Split out "compromised" functionality

javascript/ql/lib/semmle/javascript/security/FunctionalityFromUntrustedSource.qll

@@ -42,11 +42,19 @@ module StaticCreation {
           "code\\.jquery\\.com", //
           "cdnjs\\.cloudflare\\.com", //
           "cdnjs\\.com", //
-          "cdn\\.polyfill\\.io", // compromised
-          "polyfill\\.io", // compromised
         ] + "/.*\\.js$")
   }
 
+  /** Holds if `url` refers to a compromised CDN, that should not be trusted. */
+  bindingset[url]
+  predicate isCompromisedCdn(string url) {
+    url.regexpMatch("(?i)^https?://" +
+        [
+          "cdn\\.polyfill\\.io", // See https://sansec.io/research/polyfill-supply-chain-attack for details
+          "polyfill\\.io",       // "
+        ] + "/.*$")
+  }
+
   /** A script element that refers to untrusted content. */
   class ScriptElementWithUntrustedContent extends AddsUntrustedUrl instanceof HTML::ScriptElement {
     ScriptElementWithUntrustedContent() {
@@ -59,6 +67,19 @@ module StaticCreation {
     override string getProblem() { result = "Script loaded using unencrypted connection." }
   }
 
+  /** A script element that refers to compromised content. */
+  class CdnFromCompromisedSource extends AddsUntrustedUrl, HTML::ScriptElement {
+    CdnFromCompromisedSource() {
+      isCompromisedCdn(this.getSourcePath())
+    }
+
+    override string getUrl() { result = this.getSourcePath() }
+
+    override string getProblem() {
+      result = "Script loaded from compromised content delivery network."
+    }
+  }
+
   /** A script element that refers to untrusted content. */
   class CdnScriptElementWithUntrustedContent extends AddsUntrustedUrl, HTML::ScriptElement {
     CdnScriptElementWithUntrustedContent() {