From 1b7088abde8a3660a11177d6a3c31a51c2fbf2df Mon Sep 17 00:00:00 2001
From: Aditya Sharad
Date: Wed, 22 Dec 2021 12:11:02 -0800
Subject: [PATCH] JS: Tweak performance of CorsOriginHeaderWithAssociatedCredentialHeader

On databases with a large number of Exprs, it can be better to start with the set of route handlers, then find their response headers, then find the expression values set in those headers.
---
 .../CorsMisconfigurationForCredentialsCustomizations.qll | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsCustomizations.qll
index 867494fc0a3..37b1830018e 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsCustomizations.qll
@@ -50,8 +50,12 @@ module CorsMisconfigurationForCredentials {
 |
 routeHandler.getAResponseHeader(_) = origin and
 routeHandler.getAResponseHeader(_) = credentials and
- origin.definesExplicitly("access-control-allow-origin", this.asExpr()) and
- credentials.definesExplicitly("access-control-allow-credentials", credentialsValue)
+ // Performance optimisation: start with the set of all route handlers
+ // rather than the set of all exprs.
+ pragma[only_bind_into](origin)
+ .definesExplicitly("access-control-allow-origin", this.asExpr()) and
+ pragma[only_bind_into](credentials)
+ .definesExplicitly("access-control-allow-credentials", credentialsValue)
 |
 credentialsValue.mayHaveBooleanValue(true) or
 credentialsValue.mayHaveStringValue("true")
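Review bot: The comment added above the two `pragma[only_bind_into](...)` calls states the join order that is wanted, but not that the pragma is what enforces it or that it is a binding hint which leaves the result set unchanged. For a security query this matters: a later reader may simplify the calls back to `origin.definesExplicitly(...)` and reintroduce the slow plan, or may wonder whether the set of CORS-with-credentials alerts changed. I would extend the comment along the lines of `// pragma[only_bind_into] keeps origin/credentials bound via routeHandler.getAResponseHeader(_) first; it affects join order only, not results.` It would also help if the description said that the existing tests for this query report the same alerts before and after the change. The enclosing `exists` and the class start outside this hunk, so how `routeHandler` itself is bound is not visible here.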