JS: rename query to Unsafe Dynamic Method Access

Asger F
2018-11-21 12:34:18 +00:00
parent cb832b1de9
commit 4ae2493798
13 changed files with 18 additions and 18 deletions


@@ -24,7 +24,7 @@
| Enabling Node.js integration for Electron web content renderers (`js/enabling-electron-renderer-node-integration`) | security, frameworks/electron, external/cwe/cwe-094 | Highlights Electron web content renderer preferences with Node.js integration enabled, indicating a violation of [CWE-94](https://cwe.mitre.org/data/definitions/94.html). Results are not shown on LGTM by default. |
| File data in outbound network request | security, external/cwe/cwe-200 | Highlights locations where file data is sent in a network request. Results are not shown on LGTM by default. |
| Host header poisoning in email generation | security, external/cwe/cwe-640 | Highlights code that generates emails with links that can be hijacked by HTTP host header poisoning, indicating a violation of [CWE-640](https://cwe.mitre.org/data/definitions/640.html). Results shown on LGTM by default. |
| Method name injection (`js/method-name-injection` ) | security, external/cwe/cwe-094 | Highlights code that invokes a user-controlled method on an object with unsafe methods. |
| Unsafe dynamic method access (`js/unsafe-dynamic-method-access` ) | security, external/cwe/cwe-094 | Highlights code that invokes a user-controlled method on an object with unsafe methods. |
| Replacement of a substring with itself (`js/identity-replacement`) | correctness, security, external/cwe/cwe-116 | Highlights string replacements that replace a string with itself, which usually indicates a mistake. Results shown on LGTM by default. |
| Stored cross-site scripting (`js/stored-xss`) | security, external/cwe/cwe-079, external/cwe/cwe-116 | Highlights uncontrolled stored values flowing into HTML content, indicating a violation of [CWE-079](https://cwe.mitre.org/data/definitions/79.html). Results shown on LGTM by default. |
| Unclear precedence of nested operators (`js/unclear-operator-precedence`) | maintainability, correctness, external/cwe/cwe-783 | Highlights nested binary operators whose relative precedence is easy to misunderstand. Results shown on LGTM by default. |


@@ -7,6 +7,7 @@
+ semmlecode-javascript-queries/Security/CWE-079/Xss.ql: /Security/CWE/CWE-079
+ semmlecode-javascript-queries/Security/CWE-089/SqlInjection.ql: /Security/CWE/CWE-089
+ semmlecode-javascript-queries/Security/CWE-094/CodeInjection.ql: /Security/CWE/CWE-094
+ semmlecode-javascript-queries/Security/CWE-094/UnsafeDynamicMethodAccess.ql: /Security/CWE/CWE-094
+ semmlecode-javascript-queries/Security/CWE-116/IncompleteSanitization.ql: /Security/CWE/CWE-116
+ semmlecode-javascript-queries/Security/CWE-134/TaintedFormatString.ql: /Security/CWE/CWE-134
+ semmlecode-javascript-queries/Security/CWE-209/StackTraceExposure.ql: /Security/CWE/CWE-209
@@ -16,7 +17,6 @@
+ semmlecode-javascript-queries/Security/CWE-327/BrokenCryptoAlgorithm.ql: /Security/CWE/CWE-327
+ semmlecode-javascript-queries/Security/CWE-338/InsecureRandomness.ql: /Security/CWE/CWE-338
+ semmlecode-javascript-queries/Security/CWE-346/CorsMisconfigurationForCredentials.ql: /Security/CWE/CWE-346
+ semmlecode-javascript-queries/Security/CWE-352/MethodNameInjection.ql: /Security/CWE/CWE-094
+ semmlecode-javascript-queries/Security/CWE-352/MissingCsrfMiddleware.ql: /Security/CWE/CWE-352
+ semmlecode-javascript-queries/Security/CWE-400/RemotePropertyInjection.ql: /Security/CWE/CWE-400
+ semmlecode-javascript-queries/Security/CWE-502/UnsafeDeserialization.ql: /Security/CWE/CWE-502


@@ -27,14 +27,14 @@ A malicious website could embed the page in an iframe and execute arbitrary code
with the name <code>eval</code>.
</p>
<sample src="examples/MethodNameInjection.js" />
<sample src="examples/UnsafeDynamicMethodAccess.js" />
<p>
Instead of storing the API methods in the global scope, put them in an API object or Map. It is also good
practice to prevent invocation of inherited methods like <code>toString</code> and <code>valueOf</code>.
</p>
<sample src="examples/MethodNameInjectionGood.js" />
<sample src="examples/UnsafeDynamicMethodAccessGood.js" />
</example>


@@ -1,15 +1,15 @@
/**
* @name Method name injection
* @name Unsafe dynamic method access
* @description Invoking user-controlled methods on certain objects can lead to remote code execution.
* @kind path-problem
* @problem.severity error
* @precision high
* @id js/method-name-injection
* @id js/unsafe-dynamic-method-access
* @tags security
* external/cwe/cwe-094
*/
import javascript
import semmle.javascript.security.dataflow.MethodNameInjection::MethodNameInjection
import semmle.javascript.security.dataflow.UnsafeDynamicMethodAccess::UnsafeDynamicMethodAccess
import DataFlow::PathGraph
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink


@@ -81,7 +81,7 @@ module RemotePropertyInjection {
exists (DataFlow::PropRead pr | astNode = pr.getPropertyNameExpr() |
exists (pr.getAnInvocation()) and
// Omit sinks covered by the MethodNameInjection query
// Omit sinks covered by the UnsafeDynamicMethodAccess query
not PropertyInjection::hasUnsafeMethods(pr.getBase().getALocalSource())
)
}


@@ -1,17 +1,17 @@
/**
* Provides a taint-tracking configuration for reasoning about method invocations
* with a user-controlled method name.
* with a user-controlled method name on objects with unsafe methods.
*/
import javascript
import semmle.javascript.frameworks.Express
import PropertyInjectionShared
module MethodNameInjection {
module UnsafeDynamicMethodAccess {
private import DataFlow::FlowLabel
/**
* A data flow source for method name injection.
* A data flow source for unsafe dynamic method access.
*/
abstract class Source extends DataFlow::Node {
/**
@@ -23,7 +23,7 @@ module MethodNameInjection {
}
/**
* A data flow sink for method name injection.
* A data flow sink for unsafe dynamic method access.
*/
abstract class Sink extends DataFlow::Node {
/**
@@ -33,7 +33,7 @@ module MethodNameInjection {
}
/**
* A sanitizer for method name injection.
* A sanitizer for unsafe dynamic method access.
*/
abstract class Sanitizer extends DataFlow::Node { }
@@ -47,7 +47,7 @@ module MethodNameInjection {
}
/**
* A taint-tracking configuration for reasoning about method name injection.
* A taint-tracking configuration for reasoning about unsafe dynamic method access.
*/
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "RemotePropertyInjection" }
@@ -101,21 +101,21 @@ module MethodNameInjection {
}
/**
* A source of remote user input, considered as a source for method name injection.
* A source of remote user input, considered as a source for unsafe dynamic method access.
*/
class RemoteFlowSourceAsSource extends Source {
RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
}
/**
* The page URL considered as a flow source for method name injection.
* The page URL considered as a flow source for unsafe dynamic method access.
*/
class DocumentUrlAsSource extends Source {
DocumentUrlAsSource() { isDocumentURL(asExpr()) }
}
/**
* A function invocation of an unsafe function, as a sink for remote method name injection.
* A function invocation of an unsafe function, as a sink for remote unsafe dynamic method access.
*/
class CalleeAsSink extends Sink {
CalleeAsSink() {
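Review bot: The configuration identity on the context line `Configuration() { this = "RemotePropertyInjection" }` (fourth hunk, inside the renamed `UnsafeDynamicMethodAccess` module) still carries the other query's name, which the rename does not touch. If the RemotePropertyInjection library's Configuration uses the same string, both TaintTracking::Configuration classes would hold for one and the same value, so each query presumably picks up the other's sources and sinks; renaming it with the module, `Configuration() { this = "UnsafeDynamicMethodAccess" }`, keeps the two identities distinct and matches the rest of this commit. The doc comment in the last hunk, `as a sink for remote unsafe dynamic method access`, reads oddly after the rename; `as a sink for unsafe dynamic method access` would be clearer. Both the Configuration class and CalleeAsSink continue outside their hunks.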


@@ -1 +0,0 @@
Security/CWE-094/MethodNameInjection.ql


@@ -0,0 +1 @@
Security/CWE-094/UnsafeDynamicMethodAccess.ql