JS: Port CorsMisconfigurationForCredentials

2026-04-25 16:55:19 +02:00 · 2023-10-05 09:13:42 +02:00
parent f14303acea
commit 30f1fbc10d
3 changed files with 32 additions and 26 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
@@ -14,7 +14,26 @@ import CorsMisconfigurationForCredentialsCustomizations::CorsMisconfigurationFor
 /**
 * A data flow configuration for CORS misconfiguration for credentials transfer.
 */
-class Configuration extends TaintTracking::Configuration {
+module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof Sanitizer or
+    node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
+  }
+}
+
+/**
+ * Data flow for CORS misconfiguration for credentials transfer.
+ */
+module CorsMisconfigurationFlow = TaintTracking::Global<CorsMisconfigurationConfig>;
+
+/**
+ * DEPRECATED. Use the `CorsMisconfigurationFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "CorsMisconfigurationForCredentials" }

  override predicate isSource(DataFlow::Node source) { source instanceof Source }
--- a/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
+++ b/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
@@ -14,10 +14,10 @@

 import javascript
 import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentialsQuery
-import DataFlow::PathGraph
+import CorsMisconfigurationFlow::PathGraph

-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from CorsMisconfigurationFlow::PathNode source, CorsMisconfigurationFlow::PathNode sink
+where CorsMisconfigurationFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "$@ leak vulnerability due to a $@.",
  sink.getNode().(Sink).getCredentialsHeader(), "Credential", source.getNode(),
  "misconfigured CORS header value"
--- a/javascript/ql/test/query-tests/Security/CWE-346/CorsMisconfigurationForCredentials.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-346/CorsMisconfigurationForCredentials.expected
@@ -1,28 +1,15 @@
-nodes
-| tst.js:12:9:12:54 | origin |
-| tst.js:12:18:12:41 | url.par ... , true) |
-| tst.js:12:18:12:47 | url.par ... ).query |
-| tst.js:12:18:12:54 | url.par ... .origin |
-| tst.js:12:28:12:34 | req.url |
-| tst.js:12:28:12:34 | req.url |
-| tst.js:13:50:13:55 | origin |
-| tst.js:13:50:13:55 | origin |
-| tst.js:18:50:18:53 | null |
-| tst.js:18:50:18:53 | null |
-| tst.js:18:50:18:53 | null |
-| tst.js:23:50:23:55 | "null" |
-| tst.js:23:50:23:55 | "null" |
-| tst.js:23:50:23:55 | "null" |
 edges
 | tst.js:12:9:12:54 | origin | tst.js:13:50:13:55 | origin |
-| tst.js:12:9:12:54 | origin | tst.js:13:50:13:55 | origin |
-| tst.js:12:18:12:41 | url.par ... , true) | tst.js:12:18:12:47 | url.par ... ).query |
-| tst.js:12:18:12:47 | url.par ... ).query | tst.js:12:18:12:54 | url.par ... .origin |
-| tst.js:12:18:12:54 | url.par ... .origin | tst.js:12:9:12:54 | origin |
+| tst.js:12:18:12:41 | url.par ... , true) | tst.js:12:9:12:54 | origin |
 | tst.js:12:28:12:34 | req.url | tst.js:12:18:12:41 | url.par ... , true) |
-| tst.js:12:28:12:34 | req.url | tst.js:12:18:12:41 | url.par ... , true) |
-| tst.js:18:50:18:53 | null | tst.js:18:50:18:53 | null |
-| tst.js:23:50:23:55 | "null" | tst.js:23:50:23:55 | "null" |
+nodes
+| tst.js:12:9:12:54 | origin | semmle.label | origin |
+| tst.js:12:18:12:41 | url.par ... , true) | semmle.label | url.par ... , true) |
+| tst.js:12:28:12:34 | req.url | semmle.label | req.url |
+| tst.js:13:50:13:55 | origin | semmle.label | origin |
+| tst.js:18:50:18:53 | null | semmle.label | null |
+| tst.js:23:50:23:55 | "null" | semmle.label | "null" |
+subpaths
 #select
 | tst.js:13:50:13:55 | origin | tst.js:12:28:12:34 | req.url | tst.js:13:50:13:55 | origin | $@ leak vulnerability due to a $@. | tst.js:14:5:14:59 | res.set ... , true) | Credential | tst.js:12:28:12:34 | req.url | misconfigured CORS header value |
 | tst.js:18:50:18:53 | null | tst.js:18:50:18:53 | null | tst.js:18:50:18:53 | null | $@ leak vulnerability due to a $@. | tst.js:19:5:19:59 | res.set ... , true) | Credential | tst.js:18:50:18:53 | null | misconfigured CORS header value |