mirror of
https://github.com/github/codeql.git
synced 2026-03-21 15:06:46 +01:00
JavaScript: Select Nodes (instead of PathNodes) everywhere.
This commit is contained in:
Max Schaefer
@@ -20,4 +20,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "This path depends on $@.", source, "a user-provided value"
|
||||
select sink.getNode(), source, sink, "This path depends on $@.",
|
||||
source.getNode(), "a user-provided value"
|
||||
|
||||
@@ -22,4 +22,5 @@ where cfg.hasPathFlow(source, sink) and
|
||||
cfg.isSinkWithHighlight(sink.getNode(), highlight)
|
||||
else
|
||||
highlight = sink.getNode()
|
||||
select highlight, source, sink, "This command depends on $@.", source, "a user-provided value"
|
||||
select highlight, source, sink, "This command depends on $@.",
|
||||
source.getNode(), "a user-provided value"
|
||||
|
||||
@@ -18,4 +18,4 @@ import DataFlow::PathGraph
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
|
||||
source, "user-provided value"
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -18,4 +18,4 @@ import DataFlow::PathGraph
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "Stored cross-site scripting vulnerability due to $@.",
|
||||
source, "stored value"
|
||||
source.getNode(), "stored value"
|
||||
|
||||
@@ -18,4 +18,4 @@ import DataFlow::PathGraph
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, sink.getNode().(Sink).getVulnerabilityKind() + " vulnerability due to $@.",
|
||||
source, "user-provided value"
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -19,4 +19,5 @@ from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode
|
||||
where (cfg instanceof SqlInjection::Configuration or
|
||||
cfg instanceof NosqlInjection::Configuration) and
|
||||
cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "This query depends on $@.", source, "a user-provided value"
|
||||
select sink.getNode(), source, sink, "This query depends on $@.",
|
||||
source.getNode(), "a user-provided value"
|
||||
|
||||
@@ -18,4 +18,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.", source, "User-provided value"
|
||||
select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.",
|
||||
source.getNode(), "User-provided value"
|
||||
|
||||
@@ -15,4 +15,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "$@ flows here and is used in a format string.", source, "User-provided value"
|
||||
select sink.getNode(), source, sink, "$@ flows here and is used in a format string.",
|
||||
source.getNode(), "User-provided value"
|
||||
|
||||
@@ -14,4 +14,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "$@ flows directly to outbound network request", source, "File data"
|
||||
select sink.getNode(), source, sink, "$@ flows directly to outbound network request",
|
||||
source.getNode(), "File data"
|
||||
|
||||
@@ -18,4 +18,4 @@ import DataFlow::PathGraph
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "Stack trace information from $@ may be exposed to an external user here.",
|
||||
source, "here"
|
||||
source.getNode(), "here"
|
||||
|
||||
@@ -36,4 +36,5 @@ from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink) and
|
||||
// ignore logging to the browser console (even though it is not a good practice)
|
||||
not inBrowserEnvironment(sink.getNode().asExpr().getTopLevel())
|
||||
select sink.getNode(), source, sink, "Sensitive data returned by $@ is logged here.", source, source.getNode().(Source).describe()
|
||||
select sink.getNode(), source, sink, "Sensitive data returned by $@ is logged here.",
|
||||
source.getNode(), source.getNode().(Source).describe()
|
||||
|
||||
@@ -18,4 +18,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "Sensitive data returned by $@ is stored here.", source, source.getNode().(Source).describe()
|
||||
select sink.getNode(), source, sink, "Sensitive data returned by $@ is stored here.",
|
||||
source.getNode(), source.getNode().(Source).describe()
|
||||
|
||||
@@ -16,5 +16,6 @@ import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink) and
|
||||
not source.asExpr() instanceof CleartextPasswordExpr // flagged by js/insufficient-password-hash
|
||||
select sink.getNode(), source, sink, "Sensitive data from $@ is used in a broken or weak cryptographic algorithm.", source , source.(Source).describe()
|
||||
not source.getNode().asExpr() instanceof CleartextPasswordExpr // flagged by js/insufficient-password-hash
|
||||
select sink.getNode(), source, sink, "Sensitive data from $@ is used in a broken or weak cryptographic algorithm.",
|
||||
source.getNode(), source.getNode().(Source).describe()
|
||||
|
||||
@@ -16,4 +16,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "Cryptographically insecure $@ in a security context.", source, "random value"
|
||||
select sink.getNode(), source, sink, "Cryptographically insecure $@ in a security context.",
|
||||
source.getNode(), "random value"
|
||||
|
||||
@@ -18,5 +18,5 @@ import DataFlow::PathGraph
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "$@ leak vulnerability due to $@.",
|
||||
sink.(Sink).getCredentialsHeader(), "Credential",
|
||||
source, "a misconfigured CORS header value"
|
||||
sink.getNode().(Sink).getCredentialsHeader(), "Credential",
|
||||
source.getNode(), "a misconfigured CORS header value"
|
||||
|
||||
@@ -18,5 +18,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "A $@ is used as" + sink.(Sink).getMessage(),
|
||||
source, "user-provided value"
|
||||
select sink.getNode(), source, sink, "A $@ is used as" + sink.getNode().(Sink).getMessage(),
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -16,4 +16,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "Unsafe deserialization of $@.", source, "user input"
|
||||
select sink.getNode(), source, sink, "Unsafe deserialization of $@.",
|
||||
source.getNode(), "user input"
|
||||
|
||||
@@ -18,4 +18,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source, "user-provided value"
|
||||
select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -16,4 +16,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source, "user-provided value"
|
||||
select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -18,4 +18,4 @@ import DataFlow::PathGraph
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "A $@ is parsed as XML without guarding against external entity expansion.",
|
||||
source, "user-provided value"
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -16,4 +16,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "Links in this email can be hijacked by poisoning the HTTP host header $@.", source, "here"
|
||||
select sink.getNode(), source, sink, "Links in this email can be hijacked by poisoning the HTTP host header $@.",
|
||||
source.getNode(), "here"
|
||||
|
||||
@@ -16,4 +16,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "$@ flows here and is used in an XPath expression.", source, "User-provided value"
|
||||
select sink.getNode(), source, sink, "$@ flows here and is used in an XPath expression.",
|
||||
source.getNode(), "User-provided value"
|
||||
|
||||
@@ -18,4 +18,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "This regular expression is constructed from a $@.", source, "user-provided value"
|
||||
select sink.getNode(), source, sink, "This regular expression is constructed from a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -18,4 +18,4 @@ import DataFlow::PathGraph
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "A $@ is parsed as XML without guarding against uncontrolled entity expansion.",
|
||||
source, "user-provided value"
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -23,4 +23,5 @@ where cfg.hasPathFlow(source, sink) and
|
||||
value = "The hard-coded value \"" + source.getNode().asExpr().(ConstantString).getStringValue() + "\""
|
||||
else
|
||||
value = "This hard-coded value"
|
||||
select source.getNode(), source, sink, value + " is used as $@.", sink, sink.getNode().(Sink).getKind()
|
||||
select source.getNode(), source, sink, value + " is used as $@.",
|
||||
sink.getNode(), sink.getNode().(Sink).getKind()
|
||||
|
||||
@@ -114,4 +114,4 @@ where isTaintedGuardForSensitiveAction(sink, source, action) and
|
||||
not isEarlyAbortGuard(sink, action)
|
||||
select sink.getNode(), source, sink, "This condition guards a sensitive $@, but $@ controls it.",
|
||||
action, "action",
|
||||
source, "a user-provided value"
|
||||
source.getNode(), "a user-provided value"
|
||||
|
||||
@@ -15,4 +15,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "Potential type confusion for $@.", source, "HTTP request parameter"
|
||||
select sink.getNode(), source, sink, "Potential type confusion for $@.",
|
||||
source.getNode(), "HTTP request parameter"
|
||||
|
||||
@@ -14,4 +14,4 @@ import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "$@ flows to file system", source, "Untrusted data"
|
||||
select sink.getNode(), source, sink, "$@ flows to file system", source.getNode(), "Untrusted data"
|
||||
|
||||
@@ -15,4 +15,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasPathFlow(source, sink)
|
||||
select sink.getNode(), source, sink, "Password from $@ is hashed insecurely.", source , source.(Source).describe()
|
||||
select sink.getNode(), source, sink, "Password from $@ is hashed insecurely.",
|
||||
source.getNode(), source.getNode().(Source).describe()
|
||||
|
||||
@@ -16,4 +16,5 @@ import DataFlow::PathGraph
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node request
|
||||
where cfg.hasPathFlow(source, sink) and
|
||||
request = sink.getNode().(Sink).getARequest()
|
||||
select request, source, sink, "The $@ of this request depends on $@.", sink, sink.getNode().(Sink).getKind(), source, "a user-provided value"
|
||||
select request, source, sink, "The $@ of this request depends on $@.",
|
||||
sink.getNode(), sink.getNode().(Sink).getKind(), source, "a user-provided value"
|
||||
|
||||
Reference in New Issue
Block a user