JS: Port SqlInjection

2026-04-27 17:55:19 +02:00 · 2023-10-04 21:24:57 +02:00
parent 65e9706c8e
commit 547a8a958a
5 changed files with 497 additions and 736 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll
@@ -14,7 +14,57 @@ import NosqlInjectionCustomizations::NosqlInjection
 /**
 * A taint-tracking configuration for reasoning about SQL-injection vulnerabilities.
 */
-class Configuration extends TaintTracking::Configuration {
+module NosqlInjectionConfig implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowLabel;
+
+  predicate isSource(DataFlow::Node source, DataFlow::FlowLabel state) {
+    source instanceof Source and state.isTaint()
+    or
+    TaintedObject::isSource(source, state)
+  }
+
+  predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel state) {
+    sink.(Sink).getAFlowLabel() = state
+  }
+
+  predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel state) {
+    node instanceof Sanitizer and state.isTaint()
+    or
+    TaintTracking::defaultSanitizer(node) and state.isTaint()
+    or
+    node = TaintedObject::SanitizerGuard::getABarrierNode(state)
+  }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node node1, DataFlow::FlowLabel state1, DataFlow::Node node2,
+    DataFlow::FlowLabel state2
+  ) {
+    TaintedObject::step(node1, node2, state1, state2)
+    or
+    // additional flow step to track taint through NoSQL query objects
+    state1 = TaintedObject::label() and
+    state2 = TaintedObject::label() and
+    exists(NoSql::Query query, DataFlow::SourceNode queryObj |
+      queryObj.flowsTo(query) and
+      queryObj.flowsTo(node2) and
+      node1 = queryObj.getAPropertyWrite().getRhs()
+    )
+    or
+    TaintTracking::defaultTaintStep(node1, node2) and
+    state1.isTaint() and
+    state2 = state1
+  }
+}
+
+/**
+ * Taint-tracking for reasoning about SQL-injection vulnerabilities.
+ */
+module NosqlInjectionFlow = DataFlow::GlobalWithState<NosqlInjectionConfig>;
+
+/**
+ * DEPRECATED. Use the `NosqlInjectionFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "NosqlInjection" }

  override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -37,17 +87,9 @@ class Configuration extends TaintTracking::Configuration {
  }

  override predicate isAdditionalFlowStep(
-    DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
+    DataFlow::Node node1, DataFlow::Node node2, DataFlow::FlowLabel state1,
+    DataFlow::FlowLabel state2
  ) {
-    TaintedObject::step(src, trg, inlbl, outlbl)
-    or
-    // additional flow step to track taint through NoSQL query objects
-    inlbl = TaintedObject::label() and
-    outlbl = TaintedObject::label() and
-    exists(NoSql::Query query, DataFlow::SourceNode queryObj |
-      queryObj.flowsTo(query) and
-      queryObj.flowsTo(trg) and
-      src = queryObj.getAPropertyWrite().getRhs()
-    )
+    NosqlInjectionConfig::isAdditionalFlowStep(node1, state1, node2, state2)
  }
 }
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll
@@ -13,7 +13,35 @@ import SqlInjectionCustomizations::SqlInjection
 /**
 * A taint-tracking configuration for reasoning about string based query injection vulnerabilities.
 */
-class Configuration extends TaintTracking::Configuration {
+module SqlInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(LdapJS::TaintPreservingLdapFilterStep filter |
+      pred = filter.getInput() and
+      succ = filter.getOutput()
+    )
+    or
+    exists(HtmlSanitizerCall call |
+      pred = call.getInput() and
+      succ = call
+    )
+  }
+}
+
+/**
+ * Taint-tracking for reasoning about string based query injection vulnerabilities.
+ */
+module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;
+
+/**
+ * DEPRECATED. Use the `SqlInjectionFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "SqlInjection" }

  override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -26,14 +54,6 @@ class Configuration extends TaintTracking::Configuration {
  }

  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(LdapJS::TaintPreservingLdapFilterStep filter |
-      pred = filter.getInput() and
-      succ = filter.getOutput()
-    )
-    or
-    exists(HtmlSanitizerCall call |
-      pred = call.getInput() and
-      succ = call
-    )
+    SqlInjectionConfig::isAdditionalFlowStep(pred, succ)
  }
 }