From 3fcd02ab0e226f9563a302c847c4acfbec038db9 Mon Sep 17 00:00:00 2001 
From: Max Schaefer Date: Wed, 14 Nov 2018 11:23:17 +0000 Subject: [PATCH] JavaScript: Rename `hasPathFlow` to `hasFlowPath` for consistency with other languages. --- javascript/ql/src/Security/CWE-022/TaintedPath.ql | 2 +- .../ql/src/Security/CWE-078/CommandInjection.ql | 2 +- javascript/ql/src/Security/CWE-079/ReflectedXss.ql | 2 +- javascript/ql/src/Security/CWE-079/StoredXss.ql | 2 +- javascript/ql/src/Security/CWE-079/Xss.ql | 2 +- javascript/ql/src/Security/CWE-089/SqlInjection.ql | 2 +- javascript/ql/src/Security/CWE-094/CodeInjection.ql | 2 +- .../ql/src/Security/CWE-134/TaintedFormatString.ql | 2 +- .../ql/src/Security/CWE-200/FileAccessToHttp.ql | 2 +- .../ql/src/Security/CWE-209/StackTraceExposure.ql | 2 +- .../ql/src/Security/CWE-312/CleartextLogging.ql | 2 +- .../ql/src/Security/CWE-312/CleartextStorage.ql | 2 +- .../src/Security/CWE-327/BrokenCryptoAlgorithm.ql | 2 +- .../ql/src/Security/CWE-338/InsecureRandomness.ql | 2 +- .../CWE-346/CorsMisconfigurationForCredentials.ql | 2 +- .../src/Security/CWE-400/RemotePropertyInjection.ql | 2 +- .../src/Security/CWE-502/UnsafeDeserialization.ql | 2 +- .../src/Security/CWE-601/ClientSideUrlRedirect.ql | 2 +- .../src/Security/CWE-601/ServerSideUrlRedirect.ql | 2 +- javascript/ql/src/Security/CWE-611/Xxe.ql | 2 +- .../CWE-640/HostHeaderPoisoningInEmailGeneration.ql | 2 +- .../ql/src/Security/CWE-643/XpathInjection.ql | 2 +- .../ql/src/Security/CWE-730/RegExpInjection.ql | 2 +- javascript/ql/src/Security/CWE-776/XmlBomb.ql | 2 +- .../ql/src/Security/CWE-798/HardcodedCredentials.ql | 2 +- .../ql/src/Security/CWE-807/ConditionalBypass.ql | 6 +++--- .../TypeConfusionThroughParameterTampering.ql | 2 +- .../ql/src/Security/CWE-912/HttpToFileAccess.ql | 2 +- .../Security/CWE-916/InsufficientPasswordHash.ql | 2 +- .../ql/src/Security/CWE-918/RequestForgery.ql | 2 +- .../semmle/javascript/dataflow/Configuration.qll | 13 +++++++++++-- 31 files changed, 43 insertions(+), 34 deletions(-) 
diff --git a/javascript/ql/src/Security/CWE-022/TaintedPath.ql b/javascript/ql/src/Security/CWE-022/TaintedPath.ql index 8a3e7075216..b545fabafed 100644 --- a/javascript/ql/src/Security/CWE-022/TaintedPath.ql +++ b/javascript/ql/src/Security/CWE-022/TaintedPath.ql @@ -19,6 +19,6 @@ import semmle.javascript.security.dataflow.TaintedPath::TaintedPath import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "This path depends on $@.", source.getNode(), "a user-provided value" diff --git a/javascript/ql/src/Security/CWE-078/CommandInjection.ql b/javascript/ql/src/Security/CWE-078/CommandInjection.ql index 317c407003c..2e356e9fdc3 100644 --- a/javascript/ql/src/Security/CWE-078/CommandInjection.ql +++ b/javascript/ql/src/Security/CWE-078/CommandInjection.ql @@ -17,7 +17,7 @@ import semmle.javascript.security.dataflow.CommandInjection::CommandInjection import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node highlight -where cfg.hasPathFlow(source, sink) and +where cfg.hasFlowPath(source, sink) and if cfg.isSinkWithHighlight(sink.getNode(), _) then cfg.isSinkWithHighlight(sink.getNode(), highlight) else diff --git a/javascript/ql/src/Security/CWE-079/ReflectedXss.ql b/javascript/ql/src/Security/CWE-079/ReflectedXss.ql index 5b308800209..c9ed51c35cd 100644 --- a/javascript/ql/src/Security/CWE-079/ReflectedXss.ql +++ b/javascript/ql/src/Security/CWE-079/ReflectedXss.ql @@ -16,6 +16,6 @@ import semmle.javascript.security.dataflow.ReflectedXss::ReflectedXss import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.", source.getNode(), "user-provided value" 
diff --git a/javascript/ql/src/Security/CWE-079/StoredXss.ql b/javascript/ql/src/Security/CWE-079/StoredXss.ql index f1e386c291b..e0deee47b71 100644 --- a/javascript/ql/src/Security/CWE-079/StoredXss.ql +++ b/javascript/ql/src/Security/CWE-079/StoredXss.ql @@ -16,6 +16,6 @@ import semmle.javascript.security.dataflow.StoredXss::StoredXss import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "Stored cross-site scripting vulnerability due to $@.", source.getNode(), "stored value" diff --git a/javascript/ql/src/Security/CWE-079/Xss.ql b/javascript/ql/src/Security/CWE-079/Xss.ql index b6ba13918cb..c1e5f1f376b 100644 --- a/javascript/ql/src/Security/CWE-079/Xss.ql +++ b/javascript/ql/src/Security/CWE-079/Xss.ql @@ -16,6 +16,6 @@ import semmle.javascript.security.dataflow.DomBasedXss::DomBasedXss import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, sink.getNode().(Sink).getVulnerabilityKind() + " vulnerability due to $@.", source.getNode(), "user-provided value" diff --git a/javascript/ql/src/Security/CWE-089/SqlInjection.ql b/javascript/ql/src/Security/CWE-089/SqlInjection.ql index 6ae6d092723..4df8b41a06f 100644 --- a/javascript/ql/src/Security/CWE-089/SqlInjection.ql +++ b/javascript/ql/src/Security/CWE-089/SqlInjection.ql @@ -18,6 +18,6 @@ import DataFlow::PathGraph from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink where (cfg instanceof SqlInjection::Configuration or cfg instanceof NosqlInjection::Configuration) and - cfg.hasPathFlow(source, sink) + cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "This query depends on $@.", source.getNode(), "a user-provided value" 
diff --git a/javascript/ql/src/Security/CWE-094/CodeInjection.ql b/javascript/ql/src/Security/CWE-094/CodeInjection.ql index 506e206bc0a..745dd2cd62e 100644 --- a/javascript/ql/src/Security/CWE-094/CodeInjection.ql +++ b/javascript/ql/src/Security/CWE-094/CodeInjection.ql @@ -17,6 +17,6 @@ import semmle.javascript.security.dataflow.CodeInjection::CodeInjection import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.", source.getNode(), "User-provided value" diff --git a/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql b/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql index 78ab720d235..bd7e9c869c7 100644 --- a/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql +++ b/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql @@ -14,6 +14,6 @@ import semmle.javascript.security.dataflow.TaintedFormatString::TaintedFormatStr import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "$@ flows here and is used in a format string.", source.getNode(), "User-provided value" diff --git a/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql b/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql index 22b254a8bd6..05a28eba3c6 100644 --- a/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql +++ b/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql 
@@ -13,6 +13,6 @@ import semmle.javascript.security.dataflow.FileAccessToHttp::FileAccessToHttp import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "$@ flows directly to outbound network request", source.getNode(), "File data" diff --git a/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql b/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql index d67d9f643ab..24bb60be541 100644 --- a/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql +++ b/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql @@ -16,6 +16,6 @@ import semmle.javascript.security.dataflow.StackTraceExposure::StackTraceExposur import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "Stack trace information from $@ may be exposed to an external user here.", source.getNode(), "here" diff --git a/javascript/ql/src/Security/CWE-312/CleartextLogging.ql b/javascript/ql/src/Security/CWE-312/CleartextLogging.ql index 34a4f5414cf..03c86d32755 100644 --- a/javascript/ql/src/Security/CWE-312/CleartextLogging.ql +++ b/javascript/ql/src/Security/CWE-312/CleartextLogging.ql @@ -33,7 +33,7 @@ predicate inBrowserEnvironment(TopLevel tl) { } from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) and +where cfg.hasFlowPath(source, sink) and // ignore logging to the browser console (even though it is not a good practice) not inBrowserEnvironment(sink.getNode().asExpr().getTopLevel()) select sink.getNode(), source, sink, "Sensitive data returned by $@ is logged here.", diff --git a/javascript/ql/src/Security/CWE-312/CleartextStorage.ql b/javascript/ql/src/Security/CWE-312/CleartextStorage.ql index b87b266ed36..d54d51b024c 100644 
--- a/javascript/ql/src/Security/CWE-312/CleartextStorage.ql +++ b/javascript/ql/src/Security/CWE-312/CleartextStorage.ql @@ -17,6 +17,6 @@ import semmle.javascript.security.dataflow.CleartextStorage::CleartextStorage import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "Sensitive data returned by $@ is stored here.", source.getNode(), source.getNode().(Source).describe() diff --git a/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql b/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql index 533c8109018..501041a4b2f 100644 --- a/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql +++ b/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql @@ -15,7 +15,7 @@ import semmle.javascript.security.SensitiveActions import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) and +where cfg.hasFlowPath(source, sink) and not source.getNode().asExpr() instanceof CleartextPasswordExpr // flagged by js/insufficient-password-hash select sink.getNode(), source, sink, "Sensitive data from $@ is used in a broken or weak cryptographic algorithm.", source.getNode(), source.getNode().(Source).describe() diff --git a/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql b/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql index 3b9df302008..5b48a98740e 100644 --- a/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql +++ b/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql 
@@ -15,6 +15,6 @@ import semmle.javascript.security.dataflow.InsecureRandomness::InsecureRandomnes import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "Cryptographically insecure $@ in a security context.", source.getNode(), "random value" diff --git a/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql b/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql index 44c478ea1c5..2c1aef77795 100644 --- a/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql +++ b/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql @@ -16,7 +16,7 @@ import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentials::C import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "$@ leak vulnerability due to $@.", sink.getNode().(Sink).getCredentialsHeader(), "Credential", source.getNode(), "a misconfigured CORS header value" diff --git a/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql b/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql index b9af490ffb6..4457899f6b3 100644 --- a/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql +++ b/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql @@ -17,6 +17,6 @@ import semmle.javascript.security.dataflow.RemotePropertyInjection::RemoteProper import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "A $@ is used as" + sink.getNode().(Sink).getMessage(), source.getNode(), "user-provided value" 
diff --git a/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql b/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql index 107868857bd..8795546883e 100644 --- a/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql +++ b/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql @@ -15,6 +15,6 @@ import semmle.javascript.security.dataflow.UnsafeDeserialization::UnsafeDeserial import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "Unsafe deserialization of $@.", source.getNode(), "user input" diff --git a/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql b/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql index 8080784e894..9edc3e739d8 100644 --- a/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql +++ b/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql @@ -17,6 +17,6 @@ import semmle.javascript.security.dataflow.ClientSideUrlRedirect::ClientSideUrlR import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source.getNode(), "user-provided value" diff --git a/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql b/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql index 62d2671c8ea..a591f9d1d52 100644 --- a/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql +++ b/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql 
@@ -15,6 +15,6 @@ import semmle.javascript.security.dataflow.ServerSideUrlRedirect::ServerSideUrlR import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source.getNode(), "user-provided value" diff --git a/javascript/ql/src/Security/CWE-611/Xxe.ql b/javascript/ql/src/Security/CWE-611/Xxe.ql index 914f1e4a726..3f2cb797e1c 100644 --- a/javascript/ql/src/Security/CWE-611/Xxe.ql +++ b/javascript/ql/src/Security/CWE-611/Xxe.ql @@ -16,6 +16,6 @@ import semmle.javascript.security.dataflow.Xxe::Xxe import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "A $@ is parsed as XML without guarding against external entity expansion.", source.getNode(), "user-provided value" diff --git a/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql b/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql index c12f0e736f5..c5749967e2c 100644 --- a/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql +++ b/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql @@ -15,6 +15,6 @@ import semmle.javascript.security.dataflow.HostHeaderPoisoningInEmailGeneration: import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "Links in this email can be hijacked by poisoning the HTTP host header $@.", source.getNode(), "here" diff --git a/javascript/ql/src/Security/CWE-643/XpathInjection.ql b/javascript/ql/src/Security/CWE-643/XpathInjection.ql index f212e4a7a1a..8fe847b8f16 100644 
--- a/javascript/ql/src/Security/CWE-643/XpathInjection.ql +++ b/javascript/ql/src/Security/CWE-643/XpathInjection.ql @@ -15,6 +15,6 @@ import semmle.javascript.security.dataflow.XpathInjection::XpathInjection import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "$@ flows here and is used in an XPath expression.", source.getNode(), "User-provided value" diff --git a/javascript/ql/src/Security/CWE-730/RegExpInjection.ql b/javascript/ql/src/Security/CWE-730/RegExpInjection.ql index 3053a64f53f..57873397447 100644 --- a/javascript/ql/src/Security/CWE-730/RegExpInjection.ql +++ b/javascript/ql/src/Security/CWE-730/RegExpInjection.ql @@ -17,6 +17,6 @@ import semmle.javascript.security.dataflow.RegExpInjection::RegExpInjection import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "This regular expression is constructed from a $@.", source.getNode(), "user-provided value" diff --git a/javascript/ql/src/Security/CWE-776/XmlBomb.ql b/javascript/ql/src/Security/CWE-776/XmlBomb.ql index 733fe7fe414..878d01d6f4d 100644 --- a/javascript/ql/src/Security/CWE-776/XmlBomb.ql +++ b/javascript/ql/src/Security/CWE-776/XmlBomb.ql @@ -16,6 +16,6 @@ import semmle.javascript.security.dataflow.XmlBomb::XmlBomb import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "A $@ is parsed as XML without guarding against uncontrolled entity expansion.", source.getNode(), "user-provided value" 
diff --git a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql index b172e28edb9..9c6959989e7 100644 --- a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql +++ b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql @@ -17,7 +17,7 @@ private import semmle.javascript.security.dataflow.HardcodedCredentials::Hardcod import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string value -where cfg.hasPathFlow(source, sink) and +where cfg.hasFlowPath(source, sink) and // use source value in message if it's available if source.getNode().asExpr() instanceof ConstantString then value = "The hard-coded value \"" + source.getNode().asExpr().(ConstantString).getStringValue() + "\"" diff --git a/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql b/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql index f31549d259c..8470dc7a4c3 100644 --- a/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql +++ b/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql 
@@ -73,13 +73,13 @@ predicate isTaintedGuardForSensitiveAction(DataFlow::PathNode sink, DataFlow::Pa not sink.getNode() instanceof SensitiveActionGuardComparisonOperand and exists (Configuration cfg | // ordinary taint tracking to a guard - cfg.hasPathFlow(source, sink) or + cfg.hasFlowPath(source, sink) or // taint tracking to both operands of a guard comparison exists (SensitiveActionGuardComparison cmp, DataFlow::PathNode lSource, DataFlow::PathNode rSource, DataFlow::PathNode lSink, DataFlow::PathNode rSink | sink.getNode() = cmp.getGuard() and - cfg.hasPathFlow(lSource, lSink) and lSink.getNode() = DataFlow::valueNode(cmp.getLeftOperand()) and - cfg.hasPathFlow(rSource, rSink) and rSink.getNode() = DataFlow::valueNode(cmp.getRightOperand()) | + cfg.hasFlowPath(lSource, lSink) and lSink.getNode() = DataFlow::valueNode(cmp.getLeftOperand()) and + cfg.hasFlowPath(rSource, rSink) and rSink.getNode() = DataFlow::valueNode(cmp.getRightOperand()) | source = lSource or source = rSource ) diff --git a/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql b/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql index d0499905a93..c2bad509015 100644 --- a/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql +++ b/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql @@ -14,6 +14,6 @@ import semmle.javascript.security.dataflow.TypeConfusionThroughParameterTamperin import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "Potential type confusion for $@.", source.getNode(), "HTTP request parameter" diff --git a/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql b/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql index 3f913ea4530..fe42fe8ef04 100644 --- a/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql 
+++ b/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql @@ -13,5 +13,5 @@ import semmle.javascript.security.dataflow.HttpToFileAccess::HttpToFileAccess import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "$@ flows to file system", source.getNode(), "Untrusted data" diff --git a/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql b/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql index 37d0bb8c8c2..e2a94d06ae0 100644 --- a/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql +++ b/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql @@ -14,6 +14,6 @@ import semmle.javascript.security.dataflow.InsufficientPasswordHash::Insufficien import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink -where cfg.hasPathFlow(source, sink) +where cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "Password from $@ is hashed insecurely.", source.getNode(), source.getNode().(Source).describe() diff --git a/javascript/ql/src/Security/CWE-918/RequestForgery.ql b/javascript/ql/src/Security/CWE-918/RequestForgery.ql index 24039a70a1a..c1d80a78a3e 100644 --- a/javascript/ql/src/Security/CWE-918/RequestForgery.ql +++ b/javascript/ql/src/Security/CWE-918/RequestForgery.ql @@ -14,7 +14,7 @@ import semmle.javascript.security.dataflow.RequestForgery::RequestForgery import DataFlow::PathGraph from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node request -where cfg.hasPathFlow(source, sink) and +where cfg.hasFlowPath(source, sink) and request = sink.getNode().(Sink).getARequest() select request, source, sink, "The $@ of this request depends on $@.", sink.getNode(), sink.getNode().(Sink).getKind(), source, "a user-provided value" 
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll index 9f23ef9c5e2..681b252f085 100644 --- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll +++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll @@ -189,7 +189,7 @@ abstract class Configuration extends string { predicate hasFlow(DataFlow::Node source, DataFlow::Node sink) { isSource(_, this, _) and isSink(_, this, _) and exists (SourcePathNode flowsource, SinkPathNode flowsink | - hasPathFlow(flowsource, flowsink) and + hasFlowPath(flowsource, flowsink) and source = flowsource.getNode() and sink = flowsink.getNode() ) @@ -198,10 +198,19 @@ abstract class Configuration extends string { /** * Holds if data may flow from `source` to `sink` for this configuration. */ - predicate hasPathFlow(SourcePathNode source, SinkPathNode sink) { + predicate hasFlowPath(SourcePathNode source, SinkPathNode sink) { flowsTo(source, _, sink, _, this) } + /** + * DEPRECATED: Use `hasFlowPath` instead. + * + * Holds if data may flow from `source` to `sink` for this configuration. + */ + deprecated predicate hasPathFlow(SourcePathNode source, SinkPathNode sink) { + hasFlowPath(source, sink) + } + /** * DEPRECATED: Use `hasFlow` instead. *
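Review bot: The QLDoc kept on the renamed `hasFlowPath` in the second `Configuration.qll` hunk is the same sentence that is now repeated on the deprecated `hasPathFlow` alias, and it does not say how the predicate differs from `hasFlow`, which takes plain `DataFlow::Node` arguments. Since the first hunk shows `hasFlow` being derived from `hasFlowPath` via `getNode()`, the comment could say so, for example `Holds if data may flow from source to sink for this configuration, where both are path nodes; see hasFlow for the variant on plain data-flow nodes.` The diffstat lists only the query files and `Configuration.qll`, so if the project keeps change notes, an entry for the deprecation would help authors of custom security queries that still call `hasPathFlow`. The `Configuration` class body starts and ends outside these hunks.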