From 5b9c0bb87c11823040bcb06dd16d65c7b50f62d2 Mon Sep 17 00:00:00 2001
From: Erik Krogh Kristensen
Date: Tue, 1 Mar 2022 11:18:42 +0100
Subject: [PATCH] restrict the size of the `getASubexpressionWithinQuery` predicate, and remove double-recursion
---
 .../adaptivethreatmodeling/NosqlInjectionATM.qll | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll
index ed5ac92ba58..45128d9c4a7 100644
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll
@@ -120,13 +120,17 @@ predicate isBaseAdditionalFlowStep(
 }
 /**
+ * Gets a value that is (transitively) written to `query`, where `query` is a NoSQL sink.
+ *
 * This predicate allows us to propagate data flow through property writes and array constructors
 * within a query object, enabling the security query to pick up NoSQL injection vulnerabilities
 * involving more complex queries.
 */
 DataFlow::Node getASubexpressionWithinQuery(DataFlow::Node query) {
+ any(NosqlInjectionATMConfig cfg).isEffectiveSink(query) and
 exists(DataFlow::SourceNode receiver |
- receiver.flowsTo(getASubexpressionWithinQuery*(query.getALocalSource())) and
+ receiver = [getASubexpressionWithinQuery(query), query].getALocalSource()
+ |
 result = [receiver.getAPropertyWrite().getRhs(), receiver.(DataFlow::ArrayCreationNode).getAnElement()]
 )