hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 02:35:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

changed the exceptional taint-steps to step through each call-site

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2019-11-15 16:05:15 +01:00
parent e95cceef1d
commit 3edd65f9ab
2 changed files with 50 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
javascript/ql/src/semmle/javascript/security/dataflow/ExceptionXss.qll
View File

@@ -14,6 +14,14 @@ module ExceptionXss {
import Xss::StoredXss as StoredXss
import Xss as XSS
DataFlow::ExceptionalInvocationReturnNode getCallerExceptionalReturn(DataFlow::FunctionNode func) {
exists(DataFlow::InvokeNode call |
not call.isImprecise() and
func.getFunction() = call.(DataFlow::InvokeNode).getACallee() and
result = call.getExceptionalReturn()
)
}
DataFlow::Node getExceptionalSuccssor(DataFlow::Node pred) {
exists(DataFlow::FunctionNode func |
pred.getContainer() = func.getFunction() and
@@ -22,14 +30,12 @@ module ExceptionXss {
result.(DataFlow::ParameterNode).getParameter() = getEnclosingTryStmt(pred
.asExpr()
.getEnclosingStmt()).getACatchClause().getAParameter()
else result = getExceptionalSuccssor(func.getExceptionalReturn())
or
pred = func.getExceptionalReturn() and
exists(DataFlow::InvokeNode call |
not call.isImprecise() and
func.getFunction() = call.(DataFlow::InvokeNode).getACallee() and
result = getExceptionalSuccssor(call)
)
else result = getCallerExceptionalReturn(func)
)
or
exists(DataFlow::InvokeNode call |
pred = call.getExceptionalReturn() and
result = getExceptionalSuccssor(call)
)
}
@@ -53,7 +59,9 @@ module ExceptionXss {
}
/**
* A taint-tracking configuration for reasoning about XSS with possible exceptional flow.
* A taint-tracking configuration for reasoning about XSS with possible exceptional flow.
* Flow labels are used to ensure that we only report taint-flow that has been thrown in
* an exception.
*/
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "ExceptionXss"}
@@ -63,8 +71,8 @@ module ExceptionXss {
}
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
sink instanceof XSS::Shared::Sink and label.isDataOrTaint()
}
sink instanceof XSS::Shared::Sink and not label instanceof NotYetThrown
}
override predicate isSanitizer(DataFlow::Node node) {
super.isSanitizer(node) or
@@ -72,12 +80,14 @@ module ExceptionXss {
}
override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl) {
inlbl instanceof NotYetThrown and (outlbl.isTaint() or outlbl instanceof NotYetThrown) and
succ = getExceptionalSuccssor(pred) and
(canThrowSensitiveInformation(pred) or pred = any(DataFlow::InvokeNode c).getExceptionalReturn())
or
// All the usual taint-flow steps applies on data-flow before it has been thrown in an exception.
this.isAdditionalFlowStep(pred, succ) and inlbl instanceof NotYetThrown and outlbl instanceof NotYetThrown
or
inlbl instanceof NotYetThrown and outlbl.isTaint() and
succ = getExceptionalSuccssor(pred) and
canThrowSensitiveInformation(pred)
or
// We taint an object deep if it happens before an exception has been thrown.
inlbl instanceof NotYetThrown and outlbl instanceof NotYetThrown and
exists(DataFlow::PropWrite write | write.getRhs() = pred and write.getBase() = succ)
}

28
javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected
View File

@@ -8,6 +8,8 @@ nodes
| exception-xss.js:10:10:10:10 | e |
| exception-xss.js:11:18:11:18 | e |
| exception-xss.js:11:18:11:18 | e |
| exception-xss.js:15:3:15:12 | exceptional return of inner(foo) |
| exception-xss.js:15:3:15:12 | exceptional return of inner(foo) |
| exception-xss.js:15:9:15:11 | foo |
| exception-xss.js:16:10:16:10 | e |
| exception-xss.js:17:18:17:18 | e |
@@ -28,16 +30,23 @@ nodes
| exception-xss.js:35:18:35:18 | e |
| exception-xss.js:35:18:35:18 | e |
| exception-xss.js:38:16:38:16 | x |
| exception-xss.js:39:3:39:10 | exceptional return of deep2(x) |
| exception-xss.js:39:9:39:9 | x |
| exception-xss.js:41:17:41:17 | x |
| exception-xss.js:42:3:42:10 | exceptional return of inner(x) |
| exception-xss.js:42:9:42:9 | x |
| exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) |
| exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) |
| exception-xss.js:46:8:46:18 | "bar" + foo |
| exception-xss.js:46:16:46:18 | foo |
| exception-xss.js:47:10:47:10 | e |
| exception-xss.js:48:18:48:18 | e |
| exception-xss.js:48:18:48:18 | e |
| exception-xss.js:74:28:74:28 | x |
| exception-xss.js:75:4:75:11 | exceptional return of inner(x) |
| exception-xss.js:75:10:75:10 | x |
| exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) |
| exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) |
| exception-xss.js:81:16:81:18 | foo |
| exception-xss.js:82:10:82:10 | e |
| exception-xss.js:83:18:83:18 | e |
@@ -71,12 +80,15 @@ edges
| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
| exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
| exception-xss.js:4:20:4:20 | x | exception-xss.js:5:14:5:14 | x |
| exception-xss.js:5:14:5:14 | x | exception-xss.js:16:10:16:10 | e |
| exception-xss.js:5:14:5:14 | x | exception-xss.js:47:10:47:10 | e |
| exception-xss.js:5:14:5:14 | x | exception-xss.js:82:10:82:10 | e |
| exception-xss.js:5:14:5:14 | x | exception-xss.js:15:3:15:12 | exceptional return of inner(foo) |
| exception-xss.js:5:14:5:14 | x | exception-xss.js:15:3:15:12 | exceptional return of inner(foo) |
| exception-xss.js:5:14:5:14 | x | exception-xss.js:42:3:42:10 | exceptional return of inner(x) |
| exception-xss.js:5:14:5:14 | x | exception-xss.js:75:4:75:11 | exceptional return of inner(x) |
| exception-xss.js:9:11:9:13 | foo | exception-xss.js:10:10:10:10 | e |
| exception-xss.js:10:10:10:10 | e | exception-xss.js:11:18:11:18 | e |
| exception-xss.js:10:10:10:10 | e | exception-xss.js:11:18:11:18 | e |
| exception-xss.js:15:3:15:12 | exceptional return of inner(foo) | exception-xss.js:16:10:16:10 | e |
| exception-xss.js:15:3:15:12 | exceptional return of inner(foo) | exception-xss.js:16:10:16:10 | e |
| exception-xss.js:15:9:15:11 | foo | exception-xss.js:4:20:4:20 | x |
| exception-xss.js:16:10:16:10 | e | exception-xss.js:17:18:17:18 | e |
| exception-xss.js:16:10:16:10 | e | exception-xss.js:17:18:17:18 | e |
@@ -93,15 +105,24 @@ edges
| exception-xss.js:34:10:34:10 | e | exception-xss.js:35:18:35:18 | e |
| exception-xss.js:34:10:34:10 | e | exception-xss.js:35:18:35:18 | e |
| exception-xss.js:38:16:38:16 | x | exception-xss.js:39:9:39:9 | x |
| exception-xss.js:39:3:39:10 | exceptional return of deep2(x) | exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) |
| exception-xss.js:39:3:39:10 | exceptional return of deep2(x) | exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) |
| exception-xss.js:39:9:39:9 | x | exception-xss.js:41:17:41:17 | x |
| exception-xss.js:41:17:41:17 | x | exception-xss.js:42:9:42:9 | x |
| exception-xss.js:42:3:42:10 | exceptional return of inner(x) | exception-xss.js:39:3:39:10 | exceptional return of deep2(x) |
| exception-xss.js:42:9:42:9 | x | exception-xss.js:4:20:4:20 | x |
| exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) | exception-xss.js:47:10:47:10 | e |
| exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) | exception-xss.js:47:10:47:10 | e |
| exception-xss.js:46:8:46:18 | "bar" + foo | exception-xss.js:38:16:38:16 | x |
| exception-xss.js:46:16:46:18 | foo | exception-xss.js:46:8:46:18 | "bar" + foo |
| exception-xss.js:47:10:47:10 | e | exception-xss.js:48:18:48:18 | e |
| exception-xss.js:47:10:47:10 | e | exception-xss.js:48:18:48:18 | e |
| exception-xss.js:74:28:74:28 | x | exception-xss.js:75:10:75:10 | x |
| exception-xss.js:75:4:75:11 | exceptional return of inner(x) | exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) |
| exception-xss.js:75:4:75:11 | exceptional return of inner(x) | exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) |
| exception-xss.js:75:10:75:10 | x | exception-xss.js:4:20:4:20 | x |
| exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) | exception-xss.js:82:10:82:10 | e |
| exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) | exception-xss.js:82:10:82:10 | e |
| exception-xss.js:81:16:81:18 | foo | exception-xss.js:74:28:74:28 | x |
| exception-xss.js:82:10:82:10 | e | exception-xss.js:83:18:83:18 | e |
| exception-xss.js:82:10:82:10 | e | exception-xss.js:83:18:83:18 | e |
@@ -128,3 +149,4 @@ edges
| exception-xss.js:83:18:83:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:83:18:83:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
| exception-xss.js:91:18:91:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:91:18:91:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
| exception-xss.js:97:18:97:18 | e | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:97:18:97:18 | e | Cross-site scripting vulnerability due to $@. | exception-xss.js:2:15:2:31 | document.location | user-provided value |
| exception-xss.js:109:14:109:30 | "Exception: " + e | exception-xss.js:107:13:107:25 | req.params.id | exception-xss.js:109:14:109:30 | "Exception: " + e | Cross-site scripting vulnerability due to $@. | exception-xss.js:107:13:107:25 | req.params.id | user-provided value |