hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Create the sink ClassificationReasons

Browse Source 
Write the reasons that indicate that an endpoint is a sink for each sink type.

Also fix import error.
This commit is contained in:
tiferet
2022-10-28 14:40:43 -07:00
parent 649c3af98a
commit 08bbe596a2
2 changed files with 114 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/AdaptiveThreatModeling.qll
View File

@@ -4,7 +4,7 @@
* Provides information about the results of boosted queries for use in adaptive threat modeling (ATM). * Provides information about the results of boosted queries for use in adaptive threat modeling (ATM).
*/ */
private import javascript::DataFlow as DataFlow private import javascript::DataFlow
import ATMConfig import ATMConfig
private import BaseScoring private import BaseScoring
private import EndpointScoring as EndpointScoring private import EndpointScoring as EndpointScoring

113
javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ClassificationReasons.qll Normal file
View File

@@ -0,0 +1,113 @@
/**
* For internal use only.
*
* Defines a set of characteristics that a particular endpoint might have. This set of characteristics is used to make
* decisions about whether to include the endpoint in the training set and with what label, as well as whether to score
* the endpoint at inference time.
*/
import experimental.adaptivethreatmodeling.EndpointTypes
import semmle.javascript.security.dataflow.SqlInjectionCustomizations
private import semmle.javascript.security.dataflow.DomBasedXssCustomizations
private import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
private import semmle.javascript.security.dataflow.TaintedPathCustomizations
abstract class ClassificationReason extends string {
// The name of the reason, which should describe some characteristic of the endpoint that is meaningful for
// determining whether it's a sink and if so of which type
bindingset[this]
ClassificationReason() { any() }
// Indicators with confidence at or above this threshold are considered to be high-confidence indicators.
float getHighConfidenceThreshold() { result = 0.8 }
// Indicators with confidence at or above this threshold are considered to be medium-confidence indicators.
float getMediumConfidenceThreshold() { result = 0.5 }
// The logic to identify which endpoints have this reason.
abstract predicate getEndpoints(DataFlow::Node n);
// This predicate describes what the reason tells us about an endpoint.
//
// Params:
// endpointClass: Class 0 is the negative class. Each positive int corresponds to a single sink type.
// isPositiveIndicator: Does this reason indicate this endpoint _is_ a member of the class, or that it _isn't_ a
// member of the class?
// confidence: A number in [0, 1], which tells us how strong an indicator this reason is for the endpoint belonging /
// not belonging to the given class.
abstract predicate getImplications(
EndpointType endpointClass, boolean isPositiveIndicator, float confidence
);
}
/*
* Endpoints that were identified as "DomBasedXssSink" by the standard Javascript library are XSS sinks with maximal
* confidence.
*/
class DomBasedXssSinkReason extends ClassificationReason {
DomBasedXssSinkReason() { this = "DomBasedXssSink" }
override predicate getEndpoints(DataFlow::Node n) { n instanceof DomBasedXss::Sink }
override predicate getImplications(
EndpointType endpointClass, boolean isPositiveIndicator, float confidence
) {
endpointClass instanceof XssSinkType and isPositiveIndicator = true and confidence = 1.0
}
}
/*
* Endpoints that were identified as "TaintedPathSink" by the standard Javascript library are path injection sinks with
* maximal confidence.
*/
class TaintedPathSinkReason extends ClassificationReason {
TaintedPathSinkReason() { this = "TaintedPathSink" }
override predicate getEndpoints(DataFlow::Node n) { n instanceof TaintedPath::Sink }
override predicate getImplications(
EndpointType endpointClass, boolean isPositiveIndicator, float confidence
) {
endpointClass instanceof TaintedPathSinkType and isPositiveIndicator = true and confidence = 1.0
}
}
/*
* Endpoints that were identified as "SqlInjectionSink" by the standard Javascript library are SQL injection sinks with
* maximal confidence.
*/
class SqlInjectionSinkReason extends ClassificationReason {
SqlInjectionSinkReason() { this = "SqlInjectionSink" }
override predicate getEndpoints(DataFlow::Node n) { n instanceof SqlInjection::Sink }
override predicate getImplications(
EndpointType endpointClass, boolean isPositiveIndicator, float confidence
) {
endpointClass instanceof SqlInjectionSinkType and
isPositiveIndicator = true and
confidence = 1.0
}
}
/*
* Endpoints that were identified as "NosqlInjectionSink" by the standard Javascript library are NoSQL injection sinks
* with maximal confidence.
*/
class NosqlInjectionSinkReason extends ClassificationReason {
NosqlInjectionSinkReason() { this = "NosqlInjectionSink" }
override predicate getEndpoints(DataFlow::Node n) { n instanceof NosqlInjection::Sink }
override predicate getImplications(
EndpointType endpointClass, boolean isPositiveIndicator, float confidence
) {
endpointClass instanceof NosqlInjectionSinkType and
isPositiveIndicator = true and
confidence = 1.0
}
}