add new Xss queries to extraction code

2026-05-21 06:37:10 +02:00 · 2022-03-09 13:19:15 +00:00
parent 322c391909
commit 601c55ea5d
3 changed files with 54 additions and 14 deletions
--- a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointData.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointData.qll
@@ -16,8 +16,10 @@ import experimental.adaptivethreatmodeling.EndpointTypes
 import experimental.adaptivethreatmodeling.FilteringReasons
 import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionATM
 import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjectionATM
+import experimental.adaptivethreatmodeling.StoredXssATM as StoredXssATM
 import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathATM
 import experimental.adaptivethreatmodeling.XssATM as XssATM
+import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomATM
 import Labels
 import NoFeaturizationRestrictionsConfig
 import Queries
@@ -29,9 +31,13 @@ AtmConfig getAtmCfg(Query query) {
  or
  query instanceof SqlInjectionQuery and result instanceof SqlInjectionATM::SqlInjectionAtmConfig
  or
-  query instanceof TaintedPathQuery and result instanceof TaintedPathATM::TaintedPathAtmConfig
+  query instanceof StoredXssQuery and result instanceof StoredXssATM::StoredXssATMConfig
  or
-  query instanceof XssQuery and result instanceof XssATM::DomBasedXssAtmConfig
+  query instanceof TaintedPathQuery and result instanceof TaintedPathATM::TaintedPathATMConfig
+  or
+  query instanceof XssQuery and result instanceof XssATM::DomBasedXssATMConfig
+  or
+  query instanceof XssThroughDomQuery and result instanceof XssThroughDomATM::XssThroughDOMATMConfig
 }

 /** DEPRECATED: Alias for getAtmCfg */
@@ -46,6 +52,10 @@ DataFlow::Configuration getDataFlowCfg(Query query) {
  query instanceof TaintedPathQuery and result instanceof TaintedPathATM::Configuration
  or
  query instanceof XssQuery and result instanceof XssATM::Configuration
+  or
+  query instanceof StoredXssQuery and result instanceof StoredXssATM::Configuration
+  or
+  query instanceof XssThroughDomQuery and result instanceof XssThroughDomATM::Configuration
 }

 /** Gets a known sink for the specified query. */
--- a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointMapping.ql
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointMapping.ql
@@ -8,21 +8,41 @@ import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjectionATM
 import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionATM
 import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathATM
 import experimental.adaptivethreatmodeling.XssATM as XssATM
+import experimental.adaptivethreatmodeling.StoredXssATM as StoredXssATM
+import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomATM
 import experimental.adaptivethreatmodeling.AdaptiveThreatModeling

-from string queryName, AtmConfig c, EndpointType e
+from string queryName, ATMConfig c, int endpointTypeEncoded
 where
  (
-    queryName = "SqlInjectionATM.ql" and
-    c instanceof SqlInjectionATM::SqlInjectionAtmConfig
+    queryName = "Unknown" and
+    endpointTypeEncoded = 0
    or
-    queryName = "NosqlInjectionATM.ql" and
-    c instanceof NosqlInjectionATM::NosqlInjectionAtmConfig
+    queryName = "NotASink" and
+    endpointTypeEncoded = 0
    or
-    queryName = "TaintedPathInjectionATM.ql" and
-    c instanceof TaintedPathATM::TaintedPathAtmConfig
+    queryName = "XssSink" and
+    c instanceof XssATM::DomBasedXssATMConfig and
+    endpointTypeEncoded = c.getASinkEndpointType().getEncoding()
    or
-    queryName = "XssATM.ql" and c instanceof XssATM::DomBasedXssAtmConfig
-  ) and
-  e = c.getASinkEndpointType()
-select queryName, e.getEncoding() as endpointTypeEncoded
+    queryName = "StoredXssSink" and
+    c instanceof StoredXssATM::StoredXssATMConfig and
+    endpointTypeEncoded = c.getASinkEndpointType().getEncoding()
+    or
+    queryName = "XssThroughDomSink" and
+    c instanceof XssThroughDomATM::XssThroughDOMATMConfig and
+    endpointTypeEncoded = c.getASinkEndpointType().getEncoding()
+    or
+    queryName = "SqlInjectionSink" and
+    c instanceof SqlInjectionATM::SqlInjectionATMConfig and
+    endpointTypeEncoded = c.getASinkEndpointType().getEncoding()
+    or
+    queryName = "NosqlInjectionSink" and
+    c instanceof NosqlInjectionATM::NosqlInjectionATMConfig and
+    endpointTypeEncoded = c.getASinkEndpointType().getEncoding()
+    or
+    queryName = "TaintedPathSink" and
+    c instanceof TaintedPathATM::TaintedPathATMConfig and
+    endpointTypeEncoded = c.getASinkEndpointType().getEncoding()
+  )
+select queryName, endpointTypeEncoded order by endpointTypeEncoded
--- a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/Queries.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/Queries.qll
@@ -8,7 +8,9 @@ newtype TQuery =
  TNosqlInjectionQuery() or
  TSqlInjectionQuery() or
  TTaintedPathQuery() or
-  TXssQuery()
+  TXssQuery() or
+  TStoredXssQuery() or
+  TXssThroughDomQuery()

 abstract class Query extends TQuery {
  abstract string getName();
@@ -24,6 +26,10 @@ class SqlInjectionQuery extends Query, TSqlInjectionQuery {
  override string getName() { result = "SqlInjection" }
 }

+class StoredXssQuery extends Query, TStoredXssQuery {
+  override string getName() { result = "StoredXss" }
+}
+
 class TaintedPathQuery extends Query, TTaintedPathQuery {
  override string getName() { result = "TaintedPath" }
 }
@@ -31,3 +37,7 @@ class TaintedPathQuery extends Query, TTaintedPathQuery {
 class XssQuery extends Query, TXssQuery {
  override string getName() { result = "Xss" }
 }
+
+class XssThroughDomQuery extends Query, TXssThroughDomQuery {
+  override string getName() { result = "XssThroughDom" }
+}