diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
index 57cabe0ea79..0be461f5118 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
@@ -14,7 +14,26 @@ import CorsMisconfigurationForCredentialsCustomizations::CorsMisconfigurationFor
 /**
 * A data flow configuration for CORS misconfiguration for credentials transfer.
 */
-class Configuration extends TaintTracking::Configuration {
+module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+ predicate isBarrier(DataFlow::Node node) {
+ node instanceof Sanitizer or
+ node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
+ }
+}
+
+/**
+ * Data flow for CORS misconfiguration for credentials transfer.
+ */
+module CorsMisconfigurationFlow = TaintTracking::Global;
+
+/**
+ * DEPRECATED. Use the `CorsMisconfigurationFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "CorsMisconfigurationForCredentials" }
 
 override predicate isSource(DataFlow::Node source) { source instanceof Source }
diff --git a/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql b/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
index 279f09f71ba..ac8acac4742 100644
--- a/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
+++ b/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
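Review bot: The line `+module CorsMisconfigurationFlow = TaintTracking::Global;` instantiates the parameterized module without a configuration argument as rendered here; if that is not an extraction artifact it will not compile, and it should read `module CorsMisconfigurationFlow = TaintTracking::Global<CorsMisconfigurationConfig>;`. The new `isBarrier` combines `Sanitizer` with `TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()`, but the deprecated class's body, presumably including its `isSanitizer` and sanitizer-guard overrides, continues outside the hunk, so equivalence of the new barrier set with the legacy one cannot be confirmed from this view; the unchanged `#select` rows in the `.expected` hunk of this commit are the only evidence here that the two configurations agree. Since the barrier set decides which origin checks suppress a credential-leak finding, a one-line comment on `isBarrier` naming the legacy predicates it replaces would make a later audit of that equivalence cheaper, e.g. `// Mirrors the sanitizer and sanitizer-guard logic of the deprecated Configuration class.`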
@@ -14,10 +14,10 @@ import javascript
 import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentialsQuery
-import DataFlow::PathGraph
+import CorsMisconfigurationFlow::PathGraph
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from CorsMisconfigurationFlow::PathNode source, CorsMisconfigurationFlow::PathNode sink
+where CorsMisconfigurationFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "$@ leak vulnerability due to a $@.", sink.getNode().(Sink).getCredentialsHeader(), "Credential", source.getNode(), "misconfigured CORS header value"
diff --git a/javascript/ql/test/query-tests/Security/CWE-346/CorsMisconfigurationForCredentials.expected b/javascript/ql/test/query-tests/Security/CWE-346/CorsMisconfigurationForCredentials.expected
index 83e103f121b..fdbf937e0a2 100644
--- a/javascript/ql/test/query-tests/Security/CWE-346/CorsMisconfigurationForCredentials.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-346/CorsMisconfigurationForCredentials.expected
@@ -1,28 +1,15 @@
-nodes
-| tst.js:12:9:12:54 | origin |
-| tst.js:12:18:12:41 | url.par ... , true) |
-| tst.js:12:18:12:47 | url.par ... ).query |
-| tst.js:12:18:12:54 | url.par ... .origin |
-| tst.js:12:28:12:34 | req.url |
-| tst.js:12:28:12:34 | req.url |
-| tst.js:13:50:13:55 | origin |
-| tst.js:13:50:13:55 | origin |
-| tst.js:18:50:18:53 | null |
-| tst.js:18:50:18:53 | null |
-| tst.js:18:50:18:53 | null |
-| tst.js:23:50:23:55 | "null" |
-| tst.js:23:50:23:55 | "null" |
-| tst.js:23:50:23:55 | "null" |
 edges
 | tst.js:12:9:12:54 | origin | tst.js:13:50:13:55 | origin |
-| tst.js:12:9:12:54 | origin | tst.js:13:50:13:55 | origin |
-| tst.js:12:18:12:41 | url.par ... , true) | tst.js:12:18:12:47 | url.par ... ).query |
-| tst.js:12:18:12:47 | url.par ... ).query | tst.js:12:18:12:54 | url.par ... .origin |
-| tst.js:12:18:12:54 | url.par ... .origin | tst.js:12:9:12:54 | origin |
+| tst.js:12:18:12:41 | url.par ... , true) | tst.js:12:9:12:54 | origin |
 | tst.js:12:28:12:34 | req.url | tst.js:12:18:12:41 | url.par ... , true) |
-| tst.js:12:28:12:34 | req.url | tst.js:12:18:12:41 | url.par ... , true) |
-| tst.js:18:50:18:53 | null | tst.js:18:50:18:53 | null |
-| tst.js:23:50:23:55 | "null" | tst.js:23:50:23:55 | "null" |
+nodes
+| tst.js:12:9:12:54 | origin | semmle.label | origin |
+| tst.js:12:18:12:41 | url.par ... , true) | semmle.label | url.par ... , true) |
+| tst.js:12:28:12:34 | req.url | semmle.label | req.url |
+| tst.js:13:50:13:55 | origin | semmle.label | origin |
+| tst.js:18:50:18:53 | null | semmle.label | null |
+| tst.js:23:50:23:55 | "null" | semmle.label | "null" |
+subpaths
 #select
 | tst.js:13:50:13:55 | origin | tst.js:12:28:12:34 | req.url | tst.js:13:50:13:55 | origin | $@ leak vulnerability due to a $@. | tst.js:14:5:14:59 | res.set ... , true) | Credential | tst.js:12:28:12:34 | req.url | misconfigured CORS header value |
 | tst.js:18:50:18:53 | null | tst.js:18:50:18:53 | null | tst.js:18:50:18:53 | null | $@ leak vulnerability due to a $@. | tst.js:19:5:19:59 | res.set ... , true) | Credential | tst.js:18:50:18:53 | null | misconfigured CORS header value |