Merge remote-tracking branch 'upstream/master' into mergeback-20181112

2026-04-28 10:15:14 +02:00 · 2018-11-12 13:24:27 +01:00
parent 47fda72b91 dd6fd400aa
commit 1500237009
38 changed files with 700 additions and 54 deletions
--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -2,6 +2,7 @@
 * Provides classes for working with JavaScript programs, as well as JSON, YAML and HTML.
 */

+import semmle.javascript.Aliases
 import semmle.javascript.AMD
 import semmle.javascript.AST
 import semmle.javascript.BasicBlocks
--- a/javascript/ql/src/semmle/javascript/Aliases.qll
+++ b/javascript/ql/src/semmle/javascript/Aliases.qll
@@ -0,0 +1,37 @@
+/**
+ * Provides aliases for commonly used classes that have different names
+ * in the QL libraries for other languages.
+ */
+
+import javascript
+
+class AndBitwiseExpr = BitAndExpr;
+class AndLogicalExpr = LogAndExpr;
+class ArrayAccess = IndexExpr;
+class AssignOp = CompoundAssignExpr;
+class Block = BlockStmt;
+class BoolLiteral = BooleanLiteral;
+class CaseStmt = Case;
+class ComparisonOperation = Comparison;
+class DoStmt = DoWhileStmt;
+class EqualityOperation = EqualityTest;
+class FieldAccess = DotExpr;
+class InstanceOfExpr = InstanceofExpr;
+class LabelStmt = LabeledStmt;
+class LogicalAndExpr = LogAndExpr;
+class LogicalNotExpr = LogNotExpr;
+class LogicalOrExpr = LogOrExpr;
+class Loop = LoopStmt;
+class MultilineComment = BlockComment;
+class OrBitwiseExpr = BitOrExpr;
+class OrLogicalExpr = LogOrExpr;
+class ParenthesisExpr = ParExpr;
+class ParenthesizedExpr = ParExpr;
+class RelationalOperation = RelationalComparison;
+class RemExpr = ModExpr;
+class SingleLineComment = LineComment;
+class SuperAccess = SuperExpr;
+class SwitchCase = Case;
+class ThisAccess = ThisExpr;
+class VariableAccess = VarAccess;
+class XorBitwiseExpr = XOrExpr;
--- a/javascript/ql/src/semmle/javascript/security/dataflow/StackTraceExposure.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/StackTraceExposure.qll
@@ -23,22 +23,32 @@ module StackTraceExposure {
      src instanceof Source
    }

+    override predicate isSanitizer(DataFlow::Node nd) {
+      super.isSanitizer(nd)
+      or
+      // read of a property other than `stack`
+      nd.(DataFlow::PropRead).getPropertyName() != "stack"
+      or
+      // `toString` does not include the stack trace
+      nd.(DataFlow::MethodCallNode).getMethodName() = "toString"
+      or
+      nd = StringConcatenation::getAnOperand(_)
+    }
+
    override predicate isSink(DataFlow::Node snk) {
      snk instanceof Sink
    }
  }

+
  /**
   * A read of the `stack` property of an exception, viewed as a data flow
   * sink for stack trace exposure vulnerabilities.
   */
-  class DefaultSource extends Source, DataFlow::ValueNode {
+  class DefaultSource extends Source, DataFlow::Node {
    DefaultSource() {
-      // any read of the `stack` property of an exception is a source
-      exists (Parameter exc |
-        exc = any(TryStmt try).getACatchClause().getAParameter() and
-        this = DataFlow::parameterNode(exc).getAPropertyRead("stack")
-      )
+      // any exception is a source
+      this = DataFlow::parameterNode(any(TryStmt try).getACatchClause().getAParameter())
    }
  }