JavaScript: Address review comments.

2026-04-29 02:35:15 +02:00 · 2018-09-27 12:50:37 +01:00
parent a8a8754c89
commit 86ee58d019
2 changed files with 8 additions and 14 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll
@@ -282,7 +282,7 @@ class PathSummary extends TPathSummary {
    result = hasCall
  }

-  /** Gets the flow label describing data at the end of this flow path. */
+  /** Gets the flow label describing the value at the end of this flow path. */
  FlowLabel getEndLabel() {
    result = end
  }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirect.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirect.qll
@@ -44,9 +44,6 @@ module ClientSideUrlRedirect {
    }

    override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
-      source instanceof RemoteFlowSource and
-      lbl = DataFlow::FlowLabel::taint()
-      or
      isDocumentURL(source.asExpr()) and
      lbl instanceof DocumentUrl
    }
@@ -55,11 +52,6 @@ module ClientSideUrlRedirect {
      sink instanceof Sink
    }

-    override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel f) {
-      sink instanceof UrlSink and
-      f = DataFlow::FlowLabel::taint()
-    }
-
    override predicate isSanitizer(DataFlow::Node node) {
      super.isSanitizer(node) or
      node instanceof Sanitizer
@@ -76,6 +68,11 @@ module ClientSideUrlRedirect {
    }
  }

+  /** A source of remote user input, considered as a flow source for unvalidated URL redirects. */
+  class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  }
+
  /**
   * Holds if `queryAccess` is an expression that may access the query string
   * of a URL that flows into `nd` (that is, the part after the `?`).
@@ -105,13 +102,10 @@ module ClientSideUrlRedirect {
    )
  }

-  abstract class UrlSink extends DataFlow::Node {
-  }
-
  /**
   * A sink which is used to set the window location.
   */
-  class LocationSink extends UrlSink, DataFlow::ValueNode {
+  class LocationSink extends Sink, DataFlow::ValueNode {
    LocationSink() {
      // A call to a `window.navigate` or `window.open`
      exists (string name |
@@ -152,7 +146,7 @@ module ClientSideUrlRedirect {
  /**
   * An expression that may be interpreted as the URL of a script.
   */
-  abstract class ScriptUrlSink extends UrlSink {
+  abstract class ScriptUrlSink extends Sink {
  }

  /**