JS: rename query to Unsafe Dynamic Method Access

2026-04-29 10:45:15 +02:00 · 2018-11-21 12:34:18 +00:00
parent cb832b1de9
commit 4ae2493798
13 changed files with 18 additions and 18 deletions
--- a/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.qhelp
+++ b/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.qhelp
@@ -27,14 +27,14 @@ A malicious website could embed the page in an iframe and execute arbitrary code
 with the name <code>eval</code>.
 </p>

-<sample src="examples/MethodNameInjection.js" />
+<sample src="examples/UnsafeDynamicMethodAccess.js" />

 <p>
 Instead of storing the API methods in the global scope, put them in an API object or Map. It is also good
 practice to prevent invocation of inherited methods like <code>toString</code> and <code>valueOf</code>.
 </p>

-<sample src="examples/MethodNameInjectionGood.js" />
+<sample src="examples/UnsafeDynamicMethodAccessGood.js" />

 </example>

--- a/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.ql
+++ b/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.ql
@@ -1,15 +1,15 @@
 /**
- * @name Method name injection
+ * @name Unsafe dynamic method access
 * @description Invoking user-controlled methods on certain objects can lead to remote code execution.
 * @kind path-problem
 * @problem.severity error
 * @precision high
- * @id js/method-name-injection
+ * @id js/unsafe-dynamic-method-access
 * @tags security
 *       external/cwe/cwe-094
 */
 import javascript
-import semmle.javascript.security.dataflow.MethodNameInjection::MethodNameInjection
+import semmle.javascript.security.dataflow.UnsafeDynamicMethodAccess::UnsafeDynamicMethodAccess
 import DataFlow::PathGraph

 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
--- a/javascript/ql/src/Security/CWE-094/examples/UnsafeDynamicMethodAccess.js
+++ b/javascript/ql/src/Security/CWE-094/examples/UnsafeDynamicMethodAccess.js
--- a/javascript/ql/src/Security/CWE-094/examples/UnsafeDynamicMethodAccessGood.js
+++ b/javascript/ql/src/Security/CWE-094/examples/UnsafeDynamicMethodAccessGood.js
--- a/javascript/ql/src/semmle/javascript/security/dataflow/RemotePropertyInjection.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/RemotePropertyInjection.qll
@@ -81,7 +81,7 @@ module RemotePropertyInjection {
      exists (DataFlow::PropRead pr | astNode = pr.getPropertyNameExpr() |
        exists (pr.getAnInvocation()) and

-        // Omit sinks covered by the MethodNameInjection query
+        // Omit sinks covered by the UnsafeDynamicMethodAccess query
        not PropertyInjection::hasUnsafeMethods(pr.getBase().getALocalSource())
      )
    }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccess.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccess.qll
@@ -1,17 +1,17 @@
 /**
 * Provides a taint-tracking configuration for reasoning about method invocations
- * with a user-controlled method name.
+ * with a user-controlled method name on objects with unsafe methods.
 */

 import javascript
 import semmle.javascript.frameworks.Express
 import PropertyInjectionShared

-module MethodNameInjection {
+module UnsafeDynamicMethodAccess {
  private import DataFlow::FlowLabel
  
  /**
-   * A data flow source for method name injection.
+   * A data flow source for unsafe dynamic method access.
   */
  abstract class Source extends DataFlow::Node {
    /**
@@ -23,7 +23,7 @@ module MethodNameInjection {
  }

  /**
-   * A data flow sink for method name injection.
+   * A data flow sink for unsafe dynamic method access.
   */
  abstract class Sink extends DataFlow::Node {
    /**
@@ -33,7 +33,7 @@ module MethodNameInjection {
  }

  /**
-   * A sanitizer for method name injection.
+   * A sanitizer for unsafe dynamic method access.
   */
  abstract class Sanitizer extends DataFlow::Node { }

@@ -47,7 +47,7 @@ module MethodNameInjection {
  }

  /**
-   * A taint-tracking configuration for reasoning about method name injection.
+   * A taint-tracking configuration for reasoning about unsafe dynamic method access.
   */
  class Configuration extends TaintTracking::Configuration {
    Configuration() { this = "RemotePropertyInjection" }
@@ -101,21 +101,21 @@ module MethodNameInjection {
  }

  /**
-   * A source of remote user input, considered as a source for method name injection. 
+   * A source of remote user input, considered as a source for unsafe dynamic method access.
   */
  class RemoteFlowSourceAsSource extends Source {
    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
  }

  /**
-   * The page URL considered as a flow source for method name injection. 
+   * The page URL considered as a flow source for unsafe dynamic method access.
   */
  class DocumentUrlAsSource extends Source {
    DocumentUrlAsSource() { isDocumentURL(asExpr()) }
  }

  /**
-   * A function invocation of an unsafe function, as a sink for remote method name injection.
+   * A function invocation of an unsafe function, as a sink for remote unsafe dynamic method access.
   */
  class CalleeAsSink extends Sink {
    CalleeAsSink() {