JS: Port UnsafeDeserialization

2026-04-25 16:55:19 +02:00 · 2023-10-05 09:25:16 +02:00
parent 32022ccbda
commit 758f42495c
3 changed files with 30 additions and 37 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationQuery.qll
@@ -12,7 +12,23 @@ import UnsafeDeserializationCustomizations::UnsafeDeserialization
 /**
 * A taint-tracking configuration for reasoning about unsafe deserialization.
 */
-class Configuration extends TaintTracking::Configuration {
+module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * Taint-tracking for reasoning about unsafe deserialization.
+ */
+module UnsafeDeserializationFlow = TaintTracking::Global<UnsafeDeserializationConfig>;
+
+/**
+ * DEPRECATED. Use the `UnsafeDeserializationFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "UnsafeDeserialization" }

  override predicate isSource(DataFlow::Node source) { source instanceof Source }
--- a/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
+++ b/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
@@ -13,9 +13,9 @@

 import javascript
 import semmle.javascript.security.dataflow.UnsafeDeserializationQuery
-import DataFlow::PathGraph
+import UnsafeDeserializationFlow::PathGraph

-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from UnsafeDeserializationFlow::PathNode source, UnsafeDeserializationFlow::PathNode sink
+where UnsafeDeserializationFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Unsafe deserialization depends on a $@.", source.getNode(),
  "user-provided value"
--- a/javascript/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-502/UnsafeDeserialization.expected
@@ -1,37 +1,14 @@
-nodes
-| tst.js:13:22:13:36 | req.params.data |
-| tst.js:13:22:13:36 | req.params.data |
-| tst.js:13:22:13:36 | req.params.data |
-| tst.js:14:25:14:39 | req.params.data |
-| tst.js:14:25:14:39 | req.params.data |
-| tst.js:14:25:14:39 | req.params.data |
-| tst.js:15:26:15:40 | req.params.data |
-| tst.js:15:26:15:40 | req.params.data |
-| tst.js:15:26:15:40 | req.params.data |
-| tst.js:16:29:16:43 | req.params.data |
-| tst.js:16:29:16:43 | req.params.data |
-| tst.js:16:29:16:43 | req.params.data |
-| tst.js:20:22:20:36 | req.params.data |
-| tst.js:20:22:20:36 | req.params.data |
-| tst.js:20:22:20:36 | req.params.data |
-| tst.js:21:22:21:36 | req.params.data |
-| tst.js:21:22:21:36 | req.params.data |
-| tst.js:21:22:21:36 | req.params.data |
-| tst.js:24:22:24:36 | req.params.data |
-| tst.js:24:22:24:36 | req.params.data |
-| tst.js:24:22:24:36 | req.params.data |
-| tst.js:25:22:25:36 | req.params.data |
-| tst.js:25:22:25:36 | req.params.data |
-| tst.js:25:22:25:36 | req.params.data |
 edges
-| tst.js:13:22:13:36 | req.params.data | tst.js:13:22:13:36 | req.params.data |
-| tst.js:14:25:14:39 | req.params.data | tst.js:14:25:14:39 | req.params.data |
-| tst.js:15:26:15:40 | req.params.data | tst.js:15:26:15:40 | req.params.data |
-| tst.js:16:29:16:43 | req.params.data | tst.js:16:29:16:43 | req.params.data |
-| tst.js:20:22:20:36 | req.params.data | tst.js:20:22:20:36 | req.params.data |
-| tst.js:21:22:21:36 | req.params.data | tst.js:21:22:21:36 | req.params.data |
-| tst.js:24:22:24:36 | req.params.data | tst.js:24:22:24:36 | req.params.data |
-| tst.js:25:22:25:36 | req.params.data | tst.js:25:22:25:36 | req.params.data |
+nodes
+| tst.js:13:22:13:36 | req.params.data | semmle.label | req.params.data |
+| tst.js:14:25:14:39 | req.params.data | semmle.label | req.params.data |
+| tst.js:15:26:15:40 | req.params.data | semmle.label | req.params.data |
+| tst.js:16:29:16:43 | req.params.data | semmle.label | req.params.data |
+| tst.js:20:22:20:36 | req.params.data | semmle.label | req.params.data |
+| tst.js:21:22:21:36 | req.params.data | semmle.label | req.params.data |
+| tst.js:24:22:24:36 | req.params.data | semmle.label | req.params.data |
+| tst.js:25:22:25:36 | req.params.data | semmle.label | req.params.data |
+subpaths
 #select
 | tst.js:13:22:13:36 | req.params.data | tst.js:13:22:13:36 | req.params.data | tst.js:13:22:13:36 | req.params.data | Unsafe deserialization depends on a $@. | tst.js:13:22:13:36 | req.params.data | user-provided value |
 | tst.js:14:25:14:39 | req.params.data | tst.js:14:25:14:39 | req.params.data | tst.js:14:25:14:39 | req.params.data | Unsafe deserialization depends on a $@. | tst.js:14:25:14:39 | req.params.data | user-provided value |