1,113 @@
|
||||
/**
|
||||
* For internal use only.
|
||||
*
|
||||
* Defines a set of characteristics that a particular endpoint might have. This set of characteristics is used to make
|
||||
* decisions about whether to include the endpoint in the training set and with what label, as well as whether to score
|
||||
* the endpoint at inference time.
|
||||
*/
|
||||
|
||||
import experimental.adaptivethreatmodeling.EndpointTypes
|
||||
import semmle.javascript.security.dataflow.SqlInjectionCustomizations
|
||||
private import semmle.javascript.security.dataflow.DomBasedXssCustomizations
|
||||
private import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
|
||||
private import semmle.javascript.security.dataflow.TaintedPathCustomizations
|
||||
|
||||
abstract class ClassificationReason extends string {
|
||||
// The name of the reason, which should describe some characteristic of the endpoint that is meaningful for
|
||||
// determining whether it's a sink and if so of which type
|
||||
bindingset[this]
|
||||
ClassificationReason() { any() }
|
||||
|
||||
// Indicators with confidence at or above this threshold are considered to be high-confidence indicators.
|
||||
float getHighConfidenceThreshold() { result = 0.8 }
|
||||
|
||||
// Indicators with confidence at or above this threshold are considered to be medium-confidence indicators.
|
||||
float getMediumConfidenceThreshold() { result = 0.5 }
|
||||
|
||||
// The logic to identify which endpoints have this reason.
|
||||
abstract predicate getEndpoints(DataFlow::Node n);
|
||||
|
||||
// This predicate describes what the reason tells us about an endpoint.
|
||||
//
|
||||
// Params:
|
||||
// endpointClass: Class 0 is the negative class. Each positive int corresponds to a single sink type.
|
||||
// isPositiveIndicator: Does this reason indicate this endpoint _is_ a member of the class, or that it _isn't_ a
|
||||
// member of the class?
|
||||
// confidence: A number in [0, 1], which tells us how strong an indicator this reason is for the endpoint belonging /
|
||||
// not belonging to the given class.
|
||||
abstract predicate getImplications(
|
||||
EndpointType endpointClass, boolean isPositiveIndicator, float confidence
|
||||
);
|
||||
}
|
||||
|
||||
/*
|
||||
* Endpoints that were identified as "DomBasedXssSink" by the standard Javascript library are XSS sinks with maximal
|
||||
* confidence.
|
||||
*/
|
||||
|
||||
class DomBasedXssSinkReason extends ClassificationReason {
|
||||
DomBasedXssSinkReason() { this = "DomBasedXssSink" }
|
||||
|
||||
override predicate getEndpoints(DataFlow::Node n) { n instanceof DomBasedXss::Sink }
|
||||
|
||||
override predicate getImplications(
|
||||
EndpointType endpointClass, boolean isPositiveIndicator, float confidence
|
||||
) {
|
||||
endpointClass instanceof XssSinkType and isPositiveIndicator = true and confidence = 1.0
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Endpoints that were identified as "TaintedPathSink" by the standard Javascript library are path injection sinks with
|
||||
* maximal confidence.
|
||||
*/
|
||||
|
||||
class TaintedPathSinkReason extends ClassificationReason {
|
||||
TaintedPathSinkReason() { this = "TaintedPathSink" }
|
||||
|
||||
override predicate getEndpoints(DataFlow::Node n) { n instanceof TaintedPath::Sink }
|
||||
|
||||
override predicate getImplications(
|
||||
EndpointType endpointClass, boolean isPositiveIndicator, float confidence
|
||||
) {
|
||||
endpointClass instanceof TaintedPathSinkType and isPositiveIndicator = true and confidence = 1.0
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Endpoints that were identified as "SqlInjectionSink" by the standard Javascript library are SQL injection sinks with
|
||||
* maximal confidence.
|
||||
*/
|
||||
|
||||
class SqlInjectionSinkReason extends ClassificationReason {
|
||||
SqlInjectionSinkReason() { this = "SqlInjectionSink" }
|
||||
|
||||
override predicate getEndpoints(DataFlow::Node n) { n instanceof SqlInjection::Sink }
|
||||
|
||||
override predicate getImplications(
|
||||
EndpointType endpointClass, boolean isPositiveIndicator, float confidence
|
||||
) {
|
||||
endpointClass instanceof SqlInjectionSinkType and
|
||||
isPositiveIndicator = true and
|
||||
confidence = 1.0
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Endpoints that were identified as "NosqlInjectionSink" by the standard Javascript library are NoSQL injection sinks
|
||||
* with maximal confidence.
|
||||
*/
|
||||
|
||||
class NosqlInjectionSinkReason extends ClassificationReason {
|
||||
NosqlInjectionSinkReason() { this = "NosqlInjectionSink" }
|
||||
|
||||
override predicate getEndpoints(DataFlow::Node n) { n instanceof NosqlInjection::Sink }
|
||||
|
||||
override predicate getImplications(
|
||||
EndpointType endpointClass, boolean isPositiveIndicator, float confidence
|
||||
) {
|
||||
endpointClass instanceof NosqlInjectionSinkType and
|
||||
isPositiveIndicator = true and
|
||||
confidence = 1.0
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user