JavaScript: Refactor security queries for uniformity.

This commit is contained in:
Max Schaefer
2018-11-08 12:41:44 +00:00
parent 9b4ae9e4d3
commit 65bcf0f526
23 changed files with 56 additions and 62 deletions


@@ -14,7 +14,7 @@
import javascript
import semmle.javascript.security.dataflow.ReflectedXss::ReflectedXss
from Configuration xss, DataFlow::Node source, DataFlow::Node sink
where xss.hasFlow(source, sink)
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "Cross-site scripting vulnerability due to $@.",
source, "user-provided value"


@@ -14,7 +14,7 @@
import javascript
import semmle.javascript.security.dataflow.StoredXss::StoredXss
from Configuration xss, DataFlow::Node source, DataFlow::Node sink
where xss.hasFlow(source, sink)
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "Stored cross-site scripting vulnerability due to $@.",
source, "stored value"


@@ -14,7 +14,7 @@
import javascript
import semmle.javascript.security.dataflow.DomBasedXss::DomBasedXss
from Configuration xss, DataFlow::Node source, Sink sink
where xss.hasFlow(source, sink)
select sink, sink.getVulnerabilityKind() + " vulnerability due to $@.",
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, sink.(Sink).getVulnerabilityKind() + " vulnerability due to $@.",
source, "user-provided value"
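Review bot: The new select line's cast `sink.(Sink).getVulnerabilityKind()` silently drops any result whose sink node is not a `Sink` instance, since a failed cast removes the whole row rather than producing an alert without a kind. That is harmless if the configuration's `isSink` is exactly `sink instanceof Sink` (not visible in this hunk), but worth a one-line comment on the `from` clause, e.g. `// sink is a DataFlow::Node for uniformity; the select cast assumes every configured sink is a Sink`. The same pattern is used in the other queries of this commit. The query's metadata header is outside the hunk.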


@@ -14,15 +14,8 @@ import javascript
import semmle.javascript.security.dataflow.SqlInjection
import semmle.javascript.security.dataflow.NosqlInjection
predicate sqlInjection(DataFlow::Node source, DataFlow::Node sink) {
any(SqlInjection::Configuration cfg).hasFlow(source, sink)
}
predicate nosqlInjection(DataFlow::Node source, DataFlow::Node sink) {
any(NosqlInjection::Configuration cfg).hasFlow(source, sink)
}
from DataFlow::Node source, DataFlow::Node sink
where sqlInjection(source, sink) or
nosqlInjection(source, sink)
from DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where (cfg instanceof SqlInjection::Configuration or
cfg instanceof NosqlInjection::Configuration) and
cfg.hasFlow(source, sink)
select sink, "This query depends on $@.", source, "a user-provided value"


@@ -15,6 +15,6 @@
import javascript
import semmle.javascript.security.dataflow.CodeInjection::CodeInjection
from Configuration codeInjection, DataFlow::Node source, DataFlow::Node sink
where codeInjection.hasFlow(source, sink)
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "$@ flows to here and is interpreted as code.", source, "User-provided value"


@@ -12,6 +12,6 @@
import javascript
import semmle.javascript.security.dataflow.TaintedFormatString::TaintedFormatString
from Configuration c, DataFlow::Node source, DataFlow::Node sink
where c.hasFlow(source, sink)
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "$@ flows here and is used in a format string.", source, "User-provided value"


@@ -9,8 +9,8 @@
*/
import javascript
import semmle.javascript.security.dataflow.FileAccessToHttp
import semmle.javascript.security.dataflow.FileAccessToHttp::FileAccessToHttp
from FileAccessToHttp::Configuration config, DataFlow::Node src, DataFlow::Node sink
where config.hasFlow (src, sink)
select sink, "$@ flows directly to outbound network request", src, "File data"
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow (source, sink)
select sink, "$@ flows directly to outbound network request", source, "File data"
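Review bot: The rewritten where line keeps a space before the argument list, `cfg.hasFlow (source, sink)`, which none of the other queries touched by this uniformity commit have; `where cfg.hasFlow(source, sink)` would match them. The query's metadata header is outside the hunk.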


@@ -31,8 +31,8 @@ predicate inBrowserEnvironment(TopLevel tl) {
)
}
from Configuration cfg, Source source, DataFlow::Node sink
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink) and
// ignore logging to the browser console (even though it is not a good practice)
not inBrowserEnvironment(sink.asExpr().getTopLevel())
select sink, "Sensitive data returned by $@ is logged here.", source, source.describe()
select sink, "Sensitive data returned by $@ is logged here.", source, source.(Source).describe()


@@ -15,6 +15,6 @@
import javascript
import semmle.javascript.security.dataflow.CleartextStorage::CleartextStorage
from Configuration cleartextStorage, Source source, DataFlow::Node sink
where cleartextStorage.hasFlow(source, sink)
select sink, "Sensitive data returned by $@ is stored here.", source, source.describe()
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "Sensitive data returned by $@ is stored here.", source, source.(Source).describe()


@@ -8,12 +8,12 @@
* @tags security
* external/cwe/cwe-327
*/
import javascript
import semmle.javascript.security.dataflow.RemoteFlowSources
import semmle.javascript.security.dataflow.BrokenCryptoAlgorithm::BrokenCryptoAlgorithm
import semmle.javascript.security.SensitiveActions
from Configuration brokenCrypto, Source source, DataFlow::Node sink
where brokenCrypto.hasFlow(source, sink) and
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink) and
not source.asExpr() instanceof CleartextPasswordExpr // flagged by js/insufficient-password-hash
select sink, "Sensitive data from $@ is used in a broken or weak cryptographic algorithm.", source , source.describe()
select sink, "Sensitive data from $@ is used in a broken or weak cryptographic algorithm.", source , source.(Source).describe()


@@ -14,8 +14,8 @@
import javascript
import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentials::CorsMisconfigurationForCredentials
from Configuration cfg, DataFlow::Node source, Sink sink
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "$@ leak vulnerability due to $@.",
sink.getCredentialsHeader(), "Credential",
sink.(Sink).getCredentialsHeader(), "Credential",
source, "a misconfigured CORS header value"


@@ -15,8 +15,8 @@
import javascript
import semmle.javascript.security.dataflow.RemotePropertyInjection::RemotePropertyInjection
from Configuration c, DataFlow::Node source, Sink sink
where c.hasFlow(source, sink)
select sink, "A $@ is used as" + sink.getMessage(),
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "A $@ is used as" + sink.(Sink).getMessage(),
source, "user-provided value"


@@ -15,6 +15,6 @@
import javascript
import semmle.javascript.security.dataflow.ClientSideUrlRedirect::ClientSideUrlRedirect
from Configuration urlRedirect, DataFlow::Node source, DataFlow::Node sink
where urlRedirect.hasFlow(source, sink)
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "Untrusted URL redirection due to $@.", source, "user-provided value"


@@ -13,6 +13,6 @@
import javascript
import semmle.javascript.security.dataflow.ServerSideUrlRedirect::ServerSideUrlRedirect
from Configuration urlRedirect, DataFlow::Node source, DataFlow::Node sink
where urlRedirect.hasFlow(source, sink)
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "Untrusted URL redirection due to $@.", source, "user-provided value"


@@ -14,7 +14,7 @@
import javascript
import semmle.javascript.security.dataflow.Xxe::Xxe
from Configuration c, DataFlow::Node source, DataFlow::Node sink
where c.hasFlow(source, sink)
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "A $@ is parsed as XML without guarding against external entity expansion.",
source, "user-provided value"


@@ -13,6 +13,6 @@
import javascript
import semmle.javascript.security.dataflow.XpathInjection::XpathInjection
from Configuration c, DataFlow::Node source, DataFlow::Node sink
where c.hasFlow(source, sink)
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "$@ flows here and is used in an XPath expression.", source, "User-provided value"


@@ -15,6 +15,6 @@
import javascript
import semmle.javascript.security.dataflow.RegExpInjection::RegExpInjection
from Configuration c, DataFlow::Node source, DataFlow::Node sink
where c.hasFlow(source, sink)
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "This regular expression is constructed from a $@.", source, "user-provided value"


@@ -14,7 +14,7 @@
import javascript
import semmle.javascript.security.dataflow.XmlBomb::XmlBomb
from Configuration c, DataFlow::Node source, DataFlow::Node sink
where c.hasFlow(source, sink)
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "A $@ is parsed as XML without guarding against uncontrolled entity expansion.",
source, "user-provided value"


@@ -15,11 +15,11 @@
import javascript
private import semmle.javascript.security.dataflow.HardcodedCredentials::HardcodedCredentials
from Configuration cfg, DataFlow::Node source, Sink sink, string value
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string value
where cfg.hasFlow(source, sink) and
// use source value in message if it's available
if source.asExpr() instanceof ConstantString then
value = "The hard-coded value \"" + source.asExpr().(ConstantString).getStringValue() + "\""
else
value = "This hard-coded value"
select source, value + " is used as $@.", sink, sink.getKind()
select source, value + " is used as $@.", sink, sink.(Sink).getKind()
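Review bot: The rewritten select line still interpolates the hard-coded credential itself into the alert text through `value`, which the unchanged lines above build from `getStringValue()`, so every result export, dashboard or CI log that displays messages receives the plaintext secret. If that is not intended, the message could describe the value without echoing it, e.g. `value = "This hard-coded value"` unconditionally, or a masked prefix. This is pre-existing behaviour rather than something the refactor introduced, but the refactor is a natural place to decide it. The query's metadata header is outside the hunk.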


@@ -9,6 +9,7 @@
* external/cwe/cwe-807
* external/cwe/cwe-290
*/
import javascript
import semmle.javascript.security.dataflow.ConditionalBypass::ConditionalBypass


@@ -9,8 +9,8 @@
*/
import javascript
import semmle.javascript.security.dataflow.HttpToFileAccess
import semmle.javascript.security.dataflow.HttpToFileAccess::HttpToFileAccess
from HttpToFileAccess::Configuration configuration, DataFlow::Node src, DataFlow::Node sink
where configuration.hasFlow(src, sink)
select sink, "$@ flows to file system", src, "Untrusted data"
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "$@ flows to file system", source, "Untrusted data"


@@ -12,6 +12,6 @@
import javascript
import semmle.javascript.security.dataflow.InsufficientPasswordHash::InsufficientPasswordHash
from Configuration cfg, Source source, DataFlow::Node sink
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
select sink, "Password from $@ is hashed insecurely.", source , source.describe()
select sink, "Password from $@ is hashed insecurely.", source , source.(Source).describe()


@@ -12,7 +12,7 @@
import javascript
import semmle.javascript.security.dataflow.RequestForgery::RequestForgery
from Configuration cfg, DataFlow::Node source, Sink sink, DataFlow::Node request
from Configuration cfg, DataFlow::Node source, DataFlow::Node sink, DataFlow::Node request
where cfg.hasFlow(source, sink) and
request = sink.getARequest()
select request, "The $@ of this request depends on $@.", sink, sink.getKind(), source, "a user-provided value"
select request, "The $@ of this request depends on $@.", sink, sink.(Sink).getKind(), source, "a user-provided value"
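Review bot: The unchanged where line `request = sink.getARequest()` now calls a `Sink` member on a variable declared as `DataFlow::Node`, while the rewritten select line had to add the cast `sink.(Sink).getKind()` for exactly that reason; unless `DataFlow::Node` itself declares `getARequest()` (not visible here), the where line needs the same treatment, `request = sink.(Sink).getARequest()`. If this page has simply dropped that change from the hunk, disregard. The query's metadata header is outside the hunk.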