hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-24 08:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Swift: Rewrite UnsafeJsEval to use `DataFlow::ConfigSig

Browse Source
This commit is contained in:
Jeroen Ketema
2023-04-03 16:22:32 +02:00
parent db641e508a
commit 56156cfa36
2 changed files with 26 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll
View File

@@ -12,7 +12,7 @@ import codeql.swift.security.UnsafeJsEvalExtensions
/**
* A taint configuration from taint sources to sinks for this query.
*/
class UnsafeJsEvalConfig extends TaintTracking::Configuration {
deprecated class UnsafeJsEvalConfig extends TaintTracking::Configuration {
UnsafeJsEvalConfig() { this = "UnsafeJsEvalConfig" }
override predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
@@ -27,3 +27,25 @@ class UnsafeJsEvalConfig extends TaintTracking::Configuration {
any(UnsafeJsEvalAdditionalTaintStep s).step(nodeFrom, nodeTo)
}
}
/**
* A taint configuration from taint sources to sinks for this query.
*/
module UnsafeJsEvalConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
predicate isSink(DataFlow::Node node) { node instanceof UnsafeJsEvalSink }
predicate isBarrier(DataFlow::Node sanitizer) {
sanitizer instanceof UnsafeJsEvalSanitizer
}
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(UnsafeJsEvalAdditionalTaintStep s).step(nodeFrom, nodeTo)
}
}
/**
* Detect taint flow of taint sources to sinks for this query.
*/
module UnsafeJsEvalFlow = TaintTracking::Global<UnsafeJsEvalConfig>;

7
swift/ql/src/queries/Security/CWE-094/UnsafeJsEval.ql
View File

@@ -15,12 +15,11 @@
import swift
import codeql.swift.dataflow.DataFlow
import codeql.swift.security.UnsafeJsEvalQuery
import DataFlow::PathGraph
import UnsafeJsEvalFlow::PathGraph
from
UnsafeJsEvalConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode,
UnsafeJsEvalSink sink
UnsafeJsEvalFlow::PathNode sourceNode, UnsafeJsEvalFlow::PathNode sinkNode, UnsafeJsEvalSink sink
where
config.hasFlowPath(sourceNode, sinkNode) and
UnsafeJsEvalFlow::flowPath(sourceNode, sinkNode) and
sink = sinkNode.getNode()
select sink, sourceNode, sinkNode, "Evaluation of uncontrolled JavaScript from a remote source."