JS: introduce models of three cookie libraries

2026-05-01 19:55:15 +02:00 · 2018-12-05 23:10:34 +01:00
parent 28b4a78430
commit 45b207c21b
9 changed files with 134 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/CookieLibraries.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/CookieLibraries.qll
@@ -0,0 +1,93 @@
+
+/**
+ * Provides classes for reasoning about cookies.
+ */
+
+import javascript
+
+/**
+ * A model of the `js-cookie` library (https://github.com/js-cookie/js-cookie).
+ */
+private module JsCookie {
+  /**
+   * Gets a function call that invokes method `name` of the `js-cookie` library.
+   */
+  DataFlow::CallNode libMemberCall(string name) {
+    result = DataFlow::globalVarRef("Cookie").getAMemberCall(name) or
+    result = DataFlow::globalVarRef("Cookie").getAMemberCall("noConflict").getAMemberCall(name) or
+    result = DataFlow::moduleMember("js-cookie", name).getACall()
+  }
+
+  class ReadAccess extends PersistentReadAccess, DataFlow::CallNode {
+    ReadAccess() { this = libMemberCall("get") }
+
+    override PersistentWriteAccess getAWrite() {
+      getArgument(0).mayHaveStringValue(result.(WriteAccess).getKey())
+    }
+  }
+
+  class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode {
+    WriteAccess() { this = libMemberCall("set") }
+
+    string getKey() { getArgument(0).mayHaveStringValue(result) }
+
+    override DataFlow::Node getValue() { result = getArgument(1) }
+  }
+}
+
+/**
+ * A model of the `browser-cookies` library (https://github.com/voltace/browser-cookies).
+ */
+private module BrowserCookies {
+  /**
+   * Gets a function call that invokes method `name` of the `browser-cookies` library.
+   */
+  DataFlow::CallNode libMemberCall(string name) {
+    result = DataFlow::moduleMember("browser-cookies", name).getACall()
+  }
+
+  class ReadAccess extends PersistentReadAccess, DataFlow::CallNode {
+    ReadAccess() { this = libMemberCall("get") }
+
+    override PersistentWriteAccess getAWrite() {
+      getArgument(0).mayHaveStringValue(result.(WriteAccess).getKey())
+    }
+  }
+
+  class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode {
+    WriteAccess() { this = libMemberCall("set") }
+
+    string getKey() { getArgument(0).mayHaveStringValue(result) }
+
+    override DataFlow::Node getValue() { result = getArgument(1) }
+  }
+}
+
+/**
+ * A model of the `cookie` library (https://github.com/jshttp/cookie).
+ */
+private module LibCookie {
+  /**
+   * Gets a function call that invokes method `name` of the `cookie` library.
+   */
+  DataFlow::CallNode libMemberCall(string name) {
+    result = DataFlow::moduleMember("cookie", name).getACall()
+  }
+
+  class ReadAccess extends PersistentReadAccess {
+    string key;
+    ReadAccess() { this = libMemberCall("parse").getAPropertyRead(key) }
+
+    override PersistentWriteAccess getAWrite() {
+      key = result.(WriteAccess).getKey()
+    }
+  }
+
+  class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode {
+    WriteAccess() { this = libMemberCall("serialize") }
+
+    string getKey() { getArgument(0).mayHaveStringValue(result) }
+
+    override DataFlow::Node getValue() { result = getArgument(1) }
+  }
+}