JS: Port experimental EnvValueInjection to ConfigSig

2026-04-24 08:15:14 +02:00 · 2024-11-28 11:25:01 +01:00
parent 4f839070a0
commit 7e162f5451
2 changed files with 22 additions and 30 deletions
--- a/javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.ql
+++ b/javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.ql
@@ -11,20 +11,21 @@
 */

 import javascript
-import DataFlow::PathGraph

 /** A taint tracking configuration for unsafe environment injection. */
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "envInjection" }
+module EnvValueInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
    sink = API::moduleImport("process").getMember("env").getAMember().asSink()
  }
 }

-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+module EnvValueInjectionFlow = TaintTracking::Global<EnvValueInjectionConfig>;
+
+import EnvValueInjectionFlow::PathGraph
+
+from EnvValueInjectionFlow::PathNode source, EnvValueInjectionFlow::PathNode sink
+where EnvValueInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "this environment variable assignment is $@.",
  source.getNode(), "user controllable"
--- a/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.expected
+++ b/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.expected
@@ -1,26 +1,17 @@
-nodes
-| test.js:4:9:4:20 | { EnvValue } |
-| test.js:4:9:4:31 | EnvValue |
-| test.js:4:11:4:18 | EnvValue |
-| test.js:4:24:4:31 | req.body |
-| test.js:4:24:4:31 | req.body |
-| test.js:5:35:5:42 | EnvValue |
-| test.js:5:35:5:42 | EnvValue |
-| test.js:6:23:6:30 | EnvValue |
-| test.js:6:23:6:30 | EnvValue |
-| test.js:7:22:7:29 | EnvValue |
-| test.js:7:22:7:29 | EnvValue |
 edges
-| test.js:4:9:4:20 | { EnvValue } | test.js:4:11:4:18 | EnvValue |
-| test.js:4:9:4:31 | EnvValue | test.js:5:35:5:42 | EnvValue |
-| test.js:4:9:4:31 | EnvValue | test.js:5:35:5:42 | EnvValue |
-| test.js:4:9:4:31 | EnvValue | test.js:6:23:6:30 | EnvValue |
-| test.js:4:9:4:31 | EnvValue | test.js:6:23:6:30 | EnvValue |
-| test.js:4:9:4:31 | EnvValue | test.js:7:22:7:29 | EnvValue |
-| test.js:4:9:4:31 | EnvValue | test.js:7:22:7:29 | EnvValue |
-| test.js:4:11:4:18 | EnvValue | test.js:4:9:4:31 | EnvValue |
-| test.js:4:24:4:31 | req.body | test.js:4:9:4:20 | { EnvValue } |
-| test.js:4:24:4:31 | req.body | test.js:4:9:4:20 | { EnvValue } |
+| test.js:4:9:4:20 | { EnvValue } | test.js:4:9:4:31 | EnvValue | provenance |  |
+| test.js:4:9:4:31 | EnvValue | test.js:5:35:5:42 | EnvValue | provenance |  |
+| test.js:4:9:4:31 | EnvValue | test.js:6:23:6:30 | EnvValue | provenance |  |
+| test.js:4:9:4:31 | EnvValue | test.js:7:22:7:29 | EnvValue | provenance |  |
+| test.js:4:24:4:31 | req.body | test.js:4:9:4:20 | { EnvValue } | provenance |  |
+nodes
+| test.js:4:9:4:20 | { EnvValue } | semmle.label | { EnvValue } |
+| test.js:4:9:4:31 | EnvValue | semmle.label | EnvValue |
+| test.js:4:24:4:31 | req.body | semmle.label | req.body |
+| test.js:5:35:5:42 | EnvValue | semmle.label | EnvValue |
+| test.js:6:23:6:30 | EnvValue | semmle.label | EnvValue |
+| test.js:7:22:7:29 | EnvValue | semmle.label | EnvValue |
+subpaths
 #select
 | test.js:5:35:5:42 | EnvValue | test.js:4:24:4:31 | req.body | test.js:5:35:5:42 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable |
 | test.js:6:23:6:30 | EnvValue | test.js:4:24:4:31 | req.body | test.js:6:23:6:30 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable |