JS: Port ResourceExhaustion

2026-04-29 02:35:15 +02:00 · 2023-10-05 09:22:04 +02:00
parent b9bd0520e2
commit 4af7694309
4 changed files with 80 additions and 90 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll
@@ -31,6 +31,21 @@ module ResourceExhaustion {
   */
  abstract class Sanitizer extends DataFlow::Node { }

+  /**
+   * A barrier guard for resource exhaustion vulnerabilities.
+   */
+  abstract class BarrierGuard extends DataFlow::Node {
+    /**
+     * Holds if this node acts as a barrier for data flow, blocking further flow from `e` if `this` evaluates to `outcome`.
+     */
+    predicate blocksExpr(boolean outcome, Expr e) { none() }
+  }
+
+  /** A subclass of `BarrierGuard` that is used for backward compatibility with the old data flow library. */
+  abstract class BarrierGuardLegacy extends BarrierGuard, TaintTracking::SanitizerGuardNode {
+    override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+  }
+
  /** A source of remote user input, considered as a data flow source for resource exhaustion vulnerabilities. */
  class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource {
    RemoteFlowSourceAsSource() {
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll
@@ -13,7 +13,31 @@ import ResourceExhaustionCustomizations::ResourceExhaustion
 /**
 * A data flow configuration for resource exhaustion vulnerabilities.
 */
-class Configuration extends TaintTracking::Configuration {
+module ResourceExhaustionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof Sanitizer or
+    node = any(DataFlow::PropRead read | read.getPropertyName() = "length") or
+    node = DataFlow::MakeBarrierGuard<BarrierGuard>::getABarrierNode()
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node dst) {
+    isNumericFlowStep(src, dst)
+  }
+}
+
+/**
+ * Data flow for resource exhaustion vulnerabilities.
+ */
+module ResourceExhaustionFlow = TaintTracking::Global<ResourceExhaustionConfig>;
+
+/**
+ * DEPRECATED. Use the `ResourceExhaustionFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "ResourceExhaustion" }

  override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -49,10 +73,10 @@ predicate isNumericFlowStep(DataFlow::Node src, DataFlow::Node dst) {
 /**
 * A sanitizer that blocks taint flow if the size of a number is limited.
 */
-class UpperBoundsCheckSanitizerGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
+class UpperBoundsCheckSanitizerGuard extends BarrierGuardLegacy, DataFlow::ValueNode {
  override RelationalComparison astNode;

-  override predicate sanitizes(boolean outcome, Expr e) {
+  override predicate blocksExpr(boolean outcome, Expr e) {
    true = outcome and
    e = astNode.getLesserOperand()
    or