diff --git a/javascript/ql/src/Security/CWE-079/ReflectedXss.ql b/javascript/ql/src/Security/CWE-079/ReflectedXss.ql index 3a4109512ad..f5598e0dccc 100644 --- a/javascript/ql/src/Security/CWE-079/ReflectedXss.ql +++ b/javascript/ql/src/Security/CWE-079/ReflectedXss.ql @@ -14,7 +14,7 @@ import javascript import semmle.javascript.security.dataflow.ReflectedXss::ReflectedXss -from Configuration xss, DataFlow::Node source, DataFlow::Node sink -where xss.hasFlow(source, sink) +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where cfg.hasFlow(source, sink) select sink, "Cross-site scripting vulnerability due to $@.", source, "user-provided value" \ No newline at end of file diff --git a/javascript/ql/src/Security/CWE-079/StoredXss.ql b/javascript/ql/src/Security/CWE-079/StoredXss.ql index 429bccdf660..beb499a607b 100644 --- a/javascript/ql/src/Security/CWE-079/StoredXss.ql +++ b/javascript/ql/src/Security/CWE-079/StoredXss.ql @@ -14,7 +14,7 @@ import javascript import semmle.javascript.security.dataflow.StoredXss::StoredXss -from Configuration xss, DataFlow::Node source, DataFlow::Node sink -where xss.hasFlow(source, sink) +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where cfg.hasFlow(source, sink) select sink, "Stored cross-site scripting vulnerability due to $@.", source, "stored value" \ No newline at end of file diff --git a/javascript/ql/src/Security/CWE-079/Xss.ql b/javascript/ql/src/Security/CWE-079/Xss.ql index 1971ac66355..25a6b83a449 100644 --- a/javascript/ql/src/Security/CWE-079/Xss.ql +++ b/javascript/ql/src/Security/CWE-079/Xss.ql 
@@ -14,7 +14,7 @@ import javascript import semmle.javascript.security.dataflow.DomBasedXss::DomBasedXss -from Configuration xss, DataFlow::Node source, Sink sink -where xss.hasFlow(source, sink) -select sink, sink.getVulnerabilityKind() + " vulnerability due to $@.", +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where cfg.hasFlow(source, sink) +select sink, sink.(Sink).getVulnerabilityKind() + " vulnerability due to $@.", source, "user-provided value" diff --git a/javascript/ql/src/Security/CWE-089/SqlInjection.ql b/javascript/ql/src/Security/CWE-089/SqlInjection.ql index 38b0c304631..25a0ff693b5 100644 --- a/javascript/ql/src/Security/CWE-089/SqlInjection.ql +++ b/javascript/ql/src/Security/CWE-089/SqlInjection.ql @@ -14,15 +14,8 @@ import javascript import semmle.javascript.security.dataflow.SqlInjection import semmle.javascript.security.dataflow.NosqlInjection -predicate sqlInjection(DataFlow::Node source, DataFlow::Node sink) { - any(SqlInjection::Configuration cfg).hasFlow(source, sink) -} - -predicate nosqlInjection(DataFlow::Node source, DataFlow::Node sink) { - any(NosqlInjection::Configuration cfg).hasFlow(source, sink) -} - -from DataFlow::Node source, DataFlow::Node sink -where sqlInjection(source, sink) or - nosqlInjection(source, sink) +from DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where (cfg instanceof SqlInjection::Configuration or + cfg instanceof NosqlInjection::Configuration) and + cfg.hasFlow(source, sink) select sink, "This query depends on $@.", source, "a user-provided value" diff --git a/javascript/ql/src/Security/CWE-094/CodeInjection.ql b/javascript/ql/src/Security/CWE-094/CodeInjection.ql index 478b8b9efcc..c52d854ea67 100644 --- a/javascript/ql/src/Security/CWE-094/CodeInjection.ql +++ b/javascript/ql/src/Security/CWE-094/CodeInjection.ql 
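Review bot: The new `from DataFlow::Configuration cfg` declaration in SqlInjection.ql ranges over every configuration class in the import closure and relies solely on the `instanceof` disjunction to keep the two injection configurations, which is correct but reads like a generic query; a one-line comment above the `from` would help the next reader, e.g. `// SQL and NoSQL injection share one query id, so report flow found by either configuration.` Because `cfg` is not part of the select, a (source, sink) pair reported by both configurations collapses into a single result, matching the removed helper-predicate version. As before, the message "This query depends on $@." does not say which of the two configurations fired.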
@@ -15,6 +15,6 @@ import javascript import semmle.javascript.security.dataflow.CodeInjection::CodeInjection -from Configuration codeInjection, DataFlow::Node source, DataFlow::Node sink -where codeInjection.hasFlow(source, sink) +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where cfg.hasFlow(source, sink) select sink, "$@ flows to here and is interpreted as code.", source, "User-provided value" \ No newline at end of file diff --git a/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql b/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql index 6845cd5aff8..c1dd3a4c40e 100644 --- a/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql +++ b/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql @@ -12,6 +12,6 @@ import javascript import semmle.javascript.security.dataflow.TaintedFormatString::TaintedFormatString -from Configuration c, DataFlow::Node source, DataFlow::Node sink -where c.hasFlow(source, sink) +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where cfg.hasFlow(source, sink) select sink, "$@ flows here and is used in a format string.", source, "User-provided value" diff --git a/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql b/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql index 10b40d686a8..e43ffe38049 100644 --- a/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql +++ b/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql 
@@ -9,8 +9,8 @@ */ import javascript -import semmle.javascript.security.dataflow.FileAccessToHttp +import semmle.javascript.security.dataflow.FileAccessToHttp::FileAccessToHttp -from FileAccessToHttp::Configuration config, DataFlow::Node src, DataFlow::Node sink -where config.hasFlow (src, sink) -select sink, "$@ flows directly to outbound network request", src, "File data" +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where cfg.hasFlow (source, sink) +select sink, "$@ flows directly to outbound network request", source, "File data" diff --git a/javascript/ql/src/Security/CWE-312/CleartextLogging.ql b/javascript/ql/src/Security/CWE-312/CleartextLogging.ql index 1ff15ff07b6..9a645eadeb6 100644 --- a/javascript/ql/src/Security/CWE-312/CleartextLogging.ql +++ b/javascript/ql/src/Security/CWE-312/CleartextLogging.ql @@ -31,8 +31,8 @@ predicate inBrowserEnvironment(TopLevel tl) { ) } -from Configuration cfg, Source source, DataFlow::Node sink +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink where cfg.hasFlow(source, sink) and // ignore logging to the browser console (even though it is not a good practice) not inBrowserEnvironment(sink.asExpr().getTopLevel()) -select sink, "Sensitive data returned by $@ is logged here.", source, source.describe() +select sink, "Sensitive data returned by $@ is logged here.", source, source.(Source).describe() diff --git a/javascript/ql/src/Security/CWE-312/CleartextStorage.ql b/javascript/ql/src/Security/CWE-312/CleartextStorage.ql index b11abf5abfa..03f876f9abc 100644 --- a/javascript/ql/src/Security/CWE-312/CleartextStorage.ql +++ b/javascript/ql/src/Security/CWE-312/CleartextStorage.ql 
@@ -15,6 +15,6 @@ import javascript import semmle.javascript.security.dataflow.CleartextStorage::CleartextStorage -from Configuration cleartextStorage, Source source, DataFlow::Node sink -where cleartextStorage.hasFlow(source, sink) -select sink, "Sensitive data returned by $@ is stored here.", source, source.describe() +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where cfg.hasFlow(source, sink) +select sink, "Sensitive data returned by $@ is stored here.", source, source.(Source).describe() diff --git a/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql b/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql index a597b6fc60f..242d79ecaa7 100644 --- a/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql +++ b/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql @@ -8,12 +8,12 @@ * @tags security * external/cwe/cwe-327 */ + import javascript -import semmle.javascript.security.dataflow.RemoteFlowSources import semmle.javascript.security.dataflow.BrokenCryptoAlgorithm::BrokenCryptoAlgorithm import semmle.javascript.security.SensitiveActions -from Configuration brokenCrypto, Source source, DataFlow::Node sink -where brokenCrypto.hasFlow(source, sink) and +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where cfg.hasFlow(source, sink) and not source.asExpr() instanceof CleartextPasswordExpr // flagged by js/insufficient-password-hash -select sink, "Sensitive data from $@ is used in a broken or weak cryptographic algorithm.", source , source.describe() +select sink, "Sensitive data from $@ is used in a broken or weak cryptographic algorithm.", source , source.(Source).describe() diff --git a/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql b/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql index b43f6f700d2..a0476e02000 100644 --- a/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql 
+++ b/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql @@ -14,8 +14,8 @@ import javascript import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentials::CorsMisconfigurationForCredentials -from Configuration cfg, DataFlow::Node source, Sink sink +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink where cfg.hasFlow(source, sink) select sink, "$@ leak vulnerability due to $@.", - sink.getCredentialsHeader(), "Credential", + sink.(Sink).getCredentialsHeader(), "Credential", source, "a misconfigured CORS header value" diff --git a/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql b/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql index ae70f83ed87..32118edee27 100644 --- a/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql +++ b/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql @@ -15,8 +15,8 @@ import javascript import semmle.javascript.security.dataflow.RemotePropertyInjection::RemotePropertyInjection -from Configuration c, DataFlow::Node source, Sink sink -where c.hasFlow(source, sink) -select sink, "A $@ is used as" + sink.getMessage(), +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where cfg.hasFlow(source, sink) +select sink, "A $@ is used as" + sink.(Sink).getMessage(), source, "user-provided value" diff --git a/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql b/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql index 98ee34f1ef8..d0d8b0b6ddb 100644 --- a/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql +++ b/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql 
@@ -15,6 +15,6 @@ import javascript import semmle.javascript.security.dataflow.ClientSideUrlRedirect::ClientSideUrlRedirect -from Configuration urlRedirect, DataFlow::Node source, DataFlow::Node sink -where urlRedirect.hasFlow(source, sink) +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where cfg.hasFlow(source, sink) select sink, "Untrusted URL redirection due to $@.", source, "user-provided value" \ No newline at end of file diff --git a/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql b/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql index 3c689345fd7..be6a4ef8ecb 100644 --- a/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql +++ b/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql @@ -13,6 +13,6 @@ import javascript import semmle.javascript.security.dataflow.ServerSideUrlRedirect::ServerSideUrlRedirect -from Configuration urlRedirect, DataFlow::Node source, DataFlow::Node sink -where urlRedirect.hasFlow(source, sink) +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where cfg.hasFlow(source, sink) select sink, "Untrusted URL redirection due to $@.", source, "user-provided value" diff --git a/javascript/ql/src/Security/CWE-611/Xxe.ql b/javascript/ql/src/Security/CWE-611/Xxe.ql index 037e6af3dda..0863ea142c6 100644 --- a/javascript/ql/src/Security/CWE-611/Xxe.ql +++ b/javascript/ql/src/Security/CWE-611/Xxe.ql @@ -14,7 +14,7 @@ import javascript import semmle.javascript.security.dataflow.Xxe::Xxe -from Configuration c, DataFlow::Node source, DataFlow::Node sink -where c.hasFlow(source, sink) +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where cfg.hasFlow(source, sink) select sink, "A $@ is parsed as XML without guarding against external entity expansion.", source, "user-provided value" diff --git a/javascript/ql/src/Security/CWE-643/XpathInjection.ql b/javascript/ql/src/Security/CWE-643/XpathInjection.ql index 32f373db001..dd4e4954ca5 100644 
--- a/javascript/ql/src/Security/CWE-643/XpathInjection.ql +++ b/javascript/ql/src/Security/CWE-643/XpathInjection.ql @@ -13,6 +13,6 @@ import javascript import semmle.javascript.security.dataflow.XpathInjection::XpathInjection -from Configuration c, DataFlow::Node source, DataFlow::Node sink -where c.hasFlow(source, sink) +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where cfg.hasFlow(source, sink) select sink, "$@ flows here and is used in an XPath expression.", source, "User-provided value" diff --git a/javascript/ql/src/Security/CWE-730/RegExpInjection.ql b/javascript/ql/src/Security/CWE-730/RegExpInjection.ql index 532900895bc..4de4e0ec229 100644 --- a/javascript/ql/src/Security/CWE-730/RegExpInjection.ql +++ b/javascript/ql/src/Security/CWE-730/RegExpInjection.ql @@ -15,6 +15,6 @@ import javascript import semmle.javascript.security.dataflow.RegExpInjection::RegExpInjection -from Configuration c, DataFlow::Node source, DataFlow::Node sink -where c.hasFlow(source, sink) +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where cfg.hasFlow(source, sink) select sink, "This regular expression is constructed from a $@.", source, "user-provided value" diff --git a/javascript/ql/src/Security/CWE-776/XmlBomb.ql b/javascript/ql/src/Security/CWE-776/XmlBomb.ql index 3433ab5eb25..27c207751d4 100644 --- a/javascript/ql/src/Security/CWE-776/XmlBomb.ql +++ b/javascript/ql/src/Security/CWE-776/XmlBomb.ql @@ -14,7 +14,7 @@ import javascript import semmle.javascript.security.dataflow.XmlBomb::XmlBomb -from Configuration c, DataFlow::Node source, DataFlow::Node sink -where c.hasFlow(source, sink) +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where cfg.hasFlow(source, sink) select sink, "A $@ is parsed as XML without guarding against uncontrolled entity expansion.", source, "user-provided value" 
diff --git a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql index 54b3a023da2..e7da4f592f5 100644 --- a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql +++ b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql @@ -15,11 +15,11 @@ import javascript private import semmle.javascript.security.dataflow.HardcodedCredentials::HardcodedCredentials -from Configuration cfg, DataFlow::Node source, Sink sink, string value +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string value where cfg.hasFlow(source, sink) and // use source value in message if it's available if source.asExpr() instanceof ConstantString then value = "The hard-coded value \"" + source.asExpr().(ConstantString).getStringValue() + "\"" else value = "This hard-coded value" -select source, value + " is used as $@.", sink, sink.getKind() +select source, value + " is used as $@.", sink, sink.(Sink).getKind() diff --git a/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql b/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql index e939bb61f8a..b66609cc9fa 100644 --- a/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql +++ b/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql @@ -9,6 +9,7 @@ * external/cwe/cwe-807 * external/cwe/cwe-290 */ + import javascript import semmle.javascript.security.dataflow.ConditionalBypass::ConditionalBypass diff --git a/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql b/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql index fa2aaf95e80..cf6144c440b 100644 --- a/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql +++ b/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql 
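Review bot: The new select line in HardcodedCredentials.ql still interpolates the full hard-coded secret into the alert message through `value`, so the credential is copied verbatim into SARIF/CSV exports, dashboards and CI logs whose audience may be wider than the repository's. The `then` branch that builds that string is context here, so the commit does not introduce it, but since the query is being touched it is worth considering a redacted form such as `then value = "The hard-coded " + source.asExpr().(ConstantString).getStringValue().length() + "-character string"`, which keeps the alert locatable (it is placed on the source expression anyway) without echoing the secret. Note that `sink.(Sink)` is a restriction, not an assertion: a flow the configuration reports to a node outside `Sink` silently disappears from the results, which is the same behaviour the old `Sink sink` declaration had.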
@@ -9,8 +9,8 @@ */ import javascript -import semmle.javascript.security.dataflow.HttpToFileAccess +import semmle.javascript.security.dataflow.HttpToFileAccess::HttpToFileAccess -from HttpToFileAccess::Configuration configuration, DataFlow::Node src, DataFlow::Node sink -where configuration.hasFlow(src, sink) -select sink, "$@ flows to file system", src, "Untrusted data" +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink +where cfg.hasFlow(source, sink) +select sink, "$@ flows to file system", source, "Untrusted data" diff --git a/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql b/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql index eb27d36b827..3b5c03e5fab 100644 --- a/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql +++ b/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql @@ -12,6 +12,6 @@ import javascript import semmle.javascript.security.dataflow.InsufficientPasswordHash::InsufficientPasswordHash -from Configuration cfg, Source source, DataFlow::Node sink +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink where cfg.hasFlow(source, sink) -select sink, "Password from $@ is hashed insecurely.", source , source.describe() +select sink, "Password from $@ is hashed insecurely.", source , source.(Source).describe() diff --git a/javascript/ql/src/Security/CWE-918/RequestForgery.ql b/javascript/ql/src/Security/CWE-918/RequestForgery.ql index 3c968bf9fa6..95f8f348422 100644 --- a/javascript/ql/src/Security/CWE-918/RequestForgery.ql +++ b/javascript/ql/src/Security/CWE-918/RequestForgery.ql 
@@ -12,7 +12,7 @@ import javascript import semmle.javascript.security.dataflow.RequestForgery::RequestForgery -from Configuration cfg, DataFlow::Node source, Sink sink, DataFlow::Node request +from Configuration cfg, DataFlow::Node source, DataFlow::Node sink, DataFlow::Node request where cfg.hasFlow(source, sink) and request = sink.getARequest() -select request, "The $@ of this request depends on $@.", sink, sink.getKind(), source, "a user-provided value" +select request, "The $@ of this request depends on $@.", sink, sink.(Sink).getKind(), source, "a user-provided value"
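Review bot: The unchanged context line `request = sink.getARequest()` now dereferences a variable declared as `DataFlow::Node`, but as far as this hunk shows `getARequest()` is a member of `Sink`, not of `DataFlow::Node`, so the query should fail to compile unless the library declares it on the base class. The select line received the inline cast while this line did not; it should read `request = sink.(Sink).getARequest()`. Keep in mind the cast is a restriction rather than an assertion: any flow the configuration reports to a node outside `Sink` is dropped from the results silently, which matches the old `Sink sink` declaration but is worth a short comment so nobody later mistakes it for a runtime check.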