JS: Add database threat-model source modeling

2026-04-26 17:25:19 +02:00 · 2024-10-29 14:57:17 +01:00
parent 7c7420a9a4
commit 3656864695
2 changed files with 24 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/Concepts.qll
+++ b/javascript/ql/lib/semmle/javascript/Concepts.qll
@@ -148,6 +148,17 @@ abstract class DatabaseAccess extends DataFlow::Node {
  }
 }

+/**
+ * A DatabaseAccess seen as a ThreatModelSource.
+ */
+private class DatabaseAccessAsThreatModelSource extends ThreatModelSource::Range {
+  DatabaseAccessAsThreatModelSource() { this = any(DatabaseAccess access).getAResult() }
+
+  override string getThreatModel() { result = "database" }
+
+  override string getSourceType() { result = "DatabaseAccess" }
+}
+
 /**
 * A data flow node that reads persistent data.
 */
--- a/javascript/ql/test/library-tests/threat-models/sources/sources.js
+++ b/javascript/ql/test/library-tests/threat-models/sources/sources.js
@@ -42,3 +42,16 @@ const program = new Command();
 program.parse(process.argv); // $ threat-source=commandargs

 SINK(program.opts().foo); // $ hasFlow SPURIOUS: threat-source=commandargs
+
+// ------ reading from database ------
+
+// Accessing database using mysql
+const mysql = require('mysql');
+const connection = mysql.createConnection({host: 'localhost'});
+connection.connect();
+connection.query('SELECT 1 + 1 AS solution', function (error, results, fields) { // $ threat-source=database
+    if (error) throw error;
+    SINK(results); // $ hasFlow
+    SINK(results[0]); // $ hasFlow
+    SINK(results[0].solution); // $ hasFlow
+});