JS: Move Source def into customizations lib

2026-04-30 19:26:02 +02:00 · 2021-03-02 13:52:27 +00:00
parent d916118ea4
commit 5d27cd934d
4 changed files with 51 additions and 24 deletions
--- a/javascript/ql/src/semmle/javascript/security/TaintedObject.qll
+++ b/javascript/ql/src/semmle/javascript/security/TaintedObject.qll
@@ -16,22 +16,16 @@
 import javascript
 private import semmle.javascript.dataflow.InferredTypes

+/** Provides classes and predicates for reasoning about deeply tainted objects. */
 module TaintedObject {
  private import DataFlow
+  import TaintedObjectCustomizations::TaintedObject

-  private class TaintedObjectLabel extends FlowLabel {
-    TaintedObjectLabel() { this = "tainted-object" }
+  // Materialize flow labels
+  private class ConcreteTaintedObjectLabel extends TaintedObjectLabel {
+    ConcreteTaintedObjectLabel() { this = this }
  }

-  /**
-   * Gets the flow label representing a deeply tainted object.
-   *
-   * A "tainted object" is an array or object whose property values are all assumed to be tainted as well.
-   *
-   * Note that the presence of the this label generally implies the presence of the `taint` label as well.
-   */
-  FlowLabel label() { result instanceof TaintedObjectLabel }
-
  /**
   * Holds for the flows steps that are relevant for tracking user-controlled JSON objects.
   */
@@ -79,11 +73,6 @@ module TaintedObject {
   */
  predicate isSource(Node source, FlowLabel label) { source instanceof Source and label = label() }

-  /**
-   * A source of a user-controlled deep object.
-   */
-  abstract class Source extends DataFlow::Node { }
-
  /** Request input accesses as a JSON source. */
  private class RequestInputAsSource extends Source {
    RequestInputAsSource() { this.(HTTP::RequestInputAccess).isUserControlledObject() }
--- a/javascript/ql/src/semmle/javascript/security/TaintedObjectCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/TaintedObjectCustomizations.qll
@@ -0,0 +1,28 @@
+/**
+ * Provides access to the "tainted object" flow label defined in `TaintedObject.qll`, without
+ * materializing that flow label.
+ */
+
+import javascript
+
+/** Provides classes and predicates for reasoning about deeply tainted objects. */
+module TaintedObject {
+  /** A flow label representing a deeply tainted object. */
+  abstract class TaintedObjectLabel extends DataFlow::FlowLabel {
+    TaintedObjectLabel() { this = "tainted-object" }
+  }
+
+  /**
+   * Gets the flow label representing a deeply tainted object.
+   *
+   * A "tainted object" is an array or object whose property values are all assumed to be tainted as well.
+   *
+   * Note that the presence of the this label generally implies the presence of the `taint` label as well.
+   */
+  DataFlow::FlowLabel label() { result instanceof TaintedObjectLabel }
+
+  /**
+   * A source of a user-controlled deep object.
+   */
+  abstract class Source extends DataFlow::Node { }
+}
--- a/javascript/ql/src/semmle/javascript/security/dataflow/DeepObjectResourceExhaustion.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/DeepObjectResourceExhaustion.qll
@@ -21,13 +21,7 @@ module DeepObjectResourceExhaustion {
    Configuration() { this = "DeepObjectResourceExhaustion" }

    override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-      source instanceof Source and label = TaintedObject::label()
-      or
-      // We currently can't expose the TaintedObject label in the Customizations library
-      // so just add its default sources here.
-      source instanceof TaintedObject::Source and label = TaintedObject::label()
-      or
-      source instanceof RemoteFlowSource and label.isTaint()
+      source.(Source).getAFlowLabel() = label
    }

    override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
--- a/javascript/ql/src/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionCustomizations.qll
@@ -4,6 +4,7 @@
 */

 import javascript
+private import semmle.javascript.security.TaintedObjectCustomizations

 /**
 * Provides sources, sinks and sanitizers for reasoning about
@@ -13,7 +14,22 @@ module DeepObjectResourceExhaustion {
  /**
   * A data flow source for slow input validation.
   */
-  abstract class Source extends DataFlow::Node { }
+  abstract class Source extends DataFlow::Node {
+    /** Gets a flow label to associate with this source. */
+    DataFlow::FlowLabel getAFlowLabel() { result = TaintedObject::label() }
+  }
+
+  private class TaintedObjectSourceAsSource extends Source {
+    TaintedObjectSourceAsSource() { this instanceof TaintedObject::Source }
+
+    override DataFlow::FlowLabel getAFlowLabel() { result = TaintedObject::label() }
+  }
+
+  private class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+
+    override DataFlow::FlowLabel getAFlowLabel() { result.isTaint() }
+  }

  /**
   * A data flow sink for slow input validation.