JS: Port HostHeaderPoisoningInEmailGeneration

2026-04-30 11:15:13 +02:00 · 2023-10-05 09:19:32 +02:00
parent bc88f50a5f
commit 8715c1b324
3 changed files with 30 additions and 20 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HostHeaderPoisoningInEmailGenerationQuery.qll
@@ -6,9 +6,28 @@
 import javascript

 /**
- * A taint tracking configuration for host header poisoning in email generation.
+ * A taint tracking configuration for host header poisoning.
 */
-class Configuration extends TaintTracking::Configuration {
+module HostHeaderPoisoningConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    exists(Http::RequestHeaderAccess input | node = input |
+      input.getKind() = "header" and
+      input.getAHeaderName() = "host"
+    )
+  }
+
+  predicate isSink(DataFlow::Node node) { exists(EmailSender email | node = email.getABody()) }
+}
+
+/**
+ * Taint tracking configuration host header poisoning.
+ */
+module HostHeaderPoisoningFlow = TaintTracking::Global<HostHeaderPoisoningConfig>;
+
+/**
+ * DEPRECATED. Use the `HostHeaderPoisoningFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "TaintedHostHeader" }

  override predicate isSource(DataFlow::Node node) {