mirror of
https://github.com/github/codeql.git
synced 2026-03-23 16:06:47 +01:00
JavaScript: Move from Node to PathNode.
This commit is contained in:
Max Schaefer
@@ -18,6 +18,6 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.TaintedPath::TaintedPath
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "This path depends on $@.", source, "a user-provided value"
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "This path depends on $@.", source, "a user-provided value"
|
||||
|
||||
@@ -16,10 +16,10 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.CommandInjection::CommandInjection
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink, DataFlow::Node highlight
|
||||
where cfg.hasFlow(source, sink) and
|
||||
if cfg.isSinkWithHighlight(sink, _) then
|
||||
cfg.isSinkWithHighlight(sink, highlight)
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node highlight
|
||||
where cfg.hasPathFlow(source, sink) and
|
||||
if cfg.isSinkWithHighlight(sink.getNode(), _) then
|
||||
cfg.isSinkWithHighlight(sink.getNode(), highlight)
|
||||
else
|
||||
highlight = sink
|
||||
highlight = sink.getNode()
|
||||
select highlight, "This command depends on $@.", source, "a user-provided value"
|
||||
|
||||
@@ -15,7 +15,7 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.ReflectedXss::ReflectedXss
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "Cross-site scripting vulnerability due to $@.",
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "Cross-site scripting vulnerability due to $@.",
|
||||
source, "user-provided value"
|
||||
|
||||
@@ -15,7 +15,7 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.StoredXss::StoredXss
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "Stored cross-site scripting vulnerability due to $@.",
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "Stored cross-site scripting vulnerability due to $@.",
|
||||
source, "stored value"
|
||||
|
||||
@@ -15,7 +15,7 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.DomBasedXss::DomBasedXss
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, sink.(Sink).getVulnerabilityKind() + " vulnerability due to $@.",
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), sink.getNode().(Sink).getVulnerabilityKind() + " vulnerability due to $@.",
|
||||
source, "user-provided value"
|
||||
|
||||
@@ -15,8 +15,8 @@ import semmle.javascript.security.dataflow.SqlInjection
|
||||
import semmle.javascript.security.dataflow.NosqlInjection
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where (cfg instanceof SqlInjection::Configuration or
|
||||
cfg instanceof NosqlInjection::Configuration) and
|
||||
cfg.hasFlow(source, sink)
|
||||
select sink, "This query depends on $@.", source, "a user-provided value"
|
||||
cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "This query depends on $@.", source, "a user-provided value"
|
||||
|
||||
@@ -16,6 +16,6 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.CodeInjection::CodeInjection
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "$@ flows to here and is interpreted as code.", source, "User-provided value"
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "$@ flows to here and is interpreted as code.", source, "User-provided value"
|
||||
|
||||
@@ -13,6 +13,6 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.TaintedFormatString::TaintedFormatString
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "$@ flows here and is used in a format string.", source, "User-provided value"
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "$@ flows here and is used in a format string.", source, "User-provided value"
|
||||
|
||||
@@ -12,6 +12,6 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.FileAccessToHttp::FileAccessToHttp
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow (source, sink)
|
||||
select sink, "$@ flows directly to outbound network request", source, "File data"
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "$@ flows directly to outbound network request", source, "File data"
|
||||
|
||||
@@ -15,7 +15,7 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.StackTraceExposure::StackTraceExposure
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "Stack trace information from $@ may be exposed to an external user here.",
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "Stack trace information from $@ may be exposed to an external user here.",
|
||||
source, "here"
|
||||
|
||||
@@ -32,8 +32,8 @@ predicate inBrowserEnvironment(TopLevel tl) {
|
||||
)
|
||||
}
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink) and
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink) and
|
||||
// ignore logging to the browser console (even though it is not a good practice)
|
||||
not inBrowserEnvironment(sink.asExpr().getTopLevel())
|
||||
select sink, "Sensitive data returned by $@ is logged here.", source, source.(Source).describe()
|
||||
not inBrowserEnvironment(sink.getNode().asExpr().getTopLevel())
|
||||
select sink.getNode(), "Sensitive data returned by $@ is logged here.", source, source.getNode().(Source).describe()
|
||||
|
||||
@@ -16,6 +16,6 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.CleartextStorage::CleartextStorage
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "Sensitive data returned by $@ is stored here.", source, source.(Source).describe()
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "Sensitive data returned by $@ is stored here.", source, source.getNode().(Source).describe()
|
||||
|
||||
@@ -14,7 +14,7 @@ import semmle.javascript.security.dataflow.BrokenCryptoAlgorithm::BrokenCryptoAl
|
||||
import semmle.javascript.security.SensitiveActions
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink) and
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink) and
|
||||
not source.asExpr() instanceof CleartextPasswordExpr // flagged by js/insufficient-password-hash
|
||||
select sink, "Sensitive data from $@ is used in a broken or weak cryptographic algorithm.", source , source.(Source).describe()
|
||||
select sink.getNode(), "Sensitive data from $@ is used in a broken or weak cryptographic algorithm.", source , source.(Source).describe()
|
||||
|
||||
@@ -14,6 +14,6 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.InsecureRandomness::InsecureRandomness
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "Cryptographically insecure $@ in a security context.", source, "random value"
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "Cryptographically insecure $@ in a security context.", source, "random value"
|
||||
|
||||
@@ -15,8 +15,8 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentials::CorsMisconfigurationForCredentials
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "$@ leak vulnerability due to $@.",
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "$@ leak vulnerability due to $@.",
|
||||
sink.(Sink).getCredentialsHeader(), "Credential",
|
||||
source, "a misconfigured CORS header value"
|
||||
|
||||
@@ -16,7 +16,7 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.RemotePropertyInjection::RemotePropertyInjection
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "A $@ is used as" + sink.(Sink).getMessage(),
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "A $@ is used as" + sink.(Sink).getMessage(),
|
||||
source, "user-provided value"
|
||||
|
||||
@@ -14,6 +14,6 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.UnsafeDeserialization::UnsafeDeserialization
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "Unsafe deserialization of $@.", source, "user input"
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "Unsafe deserialization of $@.", source, "user input"
|
||||
|
||||
@@ -16,6 +16,6 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.ClientSideUrlRedirect::ClientSideUrlRedirect
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "Untrusted URL redirection due to $@.", source, "user-provided value"
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "Untrusted URL redirection due to $@.", source, "user-provided value"
|
||||
|
||||
@@ -14,6 +14,6 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.ServerSideUrlRedirect::ServerSideUrlRedirect
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "Untrusted URL redirection due to $@.", source, "user-provided value"
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "Untrusted URL redirection due to $@.", source, "user-provided value"
|
||||
|
||||
@@ -15,7 +15,7 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.Xxe::Xxe
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "A $@ is parsed as XML without guarding against external entity expansion.",
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "A $@ is parsed as XML without guarding against external entity expansion.",
|
||||
source, "user-provided value"
|
||||
|
||||
@@ -14,6 +14,6 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.HostHeaderPoisoningInEmailGeneration::HostHeaderPoisoningInEmailGeneration
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "Links in this email can be hijacked by poisoning the HTTP host header $@.", source, "here"
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "Links in this email can be hijacked by poisoning the HTTP host header $@.", source, "here"
|
||||
|
||||
@@ -14,6 +14,6 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.XpathInjection::XpathInjection
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "$@ flows here and is used in an XPath expression.", source, "User-provided value"
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "$@ flows here and is used in an XPath expression.", source, "User-provided value"
|
||||
|
||||
@@ -16,6 +16,6 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.RegExpInjection::RegExpInjection
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "This regular expression is constructed from a $@.", source, "user-provided value"
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "This regular expression is constructed from a $@.", source, "user-provided value"
|
||||
|
||||
@@ -15,7 +15,7 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.XmlBomb::XmlBomb
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "A $@ is parsed as XML without guarding against uncontrolled entity expansion.",
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "A $@ is parsed as XML without guarding against uncontrolled entity expansion.",
|
||||
source, "user-provided value"
|
||||
|
||||
@@ -16,11 +16,11 @@ import javascript
|
||||
private import semmle.javascript.security.dataflow.HardcodedCredentials::HardcodedCredentials
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string value
|
||||
where cfg.hasFlow(source, sink) and
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string value
|
||||
where cfg.hasPathFlow(source, sink) and
|
||||
// use source value in message if it's available
|
||||
if source.asExpr() instanceof ConstantString then
|
||||
value = "The hard-coded value \"" + source.asExpr().(ConstantString).getStringValue() + "\""
|
||||
if source.getNode().asExpr() instanceof ConstantString then
|
||||
value = "The hard-coded value \"" + source.getNode().asExpr().(ConstantString).getStringValue() + "\""
|
||||
else
|
||||
value = "This hard-coded value"
|
||||
select source, value + " is used as $@.", sink, sink.(Sink).getKind()
|
||||
select source.getNode(), value + " is used as $@.", sink, sink.getNode().(Sink).getKind()
|
||||
|
||||
@@ -13,6 +13,6 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.TypeConfusionThroughParameterTampering::TypeConfusionThroughParameterTampering
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "Potential type confusion for $@.", source, "HTTP request parameter"
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "Potential type confusion for $@.", source, "HTTP request parameter"
|
||||
|
||||
@@ -12,6 +12,6 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.HttpToFileAccess::HttpToFileAccess
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "$@ flows to file system", source, "Untrusted data"
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "$@ flows to file system", source, "Untrusted data"
|
||||
|
||||
@@ -13,6 +13,6 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.InsufficientPasswordHash::InsufficientPasswordHash
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
||||
where cfg.hasFlow(source, sink)
|
||||
select sink, "Password from $@ is hashed insecurely.", source , source.(Source).describe()
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), "Password from $@ is hashed insecurely.", source , source.(Source).describe()
|
||||
|
||||
@@ -13,7 +13,7 @@ import javascript
|
||||
import semmle.javascript.security.dataflow.RequestForgery::RequestForgery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink, DataFlow::Node request
|
||||
where cfg.hasFlow(source, sink) and
|
||||
request = sink.getARequest()
|
||||
select request, "The $@ of this request depends on $@.", sink, sink.(Sink).getKind(), source, "a user-provided value"
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node request
|
||||
where cfg.hasPathFlow(source, sink) and
|
||||
request = sink.getNode().(Sink).getARequest()
|
||||
select request, "The $@ of this request depends on $@.", sink, sink.getNode().(Sink).getKind(), source, "a user-provided value"
|
||||
|
||||
Reference in New Issue
Block a user