Merged config classes

2025-12-16 16:53:25 +01:00 · 2025-09-04 12:31:24 +00:00
parent 4dac80a998
commit 6c751ce934
2 changed files with 14 additions and 23 deletions
--- a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll
@@ -10,18 +10,15 @@ import javascript
 module CorsPermissiveConfiguration {
  private newtype TFlowState =
    TTaint() or
-    TTrueOrNull() or
-    TWildcard()
+    TPermissive()

-  /** A flow state to asociate with a tracked value. */
+  /** A flow state to associate with a tracked value. */
  class FlowState extends TFlowState {
    /** Gets a string representation of this flow state. */
    string toString() {
      this = TTaint() and result = "taint"
      or
-      this = TTrueOrNull() and result = "true-or-null"
-      or
-      this = TWildcard() and result = "wildcard"
+      this = TPermissive() and result = "permissive"
    }
  }

@@ -30,11 +27,8 @@ module CorsPermissiveConfiguration {
    /** A tainted value. */
    FlowState taint() { result = TTaint() }

-    /** A `true` or `null` value. */
-    FlowState trueOrNull() { result = TTrueOrNull() }
-
-    /** A `"*"` value. */
-    FlowState wildcard() { result = TWildcard() }
+    /** A permissive value (true, null, or "*"). */
+    FlowState permissive() { result = TPermissive() }
  }

  /**
@@ -59,14 +53,13 @@ module CorsPermissiveConfiguration {
    ActiveThreatModelSourceAsSource() { not this instanceof ClientSideRemoteFlowSource }
  }

-  /** An overly permissive value for `origin` (Apollo) */
-  class TrueNullValue extends Source {
-    TrueNullValue() { this.mayHaveBooleanValue(true) or this.asExpr() instanceof NullLiteral }
-  }
-
-  /** An overly permissive value for `origin` (Express) */
-  class WildcardValue extends Source {
-    WildcardValue() { this.mayHaveStringValue("*") }
+  /** An overly permissive value for `origin` configuration. */
+  class PermissiveValue extends Source {
+    PermissiveValue() {
+      this.mayHaveBooleanValue(true) or
+      this.asExpr() instanceof NullLiteral or
+      this.mayHaveStringValue("*")
+    }
  }

  /**
--- a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationQuery.qll
@@ -19,16 +19,14 @@ module CorsPermissiveConfigurationConfig implements DataFlow::StateConfigSig {
  class FlowState = CorsPermissiveConfiguration::FlowState;

  predicate isSource(DataFlow::Node source, FlowState state) {
-    source instanceof TrueNullValue and state = FlowState::trueOrNull()
-    or
-    source instanceof WildcardValue and state = FlowState::wildcard()
+    source instanceof PermissiveValue and state = FlowState::permissive()
    or
    source instanceof RemoteFlowSource and state = FlowState::taint()
  }

  predicate isSink(DataFlow::Node sink, FlowState state) {
    sink instanceof CorsOriginSink and
-    state = [FlowState::taint(), FlowState::trueOrNull(), FlowState::wildcard()]
+    state = [FlowState::taint(), FlowState::permissive()]
  }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }