hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-02 12:15:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3099 from esbena/js/introduce-poi-utility

Browse Source 
Approved by erik-krogh
This commit is contained in:
semmle-qlci
2020-04-23 12:14:00 +01:00
committed by GitHub
parent 312e6229fb a66b4b55fe
commit 801ce89c67
18 changed files with 563 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
javascript/ql/test/experimental/PoI/CommandInjectionPoIConfiguration.expected Normal file
View File

@@ -0,0 +1,4 @@
| tst.js:16:15:16:25 | req.query.x | SourcePoI | tst.js:16:15:16:25 | req.query.x | irrelevant | tst.js:16:15:16:25 | req.query.x | irrelevant |
| tst.js:17:11:17:21 | req.query.x | SinkPoI | tst.js:17:11:17:21 | req.query.x | irrelevant | tst.js:17:11:17:21 | req.query.x | irrelevant |
| tst.js:17:11:17:21 | req.query.x | SourcePoI | tst.js:17:11:17:21 | req.query.x | irrelevant | tst.js:17:11:17:21 | req.query.x | irrelevant |
| tst.js:18:12:18:22 | req.query.x | SourcePoI | tst.js:18:12:18:22 | req.query.x | irrelevant | tst.js:18:12:18:22 | req.query.x | irrelevant |

13
javascript/ql/test/experimental/PoI/CommandInjectionPoIConfiguration.ql Normal file
View File

@@ -0,0 +1,13 @@
/**
* @kind problem
*/
import javascript
import experimental.poi.PoI
import semmle.javascript.security.dataflow.CommandInjection
import semmle.javascript.security.dataflow.IndirectCommandInjection
import semmle.javascript.security.dataflow.ShellCommandInjectionFromEnvironment
class MyDataFlowConfigurationPoIs extends DataFlowConfigurationPoI, ActivePoI { }
query predicate problems = alertQuery/6;

3
javascript/ql/test/experimental/PoI/ServerPoIConfiguration.expected Normal file
View File

@@ -0,0 +1,3 @@
| tst.js:6:1:6:16 | (req, res) => 42 | UnpromotedRouteHandlerPoI | tst.js:6:1:6:16 | (req, res) => 42 | irrelevant | tst.js:6:1:6:16 | (req, res) => 42 | irrelevant |
| tst.js:6:1:6:16 | (req, res) => 42 | UnpromotedRouteHandlerWithFlowPoI: $@ | tst.js:6:1:6:16 | (req, res) => 42 | ends here | tst.js:6:1:6:16 | (req, res) => 42 | irrelevant |
| tst.js:13:1:13:36 | otherAp ... h", rh) | UnpromotedRouteSetupPoI | tst.js:13:1:13:36 | otherAp ... h", rh) | irrelevant | tst.js:13:1:13:36 | otherAp ... h", rh) | irrelevant |

10
javascript/ql/test/experimental/PoI/ServerPoIConfiguration.ql Normal file
View File

@@ -0,0 +1,10 @@
/**
* @kind problem
*/
import javascript
import experimental.poi.PoI
class MyServerRelatedPoIs extends ServerRelatedPoI, ActivePoI { }
query predicate problems = alertQuery/6;

3
javascript/ql/test/experimental/PoI/ServerPoIs.expected Normal file
View File

@@ -0,0 +1,3 @@
| tst.js:6:1:6:16 | (req, res) => 42 | UnpromotedRouteHandlerPoI | tst.js:6:1:6:16 | (req, res) => 42 | irrelevant | tst.js:6:1:6:16 | (req, res) => 42 | irrelevant |
| tst.js:6:1:6:16 | (req, res) => 42 | UnpromotedRouteHandlerWithFlowPoI: $@ | tst.js:6:1:6:16 | (req, res) => 42 | ends here | tst.js:6:1:6:16 | (req, res) => 42 | irrelevant |
| tst.js:13:1:13:36 | otherAp ... h", rh) | UnpromotedRouteSetupPoI | tst.js:13:1:13:36 | otherAp ... h", rh) | irrelevant | tst.js:13:1:13:36 | otherAp ... h", rh) | irrelevant |

10
javascript/ql/test/experimental/PoI/ServerPoIs.ql Normal file
View File

@@ -0,0 +1,10 @@
/**
* @kind problem
*/
import javascript
import experimental.poi.PoI
class MyServerRelatedPoI extends ServerRelatedPoI, ActivePoI { }
query predicate problems = alertQuery/6;

6
javascript/ql/test/experimental/PoI/TaintedPathPoIConfiguration.expected Normal file
View File

@@ -0,0 +1,6 @@
| tst.js:1:23:1:31 | "express" | SinkPoI | tst.js:1:23:1:31 | "express" | irrelevant | tst.js:1:23:1:31 | "express" | irrelevant |
| tst.js:2:16:2:19 | "fs" | SinkPoI | tst.js:2:16:2:19 | "fs" | irrelevant | tst.js:2:16:2:19 | "fs" | irrelevant |
| tst.js:3:16:3:30 | "child_process" | SinkPoI | tst.js:3:16:3:30 | "child_process" | irrelevant | tst.js:3:16:3:30 | "child_process" | irrelevant |
| tst.js:16:15:16:25 | req.query.x | SourcePoI | tst.js:16:15:16:25 | req.query.x | irrelevant | tst.js:16:15:16:25 | req.query.x | irrelevant |
| tst.js:17:11:17:21 | req.query.x | SourcePoI | tst.js:17:11:17:21 | req.query.x | irrelevant | tst.js:17:11:17:21 | req.query.x | irrelevant |
| tst.js:18:12:18:22 | req.query.x | SourcePoI | tst.js:18:12:18:22 | req.query.x | irrelevant | tst.js:18:12:18:22 | req.query.x | irrelevant |

11
javascript/ql/test/experimental/PoI/TaintedPathPoIConfiguration.ql Normal file
View File

@@ -0,0 +1,11 @@
/**
* @kind problem
*/
import javascript
import experimental.poi.PoI
import semmle.javascript.security.dataflow.TaintedPath
class MyDataflowRelatedPoIs extends DataFlowConfigurationPoI, ActivePoI { }
query predicate problems = alertQuery/6;

9
javascript/ql/test/experimental/PoI/TestCustomPoIs.expected Normal file
View File

@@ -0,0 +1,9 @@
| tst.js:8:1:8:44 | app.get ... es) {}) | RouteSetupAndRouterAndRouteHandlerPoI: $@ $@ | tst.js:4:11:4:19 | express() | router | tst.js:8:23:8:43 | functio ... res) {} | routehandler |
| tst.js:8:23:8:43 | functio ... res) {} | RouteHandlerAndSetupPoI: $@ | tst.js:8:1:8:44 | app.get ... es) {}) | setup | tst.js:8:23:8:43 | functio ... res) {} | irrelevant |
| tst.js:8:23:8:43 | functio ... res) {} | RouteHandlerPoI | tst.js:8:23:8:43 | functio ... res) {} | irrelevant | tst.js:8:23:8:43 | functio ... res) {} | irrelevant |
| tst.js:10:10:10:30 | functio ... res) {} | RouteHandlerAndSetupPoI: $@ | tst.js:11:1:11:31 | app.get ... h", rh) | setup | tst.js:10:10:10:30 | functio ... res) {} | irrelevant |
| tst.js:10:10:10:30 | functio ... res) {} | RouteHandlerPoI | tst.js:10:10:10:30 | functio ... res) {} | irrelevant | tst.js:10:10:10:30 | functio ... res) {} | irrelevant |
| tst.js:11:1:11:31 | app.get ... h", rh) | RouteSetupAndRouterAndRouteHandlerPoI: $@ $@ | tst.js:4:11:4:19 | express() | router | tst.js:10:10:10:30 | functio ... res) {} | routehandler |
| tst.js:15:1:19:2 | app.get ... .x);\\n}) | RouteSetupAndRouterAndRouteHandlerPoI: $@ $@ | tst.js:4:11:4:19 | express() | router | tst.js:15:23:19:1 | functio ... y.x);\\n} | routehandler |
| tst.js:15:23:19:1 | functio ... y.x);\\n} | RouteHandlerAndSetupPoI: $@ | tst.js:15:1:19:2 | app.get ... .x);\\n}) | setup | tst.js:15:23:19:1 | functio ... y.x);\\n} | irrelevant |
| tst.js:15:23:19:1 | functio ... y.x);\\n} | RouteHandlerPoI | tst.js:15:23:19:1 | functio ... y.x);\\n} | irrelevant | tst.js:15:23:19:1 | functio ... y.x);\\n} | irrelevant |

34
javascript/ql/test/experimental/PoI/TestCustomPoIs.ql Normal file
View File

@@ -0,0 +1,34 @@
/**
* @kind problem
*/
import javascript
import experimental.poi.PoI
import DataFlow
class RouteHandlerPoI extends ActivePoI {
RouteHandlerPoI() { this = "RouteHandlerPoI" }
override predicate is(Node l0) { l0 instanceof Express::RouteHandler }
}
class RouteHandlerAndSetupPoI extends ActivePoI {
RouteHandlerAndSetupPoI() { this = "RouteHandlerAndSetupPoI" }
override predicate is(Node l0, Node l1, string t1) {
l1.asExpr().(Express::RouteSetup).getARouteHandler() = l0 and t1 = "setup"
}
}
class RouteSetupAndRouterAndRouteHandlerPoI extends ActivePoI {
RouteSetupAndRouterAndRouteHandlerPoI() { this = "RouteSetupAndRouterAndRouteHandlerPoI" }
override predicate is(Node l0, Node l1, string t1, Node l2, string t2) {
l0.asExpr().(Express::RouteSetup).getRouter().flow() = l1 and
t1 = "router" and
l0.asExpr().(Express::RouteSetup).getARouteHandler() = l2 and
t2 = "routehandler"
}
}
query predicate problems = alertQuery/6;

1
javascript/ql/test/experimental/PoI/TestStandardPoIs.expected Normal file
View File

@@ -0,0 +1 @@
| tst.js:6:1:6:16 | (req, res) => 42 | UnpromotedRouteHandlerPoI | tst.js:6:1:6:16 | (req, res) => 42 | irrelevant | tst.js:6:1:6:16 | (req, res) => 42 | irrelevant |

10
javascript/ql/test/experimental/PoI/TestStandardPoIs.ql Normal file
View File

@@ -0,0 +1,10 @@
/**
* @kind problem
*/
import javascript
import experimental.poi.PoI
class MyUnpromotedRouteHandlerPoIs extends UnpromotedRouteHandlerPoI, ActivePoI { }
query predicate problems = alertQuery/6;

4
javascript/ql/test/experimental/PoI/XssPoIConfiguration.expected Normal file
View File

@@ -0,0 +1,4 @@
| tst.js:16:15:16:25 | req.query.x | SourcePoI | tst.js:16:15:16:25 | req.query.x | irrelevant | tst.js:16:15:16:25 | req.query.x | irrelevant |
| tst.js:17:11:17:21 | req.query.x | SourcePoI | tst.js:17:11:17:21 | req.query.x | irrelevant | tst.js:17:11:17:21 | req.query.x | irrelevant |
| tst.js:18:12:18:22 | req.query.x | SinkPoI | tst.js:18:12:18:22 | req.query.x | irrelevant | tst.js:18:12:18:22 | req.query.x | irrelevant |
| tst.js:18:12:18:22 | req.query.x | SourcePoI | tst.js:18:12:18:22 | req.query.x | irrelevant | tst.js:18:12:18:22 | req.query.x | irrelevant |

14
javascript/ql/test/experimental/PoI/XssPoIConfiguration.ql Normal file
View File

@@ -0,0 +1,14 @@
/**
* @kind problem
*/
import javascript
import experimental.poi.PoI
import semmle.javascript.security.dataflow.ReflectedXss
import semmle.javascript.security.dataflow.StoredXss
import semmle.javascript.security.dataflow.DomBasedXss
import semmle.javascript.security.dataflow.ExceptionXss
class MyDataFlowConfigurationPoIs extends DataFlowConfigurationPoI, ActivePoI { }
query predicate problems = alertQuery/6;

19
javascript/ql/test/experimental/PoI/tst.js Normal file
View File

@@ -0,0 +1,19 @@
var express = require("express"),
fs = require("fs"),
cp = require("child_process");
var app = express();
(req, res) => 42;
app.get("/some/path", function(req, res) {});
let rh = function(req, res) {};
app.get("/some/other/path", rh);
otherApp.get("/some/other/path", rh);
app.get("/some/path", function(req, res) {
fs.readFile(req.query.x);
cp.exec(req.query.x);
res.send(req.query.x);
});