JS: Move FlowState definition into CommonFlowState

Needed for migrating the XSS query
2026-04-26 09:15:12 +02:00 · 2024-12-11 11:03:59 +01:00
parent 3cf14d8506
commit 114d4a141a
4 changed files with 64 additions and 54 deletions
--- a/javascript/ql/lib/semmle/javascript/security/CommonFlowState.qll
+++ b/javascript/ql/lib/semmle/javascript/security/CommonFlowState.qll
@@ -0,0 +1,61 @@
+/**
+ * Contains a class with flow states that are used by multiple queries.
+ */
+
+private import javascript
+private import TaintedUrlSuffixCustomizations
+
+private newtype TFlowState =
+  TTaint() or
+  TTaintedUrlSuffix() or
+
+/**
+ * A flow state indicating which part of a value is tainted.
+ */
+class FlowState extends TFlowState {
+  /**
+   * Holds if this represents a value that is considered entirely tainted, except the first character
+   * might not be user-controlled.
+   */
+  predicate isTaint() { this = TTaint() }
+
+  /**
+   * Holds if this represents a URL whose fragment and/or query parts are considered tainted.
+   */
+  predicate isTaintedUrlSuffix() { this = TTaintedUrlSuffix() }
+
+  /** Gets a string representation of this flow state. */
+  string toString() {
+    this.isTaint() and result = "taint"
+    or
+    this.isTaintedUrlSuffix() and result = "tainted-url-suffix"
+    or
+    this.isTaintedPrefix() and result = "tainted-prefix"
+  }
+
+  /** DEPRECATED. Gets the corresponding flow label. */
+  deprecated DataFlow::FlowLabel toFlowLabel() {
+    this.isTaint() and result.isTaint()
+    or
+    this.isTaintedUrlSuffix() and result = TaintedUrlSuffix::label()
+    or
+    this.isTaintedPrefix() and result = "PrefixString"
+  }
+}
+
+/** Convenience predicates for working with common flow states. */
+module FlowState {
+  /**
+   * Gets the flow state representing a value that is considered entirely tainted, except the first character
+   * might not be user-controlled.
+   */
+  FlowState taint() { result.isTaint() }
+
+  /**
+   * Gets the flow state representing a URL whose fragment and/or query parts are considered tainted.
+   */
+  FlowState taintedUrlSuffix() { result.isTaintedUrlSuffix() }
+
+  /** DEPRECATED. Gets the flow state corresponding to `label`. */
+  deprecated FlowState fromFlowLabel(DataFlow::FlowLabel label) { result.toFlowLabel() = label }
+}
--- a/javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffixCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffixCustomizations.qll
@@ -12,56 +12,7 @@ private import semmle.javascript.dataflow.internal.DataFlowPrivate as DataFlowPr
 */
 module TaintedUrlSuffix {
  private import DataFlow
-
-  private newtype TFlowState =
-    TTaint() or
-    TTaintedUrlSuffix()
-
-  /**
-   * A flow state with two values, `taint` and `tainted-url-suffix`.
-   *
-   * The `tainted-url-suffix` state represents a URL with a tainted query and fragment part,
-   * which we collectively refer to as the "suffix" of the URL.
-   *
-   * The `taint` state corresponds to ordinary taint.
-   */
-  class FlowState extends TFlowState {
-    /**
-     * Holds if this represents a value that is considered entirely tainted.
-     */
-    predicate isTaint() { this = TTaint() }
-
-    /**
-     * Holds if this represents a URL whose fragment and/or query parts are considered tainted.
-     */
-    predicate isTaintedUrlSuffix() { this = TTaintedUrlSuffix() }
-
-    /** Gets a string representation of this flow state. */
-    string toString() {
-      this.isTaint() and result = "taint"
-      or
-      this.isTaintedUrlSuffix() and result = "tainted-url-suffix"
-    }
-
-    /** DEPRECATED. Gets the corresponding flow label. */
-    deprecated DataFlow::FlowLabel toFlowLabel() {
-      this.isTaint() and result.isTaint()
-      or
-      this.isTaintedUrlSuffix() and result instanceof TaintedUrlSuffixLabel
-    }
-  }
-
-  /** Convenience predicates for working with flow states. */
-  module FlowState {
-    /** Gets the `taint` flow state. */
-    FlowState taint() { result.isTaint() }
-
-    /** Gets the `tainted-url-suffix` flow state. */
-    FlowState taintedUrlSuffix() { result.isTaintedUrlSuffix() }
-
-    /** DEPRECATED. Gets the flow state correpsonding to `label`. */
-    deprecated FlowState fromFlowLabel(DataFlow::FlowLabel label) { result.toFlowLabel() = label }
-  }
+  import CommonFlowState

  /**
   * The flow label representing a URL with a tainted query and fragment part.
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -8,9 +8,7 @@ import javascript
 private import semmle.javascript.security.TaintedUrlSuffixCustomizations

 module ClientSideUrlRedirect {
-  class FlowState = TaintedUrlSuffix::FlowState;
-
-  module FlowState = TaintedUrlSuffix::FlowState;
+  import semmle.javascript.security.CommonFlowState

  /**
   * A data flow source for unvalidated URL redirect vulnerabilities.
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
@@ -21,7 +21,7 @@ deprecated private class ConcreteDocumentUrl extends DocumentUrl {
 * A taint-tracking configuration for reasoning about unvalidated URL redirections.
 */
 module ClientSideUrlRedirectConfig implements DataFlow::StateConfigSig {
-  class FlowState = TaintedUrlSuffix::FlowState;
+  import semmle.javascript.security.CommonFlowState

  predicate isSource(DataFlow::Node source, FlowState state) {
    source.(Source).getAFlowState() = state