Merge pull request #7352 from github/esbena/atm-endpoint-polish

ATM Endpoint filtering improvements
2026-05-04 05:05:12 +02:00 · 2021-12-14 08:19:23 +00:00
parent 81dedfe22f 1949a4e59a
commit 1c79d1f985
7 changed files with 149 additions and 4 deletions
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/CoreKnowledge.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/CoreKnowledge.qll
@@ -157,6 +157,9 @@ predicate isOtherModeledArgument(DataFlow::Node n, FilteringReason reason) {
  any(LodashUnderscore::Member m).getACall().getAnArgument() = n and
  reason instanceof LodashUnderscoreArgumentReason
  or
+  any(JQuery::MethodCall m).getAnArgument() = n and
+  reason instanceof JQueryArgumentReason
+  or
  exists(ClientRequest r |
    r.getAnArgument() = n or n = r.getUrl() or n = r.getHost() or n = r.getADataNode()
  ) and
@@ -197,12 +200,23 @@ predicate isOtherModeledArgument(DataFlow::Node n, FilteringReason reason) {
    or
    call instanceof FileSystemAccess and reason instanceof FileSystemAccessReason
    or
-    call instanceof DatabaseAccess and reason instanceof DatabaseAccessReason
+    // TODO database accesses are less well defined than database query sinks, so this may cover unmodeled sinks on existing database models
+    [
+      call, call.getAMethodCall()
+    /* command pattern where the query is built, and then exec'ed later */ ] instanceof
+      DatabaseAccess and
+    reason instanceof DatabaseAccessReason
    or
    call = DOM::domValueRef() and reason instanceof DOMReason
    or
    call.getCalleeName() = "next" and
    exists(DataFlow::FunctionNode f | call = f.getLastParameter().getACall()) and
    reason instanceof NextFunctionCallReason
+    or
+    call = DataFlow::globalVarRef("dojo").getAPropertyRead("require").getACall() and
+    reason instanceof DojoRequireReason
  )
+  or
+  (exists(Base64::Decode d | n = d.getInput()) or exists(Base64::Encode d | n = d.getInput())) and
+  reason instanceof Base64ManipulationReason
 }
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/FilteringReasons.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/FilteringReasons.qll
@@ -29,7 +29,10 @@ newtype TFilteringReason =
  TArgumentToArrayReason() or
  TArgumentToBuiltinGlobalVarRefReason() or
  TConstantReceiverReason() or
-  TBuiltinCallNameReason()
+  TBuiltinCallNameReason() or
+  TBase64ManipulationReason() or
+  TJQueryArgumentReason() or
+  TDojoRequireReason()

 /** A reason why a particular endpoint was filtered out by the endpoint filters. */
 abstract class FilteringReason extends TFilteringReason {
@@ -194,3 +197,21 @@ class BuiltinCallNameReason extends NotASinkReason, TBuiltinCallNameReason {

  override int getEncoding() { result = 27 }
 }
+
+class Base64ManipulationReason extends NotASinkReason, TBase64ManipulationReason {
+  override string getDescription() { result = "Base64Manipulation" }
+
+  override int getEncoding() { result = 28 }
+}
+
+class JQueryArgumentReason extends NotASinkReason, TJQueryArgumentReason {
+  override string getDescription() { result = "JQueryArgument" }
+
+  override int getEncoding() { result = 29 }
+}
+
+class DojoRequireReason extends NotASinkReason, TDojoRequireReason {
+  override string getDescription() { result = "DojoRequire" }
+
+  override int getEncoding() { result = 30 }
+}