From 4ba7243b1f14bc8ea5617b89e0bd42db1d951b1c Mon Sep 17 00:00:00 2001
From: Stephan Brandauer
Date: Tue, 10 May 2022 16:56:48 +0200
Subject: [PATCH] add assignedToPropName feature to let the model improve number of false positives for XSS query
---
 .../EndpointFeatures.qll | 22 ++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll
index b4a9002b28f..e9411d367a2 100644
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll
@@ -236,7 +236,8 @@ private newtype TEndpointFeature =
 TInputAccessPathFromCallee() or
 TInputArgumentIndex() or
 TContextFunctionInterfaces() or
- TContextSurroundingFunctionParameters()
+ TContextSurroundingFunctionParameters() or
+ TAssignedToPropName()
 /**
 * An implementation of an endpoint feature: produces feature names and values for used in ML.
@@ -472,6 +473,25 @@ class ContextSurroundingFunctionParameters extends EndpointFeature,
 }
 }
+/**
+ * The feature that gives the name an endpoint is assigned to (if any).
+ *
+ * ### Example
+ * ```javascript
+ * const div = document.createElement('div');
+ * div.innerHTML = endpoint; // feature value is 'innerHTML'
+ * ```
+ */
+class AssignedToPropName extends EndpointFeature, TAssignedToPropName {
+ override string getName() { result = "assignedToPropName" }
+
+ override string getValue(DataFlow::Node endpoint) {
+ exists(DataFlow::PropWrite w | w.getRhs().asExpr().getUnderlyingValue().flow() = endpoint |
+ result = w.getPropertyName()
+ )
+ }
+}
+
 /**
 * The feature for the imports used in the callee of an invocation.
 *
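Review bot: `getValue` in the new `AssignedToPropName` class can yield several values for one endpoint, because the `exists` ranges over every `DataFlow::PropWrite` whose right-hand side resolves to that node and each match contributes its own `getPropertyName()`. A chained write such as `a.innerHTML = b.textContent = x` looks like it would match twice, since `getUnderlyingValue()` is applied to the right-hand side; whether the feature encoder accepts more than one value per feature and endpoint is not visible in this hunk. If it expects at most one, fold the names into a single deterministic string as sketched below. The doc comment would also be clearer as "the name of the property an endpoint is assigned to", with a sentence saying that writes whose property name is not statically known presumably produce no value. The diffstat shows no test accompanying a feature that is meant to suppress XSS alerts, so a regression check that known `innerHTML`-style sinks are still reported would be worth adding.

```ql
  override string getValue(DataFlow::Node endpoint) {
    // Collapse all property names written from this endpoint into one stable value.
    result =
      strictconcat(string name |
        exists(DataFlow::PropWrite w |
          w.getRhs().asExpr().getUnderlyingValue().flow() = endpoint and
          name = w.getPropertyName()
        )
      |
        name, " " order by name
      )
  }
```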