JS: split CommandInjection.qll

2025-12-18 01:33:15 +01:00 · 2019-07-04 13:13:47 +02:00
parent ccc171ce18
commit 48b655f1c7
2 changed files with 45 additions and 29 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/CommandInjection.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CommandInjection.qll
@@ -1,26 +1,16 @@
 /**
- * Provides a taint tracking configuration for reasoning about command-injection
- * vulnerabilities (CWE-078).
+ * Provides a taint tracking configuration for reasoning about
+ * command-injection vulnerabilities (CWE-078).
+ *
+ * Note, for performance reasons: only import this file if
+ * `CommandInjection::Configuration` is needed, otherwise
+ * `CommandInjectionCustomizations` should be imported instead.
 */

 import javascript
-import semmle.javascript.security.dataflow.RemoteFlowSources

 module CommandInjection {
-  /**
-   * A data flow source for command-injection vulnerabilities.
-   */
-  abstract class Source extends DataFlow::Node { }
-
-  /**
-   * A data flow sink for command-injection vulnerabilities.
-   */
-  abstract class Sink extends DataFlow::Node { }
-
-  /**
-   * A sanitizer for command-injection vulnerabilities.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
+  import CommandInjectionCustomizations::CommandInjection

  /**
   * A taint-tracking configuration for reasoning about command-injection vulnerabilities.
@@ -45,18 +35,6 @@ module CommandInjection {
    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
  }

-  /** A source of remote user input, considered as a flow source for command injection. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
-  }
-
-  /**
-   * A command argument to a function that initiates an operating system command.
-   */
-  class SystemCommandExecutionSink extends Sink, DataFlow::ValueNode {
-    SystemCommandExecutionSink() { this = any(SystemCommandExecution sys).getACommandArgument() }
-  }
-
  /**
   * Auxiliary data flow configuration for tracking string literals that look like they
   * may refer to an operating system shell, and array literals that may end up being
--- a/javascript/ql/src/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll
@@ -0,0 +1,38 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * command-injection vulnerabilities, as well as extension points for
+ * adding your own.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.RemoteFlowSources
+
+module CommandInjection {
+  /**
+   * A data flow source for command-injection vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for command-injection vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for command-injection vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** A source of remote user input, considered as a flow source for command injection. */
+  class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  }
+
+  /**
+   * A command argument to a function that initiates an operating system command.
+   */
+  class SystemCommandExecutionSink extends Sink, DataFlow::ValueNode {
+    SystemCommandExecutionSink() { this = any(SystemCommandExecution sys).getACommandArgument() }
+  }
+
+}