JS: Don't create new flow labels in *Customizations.qll files

Asger Feldthaus
2020-10-08 14:03:21 +01:00
parent 28b449226c
commit 42fc4ff78c
13 changed files with 61 additions and 11 deletions


@@ -14,6 +14,11 @@ import UrlConcatenation
module ClientSideUrlRedirect {
import ClientSideUrlRedirectCustomizations::ClientSideUrlRedirect
// Materialize flow labels
private class ConcreteDocumentUrl extends DocumentUrl {
ConcreteDocumentUrl() { this = this }
}
/**
* A taint-tracking configuration for reasoning about unvalidated URL redirections.
*/
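Review bot: The comment `// Materialize flow labels` above `ConcreteDocumentUrl` does not say why a subclass whose characteristic predicate is just `this = this` is needed, so a later cleanup could delete it as dead code. Since `DocumentUrl` becomes abstract in the Customizations file, this private class appears to be the only thing that gives the label a value; removing it would make the redirect query drop every flow carrying that label without any compile error. I would expand the comment to something like `// DocumentUrl is abstract in ClientSideUrlRedirectCustomizations; this concrete subclass is what makes the label exist once this file is imported.` The same applies to the `Concrete*` classes added in InsecureDownload, PostMessageStar, PrototypePollution, TaintedPath, UnsafeDynamicMethodAccess and UnvalidatedDynamicMethodCall. The module body continues outside the hunk.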


@@ -29,7 +29,7 @@ module ClientSideUrlRedirect {
* A flow label for values that represent the URL of the current document, and
* hence are only partially user-controlled.
*/
class DocumentUrl extends DataFlow::FlowLabel {
abstract class DocumentUrl extends DataFlow::FlowLabel {
DocumentUrl() { this = "document.url" }
}
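Review bot: The QLDoc on `DocumentUrl` still reads as if the label always exists, but with `abstract` it has no values unless a concrete subclass is in scope, and the visible hunks add one only in the main `ClientSideUrlRedirect` module. A customization or other library that imports just the Customizations module and refers to `DocumentUrl` would compile and then match nothing, which for a security query means missed results rather than an error. I would add a line to the doc comment such as `* This class is abstract; the label only has a value once the ClientSideUrlRedirect query library is imported.` The same gap applies to `PartiallyTaintedObject`, `TaintedObjectWrapper`, `PosixPath`, `SplitPath`, `UnsafeFunction`, `MaybeNonFunction` and `MaybeFromProto`.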


@@ -14,6 +14,14 @@ import javascript
module InsecureDownload {
import InsecureDownloadCustomizations::InsecureDownload
// Materialize flow labels
private class ConcreteSensitiveInsecureURL extends Label::SensitiveInsecureURL {
ConcreteSensitiveInsecureURL() { this = this }
}
private class ConcreteInsecureURL extends Label::InsecureURL {
ConcreteInsecureURL() { this = this }
}
/**
* A taint tracking configuration for download of sensitive file through insecure connection.
*/


@@ -12,6 +12,11 @@ import javascript
module PostMessageStar {
import PostMessageStarCustomizations::PostMessageStar
// Materialize flow labels
private class ConcretePartiallyTaintedObject extends PartiallyTaintedObject {
ConcretePartiallyTaintedObject() { this = this }
}
/**
* A taint tracking configuration for cross-window communication with unrestricted origin.
*


@@ -26,7 +26,7 @@ module PostMessageStar {
/**
* A flow label representing an object with at least one tainted property.
*/
class PartiallyTaintedObject extends DataFlow::FlowLabel {
abstract class PartiallyTaintedObject extends DataFlow::FlowLabel {
PartiallyTaintedObject() { this = "partially tainted object" }
}


@@ -15,6 +15,11 @@ import semmle.javascript.dependencies.SemVer
module PrototypePollution {
import PrototypePollutionCustomizations::PrototypePollution
// Materialize flow labels
private class ConcreteTaintedObjectWrapper extends TaintedObjectWrapper {
ConcreteTaintedObjectWrapper() { this = this }
}
/**
* A taint tracking configuration for user-controlled objects flowing into deep `extend` calls,
* leading to prototype pollution.


@@ -24,11 +24,13 @@ module PrototypePollution {
* }
* ```
*/
module TaintedObjectWrapper {
private class TaintedObjectWrapper extends DataFlow::FlowLabel {
TaintedObjectWrapper() { this = "tainted-object-wrapper" }
}
abstract class TaintedObjectWrapper extends DataFlow::FlowLabel {
TaintedObjectWrapper() { this = "tainted-object-wrapper" }
}
/** Companion module to the `TaintedObjectWrapper` class. */
module TaintedObjectWrapper {
/** Gets the instance of the `TaintedObjectWrapper` label. */
TaintedObjectWrapper label() { any() }
}
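Review bot: `label()` is documented as `Gets the instance of the TaintedObjectWrapper label`, but now that the class is abstract the predicate has no result unless the concrete subclass from the main PrototypePollution module is in scope. Sources, sinks or steps written against `TaintedObjectWrapper::label()` in a file that imports only the Customizations module would therefore contribute nothing, and the query would under-report silently. I would say so in the QLDoc, for example `/** Gets the TaintedObjectWrapper label; has no result unless the PrototypePollution library is imported. */`, and do the same for `unsafeFunction()` in UnsafeDynamicMethodAccess. The class also changes from private inside the companion module to a public member of `PrototypePollution`, presumably so the other file can extend it; that widening of the module's API deserves a mention in the commit description.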


@@ -12,6 +12,14 @@ import javascript
module TaintedPath {
import TaintedPathCustomizations::TaintedPath
// Materialize flow labels
private class ConcretePosixPath extends Label::PosixPath {
ConcretePosixPath() { this = this }
}
private class ConcreteSplitPath extends Label::SplitPath {
ConcreteSplitPath() { this = this }
}
/**
* A taint-tracking configuration for reasoning about tainted-path vulnerabilities.
*/


@@ -55,7 +55,7 @@ module TaintedPath {
* There are currently four flow labels, representing the different combinations of
* normalization and absoluteness.
*/
class PosixPath extends DataFlow::FlowLabel {
abstract class PosixPath extends DataFlow::FlowLabel {
Normalization normalization;
Relativeness relativeness;
@@ -113,7 +113,7 @@ module TaintedPath {
/**
* A flow label representing an array of path elements that may include "..".
*/
class SplitPath extends DataFlow::FlowLabel {
abstract class SplitPath extends DataFlow::FlowLabel {
SplitPath() { this = "splitPath" }
}
}


@@ -14,6 +14,11 @@ module UnsafeDynamicMethodAccess {
private import DataFlow::FlowLabel
import UnsafeDynamicMethodAccessCustomizations::UnsafeDynamicMethodAccess
// Materialize flow labels
private class ConcreteUnsafeFunction extends UnsafeFunction {
ConcreteUnsafeFunction() { this = this }
}
/**
* A taint-tracking configuration for reasoning about unsafe dynamic method access.
*/


@@ -43,7 +43,11 @@ module UnsafeDynamicMethodAccess {
*/
UnsafeFunction unsafeFunction() { any() }
private class UnsafeFunction extends DataFlow::FlowLabel {
/**
* Flow label describing values that may refer to an unsafe
* function as a result of an attacker-controlled property name.
*/
abstract class UnsafeFunction extends DataFlow::FlowLabel {
UnsafeFunction() { this = "UnsafeFunction" }
}


@@ -17,6 +17,14 @@ module UnvalidatedDynamicMethodCall {
import UnvalidatedDynamicMethodCallCustomizations::UnvalidatedDynamicMethodCall
private import DataFlow::FlowLabel
// Materialize flow labels
private class ConcreteMaybeNonFunction extends MaybeNonFunction {
ConcreteMaybeNonFunction() { this = this }
}
private class ConcreteMaybeFromProto extends MaybeFromProto {
ConcreteMaybeFromProto() { this = this }
}
/**
* A taint-tracking configuration for reasoning about unvalidated dynamic method calls.
*/


@@ -43,7 +43,7 @@ module UnvalidatedDynamicMethodCall {
* A flow label describing values read from a user-controlled property that
* may not be functions.
*/
class MaybeNonFunction extends DataFlow::FlowLabel {
abstract class MaybeNonFunction extends DataFlow::FlowLabel {
MaybeNonFunction() { this = "MaybeNonFunction" }
}
@@ -51,7 +51,7 @@ module UnvalidatedDynamicMethodCall {
* A flow label describing values read from a user-controlled property that
* may originate from a prototype object.
*/
class MaybeFromProto extends DataFlow::FlowLabel {
abstract class MaybeFromProto extends DataFlow::FlowLabel {
MaybeFromProto() { this = "MaybeFromProto" }
}