hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' of github.com:github/codeql into labelNaming

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2022-03-28 15:30:33 +02:00
parent e79eecb640 e5f2b830f3
commit 20599d1846
35 changed files with 2025 additions and 1371 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll
View File

@@ -413,10 +413,10 @@ predicate isValidNoArgumentTokenInIdentifyingAccessPath(string name) {
bindingset[name, argument]
predicate isValidTokenArgumentInIdentifyingAccessPath(string name, string argument) {
name = ["Argument", "Parameter"] and
argument.regexpMatch("(N-|-)?\\d+(\\.\\.(N-|-)?\\d+)?")
argument.regexpMatch("(N-|-)?\\d+(\\.\\.((N-|-)?\\d+)?)?")
or
name = "WithArity" and
argument.regexpMatch("\\d+(\\.\\.\\d+)?")
argument.regexpMatch("\\d+(\\.\\.(\\d+)?)?")
or
Specific::isExtraValidTokenArgumentInIdentifyingAccessPath(name, argument)
}

8
javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsSpecific.qll
View File

@@ -120,6 +120,10 @@ API::Node getExtraSuccessorFromNode(API::Node node, AccessPathToken token) {
// API graphs do not use store/load steps for arrays
token.getName() = ["ArrayElement", "Element"] and
result = node.getUnknownMember()
or
token.getName() = "Parameter" and
token.getAnArgument() = "this" and
result = node.getReceiver()
}
/**
@@ -129,6 +133,10 @@ bindingset[token]
API::Node getExtraSuccessorFromInvoke(API::InvokeNode node, AccessPathToken token) {
token.getName() = "Instance" and
result = node.getInstance()
or
token.getName() = "Argument" and
token.getAnArgument() = "this" and
result.getARhs() = node.(DataFlow::CallNode).getReceiver()
}
/**

128
javascript/ql/test/library-tests/frameworks/data/test.expected
View File

@@ -14,69 +14,73 @@ taintFlow
| test.js:24:43:24:50 | source() | test.js:24:8:24:51 | testlib ... urce()) |
| test.js:31:29:31:36 | source() | test.js:32:10:32:10 | y |
| test.js:37:29:37:36 | source() | test.js:38:10:38:10 | y |
| test.js:46:18:46:25 | source() | test.js:46:18:46:25 | source() |
| test.js:47:22:47:29 | source() | test.js:47:22:47:29 | source() |
| test.js:49:24:49:31 | source() | test.js:49:24:49:31 | source() |
| test.js:53:27:53:34 | source() | test.js:53:27:53:34 | source() |
| test.js:58:31:58:38 | source() | test.js:58:31:58:38 | source() |
| test.js:62:34:62:41 | source() | test.js:62:34:62:41 | source() |
| test.js:67:31:67:38 | source() | test.js:67:31:67:38 | source() |
| test.js:68:34:68:41 | source() | test.js:68:34:68:41 | source() |
| test.js:72:36:72:43 | source() | test.js:72:36:72:43 | source() |
| test.js:73:39:73:46 | source() | test.js:73:39:73:46 | source() |
| test.js:75:28:75:35 | source() | test.js:75:28:75:35 | source() |
| test.js:76:31:76:38 | source() | test.js:76:31:76:38 | source() |
| test.js:77:34:77:41 | source() | test.js:77:34:77:41 | source() |
| test.js:81:28:81:35 | source() | test.js:81:28:81:35 | source() |
| test.js:87:17:87:24 | source() | test.js:87:17:87:24 | source() |
| test.js:88:17:88:24 | source() | test.js:88:17:88:24 | source() |
| test.js:89:17:89:24 | source() | test.js:89:17:89:24 | source() |
| test.js:43:29:43:36 | source() | test.js:44:10:44:10 | y |
| test.js:47:33:47:40 | source() | test.js:49:10:49:13 | this |
| test.js:54:18:54:25 | source() | test.js:54:18:54:25 | source() |
| test.js:55:22:55:29 | source() | test.js:55:22:55:29 | source() |
| test.js:57:24:57:31 | source() | test.js:57:24:57:31 | source() |
| test.js:61:27:61:34 | source() | test.js:61:27:61:34 | source() |
| test.js:66:31:66:38 | source() | test.js:66:31:66:38 | source() |
| test.js:70:34:70:41 | source() | test.js:70:34:70:41 | source() |
| test.js:75:31:75:38 | source() | test.js:75:31:75:38 | source() |
| test.js:76:34:76:41 | source() | test.js:76:34:76:41 | source() |
| test.js:80:36:80:43 | source() | test.js:80:36:80:43 | source() |
| test.js:81:39:81:46 | source() | test.js:81:39:81:46 | source() |
| test.js:83:28:83:35 | source() | test.js:83:28:83:35 | source() |
| test.js:84:31:84:38 | source() | test.js:84:31:84:38 | source() |
| test.js:85:34:85:41 | source() | test.js:85:34:85:41 | source() |
| test.js:89:28:89:35 | source() | test.js:89:28:89:35 | source() |
| test.js:95:17:95:24 | source() | test.js:95:17:95:24 | source() |
| test.js:96:17:96:24 | source() | test.js:96:17:96:24 | source() |
| test.js:97:17:97:24 | source() | test.js:97:17:97:24 | source() |
| test.js:102:16:102:34 | testlib.getSource() | test.js:103:8:103:13 | source |
| test.js:102:16:102:34 | testlib.getSource() | test.js:104:8:104:24 | source.continue() |
isSink
| test.js:46:18:46:25 | source() | test-sink |
| test.js:47:22:47:29 | source() | test-sink |
| test.js:49:24:49:31 | source() | test-sink |
| test.js:53:27:53:34 | source() | test-sink |
| test.js:55:38:55:38 | 4 | test-sink |
| test.js:56:38:56:38 | 4 | test-sink |
| test.js:57:38:57:38 | 4 | test-sink |
| test.js:58:31:58:38 | source() | test-sink |
| test.js:60:41:60:41 | 3 | test-sink |
| test.js:61:41:61:41 | 3 | test-sink |
| test.js:62:34:62:41 | source() | test-sink |
| test.js:63:34:63:34 | 3 | test-sink |
| test.js:65:38:65:38 | 3 | test-sink |
| test.js:65:41:65:41 | 4 | test-sink |
| test.js:66:38:66:38 | 3 | test-sink |
| test.js:66:41:66:41 | 4 | test-sink |
| test.js:67:31:67:38 | source() | test-sink |
| test.js:67:41:67:41 | 4 | test-sink |
| test.js:68:31:68:31 | 3 | test-sink |
| test.js:68:34:68:41 | source() | test-sink |
| test.js:70:43:70:43 | 3 | test-sink |
| test.js:70:46:70:46 | 4 | test-sink |
| test.js:71:43:71:43 | 3 | test-sink |
| test.js:71:46:71:46 | 4 | test-sink |
| test.js:72:36:72:43 | source() | test-sink |
| test.js:72:46:72:46 | 4 | test-sink |
| test.js:73:36:73:36 | 3 | test-sink |
| test.js:73:39:73:46 | source() | test-sink |
| test.js:75:28:75:35 | source() | test-sink |
| test.js:75:38:75:38 | 2 | test-sink |
| test.js:75:41:75:41 | 3 | test-sink |
| test.js:76:28:76:28 | 1 | test-sink |
| test.js:76:31:76:38 | source() | test-sink |
| test.js:76:41:76:41 | 3 | test-sink |
| test.js:77:28:77:28 | 1 | test-sink |
| test.js:77:31:77:31 | 2 | test-sink |
| test.js:77:34:77:41 | source() | test-sink |
| test.js:78:28:78:28 | 1 | test-sink |
| test.js:78:31:78:31 | 2 | test-sink |
| test.js:78:34:78:34 | 3 | test-sink |
| test.js:81:28:81:35 | source() | test-sink |
| test.js:82:28:82:28 | 1 | test-sink |
| test.js:87:17:87:24 | source() | test-sink |
| test.js:88:17:88:24 | source() | test-sink |
| test.js:89:17:89:24 | source() | test-sink |
| test.js:54:18:54:25 | source() | test-sink |
| test.js:55:22:55:29 | source() | test-sink |
| test.js:57:24:57:31 | source() | test-sink |
| test.js:61:27:61:34 | source() | test-sink |
| test.js:63:38:63:38 | 4 | test-sink |
| test.js:64:38:64:38 | 4 | test-sink |
| test.js:65:38:65:38 | 4 | test-sink |
| test.js:66:31:66:38 | source() | test-sink |
| test.js:68:41:68:41 | 3 | test-sink |
| test.js:69:41:69:41 | 3 | test-sink |
| test.js:70:34:70:41 | source() | test-sink |
| test.js:71:34:71:34 | 3 | test-sink |
| test.js:73:38:73:38 | 3 | test-sink |
| test.js:73:41:73:41 | 4 | test-sink |
| test.js:74:38:74:38 | 3 | test-sink |
| test.js:74:41:74:41 | 4 | test-sink |
| test.js:75:31:75:38 | source() | test-sink |
| test.js:75:41:75:41 | 4 | test-sink |
| test.js:76:31:76:31 | 3 | test-sink |
| test.js:76:34:76:41 | source() | test-sink |
| test.js:78:43:78:43 | 3 | test-sink |
| test.js:78:46:78:46 | 4 | test-sink |
| test.js:79:43:79:43 | 3 | test-sink |
| test.js:79:46:79:46 | 4 | test-sink |
| test.js:80:36:80:43 | source() | test-sink |
| test.js:80:46:80:46 | 4 | test-sink |
| test.js:81:36:81:36 | 3 | test-sink |
| test.js:81:39:81:46 | source() | test-sink |
| test.js:83:28:83:35 | source() | test-sink |
| test.js:83:38:83:38 | 2 | test-sink |
| test.js:83:41:83:41 | 3 | test-sink |
| test.js:84:28:84:28 | 1 | test-sink |
| test.js:84:31:84:38 | source() | test-sink |
| test.js:84:41:84:41 | 3 | test-sink |
| test.js:85:28:85:28 | 1 | test-sink |
| test.js:85:31:85:31 | 2 | test-sink |
| test.js:85:34:85:41 | source() | test-sink |
| test.js:86:28:86:28 | 1 | test-sink |
| test.js:86:31:86:31 | 2 | test-sink |
| test.js:86:34:86:34 | 3 | test-sink |
| test.js:89:28:89:35 | source() | test-sink |
| test.js:90:28:90:28 | 1 | test-sink |
| test.js:95:17:95:24 | source() | test-sink |
| test.js:96:17:96:24 | source() | test-sink |
| test.js:97:17:97:24 | source() | test-sink |
syntaxErrors
| Member[foo |
| Member[foo] .Member[bar] |

15
javascript/ql/test/library-tests/frameworks/data/test.js
View File

@@ -40,6 +40,14 @@ function testPreserveTaint() {
testlib.taintIntoCallback(source(), undefined, undefined, y => {
sink(y); // OK - only callback 1-2 receive taint
});
testlib.taintIntoCallback(source(), function(y) {
sink(y); // NOT OK
sink(this); // OK - receiver is not tainted
});
testlib.taintIntoCallbackThis(source(), function(y) {
sink(y); // OK - only receiver is tainted
sink(this); // NOT OK
});
}
function testSinks() {
@@ -89,3 +97,10 @@ function testSinks() {
testlib.sink3(source()); // NOT OK
testlib.sink4(source()); // OK
}
function testFlowThroughReceiver() {
let source = testlib.getSource();
sink(source); // NOT OK
sink(source.continue()); // NOT OK
sink(source.blah()); // OK
}

10
javascript/ql/test/library-tests/frameworks/data/test.ql
View File

@@ -9,9 +9,11 @@ class Steps extends ModelInput::SummaryModelCsv {
[
"testlib;;Member[preserveTaint];Argument[0];ReturnValue;taint",
"testlib;;Member[taintIntoCallback];Argument[0];Argument[1..2].Parameter[0];taint",
"testlib;;Member[taintIntoCallbackThis];Argument[0];Argument[1..2].Parameter[this];taint",
"testlib;;Member[preserveArgZeroAndTwo];Argument[0,2];ReturnValue;taint",
"testlib;;Member[preserveAllButFirstArgument];Argument[1..];ReturnValue;taint",
"testlib;;Member[preserveAllIfCall].Call;Argument[0..];ReturnValue;taint"
"testlib;;Member[preserveAllIfCall].Call;Argument[0..];ReturnValue;taint",
"testlib;;Member[getSource].ReturnValue.Member[continue];Argument[this];ReturnValue;taint",
]
}
}
@@ -35,11 +37,17 @@ class Sinks extends ModelInput::SinkModelCsv {
}
}
class Sources extends ModelInput::SourceModelCsv {
override predicate row(string row) { row = "testlib;;Member[getSource].ReturnValue;test-source" }
}
class BasicTaintTracking extends TaintTracking::Configuration {
BasicTaintTracking() { this = "BasicTaintTracking" }
override predicate isSource(DataFlow::Node source) {
source.(DataFlow::CallNode).getCalleeName() = "source"
or
source = ModelOutput::getASourceNode("test-source").getAnImmediateUse()
}
override predicate isSink(DataFlow::Node sink) {

4
javascript/ql/test/library-tests/frameworks/data/warnings.expected
View File

@@ -1,10 +1,6 @@
| CSV type row should have 5 columns but has 2: test;TooFewColumns |
| CSV type row should have 5 columns but has 8: test;TooManyColumns;;;Member[Foo].Instance;too;many;columns |
| Invalid argument '0-1' in token 'Argument[0-1]' in access path: Method[foo].Argument[0-1] |
| Invalid argument '0..' in token 'Argument[0..]' in access path: Argument[0..].Member[password] |
| Invalid argument '0..' in token 'Argument[0..]' in access path: Argument[0..].Member[username] |
| Invalid argument '0..' in token 'Argument[0..]' in access path: Member[executeSql].Argument[0..].Parameter[1] |
| Invalid argument '0..' in token 'Argument[0..]' in access path: Member[run].Argument[0..].Parameter[1] |
| Invalid argument '*' in token 'Argument[*]' in access path: Method[foo].Argument[*] |
| Invalid token 'Argument' is missing its arguments, in access path: Method[foo].Argument |
| Invalid token 'Member' is missing its arguments, in access path: Method[foo].Member |