JS: Port UnsafeDynamicMethodAccess

2026-05-02 12:15:17 +02:00 · 2023-10-05 09:25:26 +02:00
parent 758f42495c
commit 7f4d42ddcd
3 changed files with 93 additions and 50 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll
@@ -20,7 +20,66 @@ private class ConcreteUnsafeFunction extends UnsafeFunction {
 /**
 * A taint-tracking configuration for reasoning about unsafe dynamic method access.
 */
-class Configuration extends TaintTracking::Configuration {
+module UnsafeDynamicMethodAccessConfig implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowLabel;
+
+  predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+    source.(Source).getFlowLabel() = label
+  }
+
+  predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+    sink.(Sink).getFlowLabel() = label
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof Sanitizer
+    or
+    exists(StringConcatenation::getOperand(node, _)) and
+    not StringConcatenation::isCoercion(node)
+  }
+
+  predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel label) {
+    TaintTracking::defaultSanitizer(node) and
+    label.isTaint()
+  }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node src, DataFlow::FlowLabel srclabel, DataFlow::Node dst,
+    DataFlow::FlowLabel dstlabel
+  ) {
+    // Reading a property of the global object or of a function
+    exists(DataFlow::PropRead read |
+      PropertyInjection::hasUnsafeMethods(read.getBase().getALocalSource()) and
+      src = read.getPropertyNameExpr().flow() and
+      dst = read and
+      srclabel.isTaint() and
+      dstlabel = unsafeFunction()
+    )
+    or
+    // Reading a chain of properties from any object with a prototype can lead to Function
+    exists(PropertyProjection proj |
+      not PropertyInjection::isPrototypeLessObject(proj.getObject().getALocalSource()) and
+      src = proj.getASelector() and
+      dst = proj and
+      srclabel.isTaint() and
+      dstlabel = unsafeFunction()
+    )
+    or
+    srclabel.isTaint() and
+    TaintTracking::defaultTaintStep(src, dst) and
+    srclabel = dstlabel
+  }
+}
+
+/**
+ * Taint-tracking for reasoning about unsafe dynamic method access.
+ */
+module UnsafeDynamicMethodAccessFlow = DataFlow::GlobalWithState<UnsafeDynamicMethodAccessConfig>;
+
+/**
+ * DEPRECATED. Use the `UnsafeDynamicMethodAccessFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "UnsafeDynamicMethodAccess" }

  override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {