hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Fix some join orders

Browse Source
This commit is contained in:
Asger Feldthaus
2021-03-22 16:17:19 +00:00
parent 42e6c7eb2e
commit 6b19e69d30
5 changed files with 64 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
javascript/ql/src/semmle/javascript/DOM.qll
View File

@@ -315,6 +315,11 @@ module DOM {
)
}
private InferredType getArgumentTypeFromJQueryMethodGet(JQuery::MethodCall call) {
call.getMethodName() = "get" and
result = call.getArgument(0).analyze().getAType()
}
private class DefaultRange extends Range {
DefaultRange() {
this.asExpr().(VarAccess).getVariable() instanceof DOMGlobalVariable
@@ -344,7 +349,7 @@ module DOM {
or
exists(JQuery::MethodCall call | this = call and call.getMethodName() = "get" |
call.getNumArgument() = 1 and
unique(InferredType t | t = call.getArgument(0).analyze().getAType()) = TTNumber()
unique(InferredType t | t = getArgumentTypeFromJQueryMethodGet(call)) = TTNumber()
)
or
// A `this` node from a callback given to a `$().each(callback)` call.

83
javascript/ql/src/semmle/javascript/HtmlSanitizers.qll
View File

@@ -16,51 +16,54 @@ abstract class HtmlSanitizerCall extends DataFlow::CallNode {
abstract DataFlow::Node getInput();
}
pragma[noinline]
private DataFlow::SourceNode htmlSanitizerFunction() {
result = DataFlow::moduleMember("ent", "encode")
or
result = DataFlow::moduleMember("entities", "encodeHTML")
or
result = DataFlow::moduleMember("entities", "encodeXML")
or
result = DataFlow::moduleMember("escape-goat", "escape")
or
result = DataFlow::moduleMember("he", "encode")
or
result = DataFlow::moduleMember("he", "escape")
or
result = DataFlow::moduleImport("sanitize-html")
or
result = DataFlow::moduleMember("sanitizer", "escape")
or
result = DataFlow::moduleMember("sanitizer", "sanitize")
or
result = DataFlow::moduleMember("validator", "escape")
or
result = DataFlow::moduleImport("xss")
or
result = DataFlow::moduleMember("xss-filters", _)
or
result = LodashUnderscore::member("escape")
or
exists(DataFlow::PropRead read | read = result |
read.getPropertyName() = "sanitize" and
read.getBase().asExpr().(VarAccess).getName() = "DOMPurify"
)
or
exists(string name | name = "encode" or name = "encodeNonUTF" |
result =
DataFlow::moduleMember("html-entities", _).getAnInstantiation().getAPropertyRead(name) or
result = DataFlow::moduleMember("html-entities", _).getAPropertyRead(name)
)
or
result = Closure::moduleImport("goog.string.htmlEscape")
}
/**
* Matches HTML sanitizers from known NPM packages as well as home-made sanitizers (matched by name).
*/
private class DefaultHtmlSanitizerCall extends HtmlSanitizerCall {
DefaultHtmlSanitizerCall() {
exists(DataFlow::SourceNode callee | this = callee.getACall() |
callee = DataFlow::moduleMember("ent", "encode")
or
callee = DataFlow::moduleMember("entities", "encodeHTML")
or
callee = DataFlow::moduleMember("entities", "encodeXML")
or
callee = DataFlow::moduleMember("escape-goat", "escape")
or
callee = DataFlow::moduleMember("he", "encode")
or
callee = DataFlow::moduleMember("he", "escape")
or
callee = DataFlow::moduleImport("sanitize-html")
or
callee = DataFlow::moduleMember("sanitizer", "escape")
or
callee = DataFlow::moduleMember("sanitizer", "sanitize")
or
callee = DataFlow::moduleMember("validator", "escape")
or
callee = DataFlow::moduleImport("xss")
or
callee = DataFlow::moduleMember("xss-filters", _)
or
callee = LodashUnderscore::member("escape")
or
exists(DataFlow::PropRead read | read = callee |
read.getPropertyName() = "sanitize" and
read.getBase().asExpr().(VarAccess).getName() = "DOMPurify"
)
or
exists(string name | name = "encode" or name = "encodeNonUTF" |
callee =
DataFlow::moduleMember("html-entities", _).getAnInstantiation().getAPropertyRead(name) or
callee = DataFlow::moduleMember("html-entities", _).getAPropertyRead(name)
)
or
callee = Closure::moduleImport("goog.string.htmlEscape")
)
this = htmlSanitizerFunction().getACall()
or
// Match home-made sanitizers by name.
exists(string calleeName | calleeName = getCalleeName() |

1
javascript/ql/src/semmle/javascript/Promises.qll
View File

@@ -596,6 +596,7 @@ private module ClosurePromise {
* A promise created by a call `goog.Promise.resolve(value)`.
*/
private class ResolvedClosurePromiseDefinition extends ResolvedPromiseDefinition {
pragma[noinline]
ResolvedClosurePromiseDefinition() {
this = Closure::moduleImport("goog.Promise.resolve").getACall()
}

6
javascript/ql/src/semmle/javascript/frameworks/SocketIO.qll
View File

@@ -268,9 +268,11 @@ module SocketIO {
/** Gets the `i`th parameter through which data is received from a client. */
override DataFlow::SourceNode getReceivedItem(int i) {
exists(DataFlow::FunctionNode cb | cb = getListener() and result = cb.getParameter(i) |
exists(DataFlow::FunctionNode cb |
cb = getListener() and
result = cb.getParameter(i) and
// exclude last parameter if it looks like a callback
result != cb.getLastParameter() or not exists(result.getAnInvocation())
not (result = cb.getLastParameter() and exists(result.getAnInvocation()))
)
}

12
javascript/ql/src/semmle/javascript/security/dataflow/DOM.qll
View File

@@ -156,6 +156,12 @@ private module PersistentWebStorage {
result = DataFlow::globalVarRef(kind)
}
pragma[noinline]
WriteAccess getAWriteByName(string name, string kind) {
result.getKey() = name and
result.getKind() = kind
}
/**
* A read access.
*/
@@ -165,8 +171,10 @@ private module PersistentWebStorage {
ReadAccess() { this = webStorage(kind).getAMethodCall("getItem") }
override PersistentWriteAccess getAWrite() {
getArgument(0).mayHaveStringValue(result.(WriteAccess).getKey()) and
result.(WriteAccess).getKind() = kind
exists(string name |
getArgument(0).mayHaveStringValue(name) and
result = getAWriteByName(name, kind)
)
}
}