Merge pull request #9572 from erik-krogh/heuristicSteps

JS: add heuristic taint-step for potentially unmodelled libraries
2026-04-30 03:05:15 +02:00 · 2022-06-21 09:00:58 +02:00
parent 7010dffed7 ce323e215b
commit 79696c6c5f
2 changed files with 54 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/heuristics/AdditionalTaintSteps.qll
+++ b/javascript/ql/lib/semmle/javascript/heuristics/AdditionalTaintSteps.qll
@@ -17,3 +17,15 @@ private class HeuristicStringManipulationTaintStep extends TaintTracking::Shared
    )
  }
 }
+
+/** Any call to a library component where we assume taint from any argument to the result */
+private class HeuristicLibraryCallTaintStep extends TaintTracking::SharedTaintStep {
+  override predicate heuristicStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call |
+      pred = call.getAnArgument() or // the plain argument
+      pred = call.getAnArgument().(DataFlow::SourceNode).getAPropertyWrite().getRhs() // one property down
+    |
+      succ = call
+    )
+  }
+}
--- a/javascript/ql/src/meta/analysis-quality/UnmodelledSteps.ql
+++ b/javascript/ql/src/meta/analysis-quality/UnmodelledSteps.ql
@@ -0,0 +1,42 @@
+/**
+ * @name Unmodeled step
+ * @description A potential step from an argument to a return that has no data/taint step.
+ * @kind metric
+ * @metricType project
+ * @metricAggregate sum
+ * @tags meta
+ * @id js/meta/unmodeled-step
+ */
+
+import javascript
+import meta.MetaMetrics
+private import Expressions.ExprHasNoEffect
+import meta.internal.TaintMetrics
+
+predicate unmodeled(API::Node callee, API::CallNode call, DataFlow::Node pred, DataFlow::Node succ) {
+  callee.getACall() = call and
+  pred = call.getAnArgument() and
+  succ = call and
+  not inVoidContext(succ.asExpr()) and // void calls are irrelevant
+  not call.getAnArgument() = relevantTaintSink() and // calls with sinks are considered modeled
+  // we assume taint to the return value means the call is modeled
+  not (
+    TaintTracking::sharedTaintStep(_, succ)
+    or
+    DataFlow::SharedFlowStep::step(_, succ)
+    or
+    DataFlow::SharedFlowStep::step(_, succ, _, _)
+    or
+    DataFlow::SharedFlowStep::loadStep(_, succ, _)
+    or
+    DataFlow::SharedFlowStep::storeStep(_, succ, _)
+    or
+    DataFlow::SharedFlowStep::loadStoreStep(_, succ, _, _)
+    or
+    DataFlow::SharedFlowStep::loadStoreStep(_, succ, _)
+  ) and
+  not pred.getFile() instanceof IgnoredFile and
+  not succ.getFile() instanceof IgnoredFile
+}
+
+select projectRoot(), count(DataFlow::Node pred, DataFlow::Node succ | unmodeled(_, _, pred, succ))