JavaScript: Autoformat
@@ -317,7 +317,8 @@ abstract class OtherModeledArgumentCharacteristic extends EndpointCharacteristic
|
||||
* A characteristic that is an indicator of not being a sink of any type, because it's an argument to a function of a
|
||||
* builtin object.
|
||||
*/
|
||||
abstract private class ArgumentToBuiltinFunctionCharacteristic extends OtherModeledArgumentCharacteristic {
|
||||
abstract private class ArgumentToBuiltinFunctionCharacteristic extends OtherModeledArgumentCharacteristic
|
||||
{
|
||||
bindingset[this]
|
||||
ArgumentToBuiltinFunctionCharacteristic() { any() }
|
||||
}
|
||||
@@ -358,7 +359,8 @@ abstract class LikelyNotASinkCharacteristic extends EndpointCharacteristic {
|
||||
}
|
||||
|
||||
private class LodashUnderscoreCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
LodashUnderscoreCharacteristic() { this = "LodashUnderscoreArgument" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -367,7 +369,8 @@ private class LodashUnderscoreCharacteristic extends NotASinkCharacteristic,
|
||||
}
|
||||
|
||||
private class JQueryArgumentCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
JQueryArgumentCharacteristic() { this = "JQueryArgument" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -376,7 +379,8 @@ private class JQueryArgumentCharacteristic extends NotASinkCharacteristic,
|
||||
}
|
||||
|
||||
private class ClientRequestCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
ClientRequestCharacteristic() { this = "ClientRequest" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -387,7 +391,8 @@ private class ClientRequestCharacteristic extends NotASinkCharacteristic,
|
||||
}
|
||||
|
||||
private class PromiseDefinitionCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
PromiseDefinitionCharacteristic() { this = "PromiseDefinition" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -398,14 +403,16 @@ private class PromiseDefinitionCharacteristic extends NotASinkCharacteristic,
|
||||
}
|
||||
|
||||
private class CryptographicKeyCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
CryptographicKeyCharacteristic() { this = "CryptographicKey" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) { n instanceof CryptographicKey }
|
||||
}
|
||||
|
||||
private class CryptographicOperationFlowCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
CryptographicOperationFlowCharacteristic() { this = "CryptographicOperationFlow" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -414,7 +421,8 @@ private class CryptographicOperationFlowCharacteristic extends NotASinkCharacter
|
||||
}
|
||||
|
||||
private class LoggerMethodCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
LoggerMethodCharacteristic() { this = "LoggerMethod" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -425,7 +433,8 @@ private class LoggerMethodCharacteristic extends NotASinkCharacteristic,
|
||||
}
|
||||
|
||||
private class TimeoutCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
TimeoutCharacteristic() { this = "Timeout" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -436,7 +445,8 @@ private class TimeoutCharacteristic extends NotASinkCharacteristic,
|
||||
}
|
||||
|
||||
private class ReceiverStorageCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
ReceiverStorageCharacteristic() { this = "ReceiverStorage" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -447,7 +457,8 @@ private class ReceiverStorageCharacteristic extends NotASinkCharacteristic,
|
||||
}
|
||||
|
||||
private class StringStartsWithCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
StringStartsWithCharacteristic() { this = "StringStartsWith" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -458,7 +469,8 @@ private class StringStartsWithCharacteristic extends NotASinkCharacteristic,
|
||||
}
|
||||
|
||||
private class StringEndsWithCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
StringEndsWithCharacteristic() { this = "StringEndsWith" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -467,7 +479,8 @@ private class StringEndsWithCharacteristic extends NotASinkCharacteristic,
|
||||
}
|
||||
|
||||
private class StringRegExpTestCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
StringRegExpTestCharacteristic() { this = "StringRegExpTest" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -478,7 +491,8 @@ private class StringRegExpTestCharacteristic extends NotASinkCharacteristic,
|
||||
}
|
||||
|
||||
private class EventRegistrationCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
EventRegistrationCharacteristic() { this = "EventRegistration" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -487,7 +501,8 @@ private class EventRegistrationCharacteristic extends NotASinkCharacteristic,
|
||||
}
|
||||
|
||||
private class EventDispatchCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
EventDispatchCharacteristic() { this = "EventDispatch" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -496,7 +511,8 @@ private class EventDispatchCharacteristic extends NotASinkCharacteristic,
|
||||
}
|
||||
|
||||
private class MembershipCandidateTestCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
MembershipCandidateTestCharacteristic() { this = "MembershipCandidateTest" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -507,7 +523,8 @@ private class MembershipCandidateTestCharacteristic extends NotASinkCharacterist
|
||||
}
|
||||
|
||||
private class FileSystemAccessCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
FileSystemAccessCharacteristic() { this = "FileSystemAccess" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -516,7 +533,8 @@ private class FileSystemAccessCharacteristic extends NotASinkCharacteristic,
|
||||
}
|
||||
|
||||
private class DatabaseAccessCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
DatabaseAccessCharacteristic() { this = "DatabaseAccess" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -540,7 +558,8 @@ private class DomCharacteristic extends NotASinkCharacteristic, OtherModeledArgu
|
||||
}
|
||||
|
||||
private class NextFunctionCallCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
NextFunctionCallCharacteristic() { this = "NextFunctionCall" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -552,7 +571,8 @@ private class NextFunctionCallCharacteristic extends NotASinkCharacteristic,
|
||||
}
|
||||
|
||||
private class DojoRequireCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
DojoRequireCharacteristic() { this = "DojoRequire" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -563,7 +583,8 @@ private class DojoRequireCharacteristic extends NotASinkCharacteristic,
|
||||
}
|
||||
|
||||
private class Base64ManipulationCharacteristic extends NotASinkCharacteristic,
|
||||
OtherModeledArgumentCharacteristic {
|
||||
OtherModeledArgumentCharacteristic
|
||||
{
|
||||
Base64ManipulationCharacteristic() { this = "Base64Manipulation" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -573,7 +594,8 @@ private class Base64ManipulationCharacteristic extends NotASinkCharacteristic,
|
||||
}
|
||||
|
||||
private class ArgumentToArrayCharacteristic extends ArgumentToBuiltinFunctionCharacteristic,
|
||||
LikelyNotASinkCharacteristic {
|
||||
LikelyNotASinkCharacteristic
|
||||
{
|
||||
ArgumentToArrayCharacteristic() { this = "ArgumentToArray" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -588,7 +610,8 @@ private class ArgumentToArrayCharacteristic extends ArgumentToBuiltinFunctionCha
|
||||
}
|
||||
|
||||
private class ArgumentToBuiltinGlobalVarRefCharacteristic extends ArgumentToBuiltinFunctionCharacteristic,
|
||||
LikelyNotASinkCharacteristic {
|
||||
LikelyNotASinkCharacteristic
|
||||
{
|
||||
ArgumentToBuiltinGlobalVarRefCharacteristic() { this = "ArgumentToBuiltinGlobalVarRef" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -607,7 +630,8 @@ private class ArgumentToBuiltinGlobalVarRefCharacteristic extends ArgumentToBuil
|
||||
}
|
||||
|
||||
private class ConstantReceiverCharacteristic extends ArgumentToBuiltinFunctionCharacteristic,
|
||||
NotASinkCharacteristic {
|
||||
NotASinkCharacteristic
|
||||
{
|
||||
ConstantReceiverCharacteristic() { this = "ConstantReceiver" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -623,7 +647,8 @@ private class ConstantReceiverCharacteristic extends ArgumentToBuiltinFunctionCh
|
||||
}
|
||||
|
||||
private class BuiltinCallNameCharacteristic extends ArgumentToBuiltinFunctionCharacteristic,
|
||||
NotASinkCharacteristic {
|
||||
NotASinkCharacteristic
|
||||
{
|
||||
BuiltinCallNameCharacteristic() { this = "BuiltinCallName" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -684,7 +709,8 @@ class IsArgumentToModeledFunctionCharacteristic extends StandardEndpointFilterCh
|
||||
}
|
||||
}
|
||||
|
||||
private class IsArgumentToSinklessLibraryCharacteristic extends StandardEndpointFilterCharacteristic {
|
||||
private class IsArgumentToSinklessLibraryCharacteristic extends StandardEndpointFilterCharacteristic
|
||||
{
|
||||
IsArgumentToSinklessLibraryCharacteristic() { this = "argument to sinkless library" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -750,7 +776,8 @@ private class InIrrelevantFileCharacteristic extends StandardEndpointFilterChara
|
||||
}
|
||||
|
||||
/** An EndpointFilterCharacteristic that indicates that an endpoint is unlikely to be a NoSQL injection sink. */
|
||||
abstract private class NosqlInjectionSinkEndpointFilterCharacteristic extends EndpointFilterCharacteristic {
|
||||
abstract private class NosqlInjectionSinkEndpointFilterCharacteristic extends EndpointFilterCharacteristic
|
||||
{
|
||||
bindingset[this]
|
||||
NosqlInjectionSinkEndpointFilterCharacteristic() { any() }
|
||||
|
||||
@@ -763,7 +790,8 @@ abstract private class NosqlInjectionSinkEndpointFilterCharacteristic extends En
|
||||
}
|
||||
}
|
||||
|
||||
private class DatabaseAccessCallHeuristicCharacteristic extends NosqlInjectionSinkEndpointFilterCharacteristic {
|
||||
private class DatabaseAccessCallHeuristicCharacteristic extends NosqlInjectionSinkEndpointFilterCharacteristic
|
||||
{
|
||||
DatabaseAccessCallHeuristicCharacteristic() { this = "matches database access call heuristic" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -794,7 +822,8 @@ private class ModeledSinkCharacteristic extends NosqlInjectionSinkEndpointFilter
|
||||
}
|
||||
}
|
||||
|
||||
private class PredecessorInModeledFlowStepCharacteristic extends NosqlInjectionSinkEndpointFilterCharacteristic {
|
||||
private class PredecessorInModeledFlowStepCharacteristic extends NosqlInjectionSinkEndpointFilterCharacteristic
|
||||
{
|
||||
PredecessorInModeledFlowStepCharacteristic() { this = "predecessor in a modeled flow step" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -805,7 +834,8 @@ private class PredecessorInModeledFlowStepCharacteristic extends NosqlInjectionS
|
||||
}
|
||||
}
|
||||
|
||||
private class ModeledDatabaseAccessCharacteristic extends NosqlInjectionSinkEndpointFilterCharacteristic {
|
||||
private class ModeledDatabaseAccessCharacteristic extends NosqlInjectionSinkEndpointFilterCharacteristic
|
||||
{
|
||||
ModeledDatabaseAccessCharacteristic() { this = "modeled database access" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -818,7 +848,8 @@ private class ModeledDatabaseAccessCharacteristic extends NosqlInjectionSinkEndp
|
||||
}
|
||||
}
|
||||
|
||||
private class ReceiverIsHttpRequestExpressionCharacteristic extends NosqlInjectionSinkEndpointFilterCharacteristic {
|
||||
private class ReceiverIsHttpRequestExpressionCharacteristic extends NosqlInjectionSinkEndpointFilterCharacteristic
|
||||
{
|
||||
ReceiverIsHttpRequestExpressionCharacteristic() { this = "receiver is a HTTP request expression" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -829,7 +860,8 @@ private class ReceiverIsHttpRequestExpressionCharacteristic extends NosqlInjecti
|
||||
}
|
||||
}
|
||||
|
||||
private class ReceiverIsHttpResponseExpressionCharacteristic extends NosqlInjectionSinkEndpointFilterCharacteristic {
|
||||
private class ReceiverIsHttpResponseExpressionCharacteristic extends NosqlInjectionSinkEndpointFilterCharacteristic
|
||||
{
|
||||
ReceiverIsHttpResponseExpressionCharacteristic() {
|
||||
this = "receiver is a HTTP response expression"
|
||||
}
|
||||
@@ -842,7 +874,8 @@ private class ReceiverIsHttpResponseExpressionCharacteristic extends NosqlInject
|
||||
}
|
||||
}
|
||||
|
||||
private class NotDirectArgumentToLikelyExternalLibraryCallOrHeuristicSinkNosqlCharacteristic extends NosqlInjectionSinkEndpointFilterCharacteristic {
|
||||
private class NotDirectArgumentToLikelyExternalLibraryCallOrHeuristicSinkNosqlCharacteristic extends NosqlInjectionSinkEndpointFilterCharacteristic
|
||||
{
|
||||
NotDirectArgumentToLikelyExternalLibraryCallOrHeuristicSinkNosqlCharacteristic() {
|
||||
this = "not a direct argument to a likely external library call or a heuristic sink (nosql)"
|
||||
}
|
||||
@@ -885,7 +918,8 @@ private class NotDirectArgumentToLikelyExternalLibraryCallOrHeuristicSinkNosqlCh
|
||||
}
|
||||
|
||||
/** An EndpointFilterCharacteristic that indicates that an endpoint is unlikely to be a SQL injection sink. */
|
||||
abstract private class SqlInjectionSinkEndpointFilterCharacteristic extends EndpointFilterCharacteristic {
|
||||
abstract private class SqlInjectionSinkEndpointFilterCharacteristic extends EndpointFilterCharacteristic
|
||||
{
|
||||
bindingset[this]
|
||||
SqlInjectionSinkEndpointFilterCharacteristic() { any() }
|
||||
|
||||
@@ -898,7 +932,8 @@ abstract private class SqlInjectionSinkEndpointFilterCharacteristic extends Endp
|
||||
}
|
||||
}
|
||||
|
||||
private class PreparedSqlStatementCharacteristic extends SqlInjectionSinkEndpointFilterCharacteristic {
|
||||
private class PreparedSqlStatementCharacteristic extends SqlInjectionSinkEndpointFilterCharacteristic
|
||||
{
|
||||
PreparedSqlStatementCharacteristic() { this = "prepared SQL statement" }
|
||||
|
||||
override predicate appliesToEndpoint(DataFlow::Node n) {
|
||||
@@ -932,7 +967,8 @@ private class HtmlOrRenderingCharacteristic extends SqlInjectionSinkEndpointFilt
|
||||
}
|
||||
}
|
||||
|
||||
private class NotAnArgumentToLikelyExternalLibraryCallOrHeuristicSinkCharacteristic extends SqlInjectionSinkEndpointFilterCharacteristic {
|
||||
private class NotAnArgumentToLikelyExternalLibraryCallOrHeuristicSinkCharacteristic extends SqlInjectionSinkEndpointFilterCharacteristic
|
||||
{
|
||||
NotAnArgumentToLikelyExternalLibraryCallOrHeuristicSinkCharacteristic() {
|
||||
this = "not an argument to a likely external library call or a heuristic sink"
|
||||
}
|
||||
@@ -956,7 +992,8 @@ private class NotAnArgumentToLikelyExternalLibraryCallOrHeuristicSinkCharacteris
|
||||
}
|
||||
|
||||
/** An EndpointFilterCharacteristic that indicates that an endpoint is unlikely to be a tainted path injection sink. */
|
||||
abstract private class TaintedPathSinkEndpointFilterCharacteristic extends EndpointFilterCharacteristic {
|
||||
abstract private class TaintedPathSinkEndpointFilterCharacteristic extends EndpointFilterCharacteristic
|
||||
{
|
||||
bindingset[this]
|
||||
TaintedPathSinkEndpointFilterCharacteristic() { any() }
|
||||
|
||||
@@ -969,7 +1006,8 @@ abstract private class TaintedPathSinkEndpointFilterCharacteristic extends Endpo
|
||||
}
|
||||
}
|
||||
|
||||
private class NotDirectArgumentToLikelyExternalLibraryCallOrHeuristicSinkTaintedPathCharacteristic extends TaintedPathSinkEndpointFilterCharacteristic {
|
||||
private class NotDirectArgumentToLikelyExternalLibraryCallOrHeuristicSinkTaintedPathCharacteristic extends TaintedPathSinkEndpointFilterCharacteristic
|
||||
{
|
||||
NotDirectArgumentToLikelyExternalLibraryCallOrHeuristicSinkTaintedPathCharacteristic() {
|
||||
this =
|
||||
"not a direct argument to a likely external library call or a heuristic sink (tainted path)"
|
||||
@@ -1021,7 +1059,8 @@ abstract private class XssSinkEndpointFilterCharacteristic extends EndpointFilte
|
||||
}
|
||||
}
|
||||
|
||||
private class SetStateCallsInReactApplicationsCharacteristic extends XssSinkEndpointFilterCharacteristic {
|
||||
private class SetStateCallsInReactApplicationsCharacteristic extends XssSinkEndpointFilterCharacteristic
|
||||
{
|
||||
SetStateCallsInReactApplicationsCharacteristic() {
|
||||
this = "setState calls ought to be safe in react applications"
|
||||
}
|
||||
@@ -1031,7 +1070,8 @@ private class SetStateCallsInReactApplicationsCharacteristic extends XssSinkEndp
|
||||
}
|
||||
}
|
||||
|
||||
private class NotDirectArgumentToLikelyExternalLibraryCallOrHeuristicSinkXssCharacteristic extends XssSinkEndpointFilterCharacteristic {
|
||||
private class NotDirectArgumentToLikelyExternalLibraryCallOrHeuristicSinkXssCharacteristic extends XssSinkEndpointFilterCharacteristic
|
||||
{
|
||||
NotDirectArgumentToLikelyExternalLibraryCallOrHeuristicSinkXssCharacteristic() {
|
||||
this = "not a direct argument to a likely external library call or a heuristic sink (xss)"
|
||||
}
|
||||
|
||||
@@ -204,7 +204,8 @@ class FileImports extends EndpointFeature, TFileImports {
|
||||
* will be treated by tokenization as if they were spaces.
|
||||
*/
|
||||
class ContextSurroundingFunctionParameters extends EndpointFeature,
|
||||
TContextSurroundingFunctionParameters {
|
||||
TContextSurroundingFunctionParameters
|
||||
{
|
||||
override string getName() { result = "contextSurroundingFunctionParameters" }
|
||||
|
||||
Function getRelevantFunction(DataFlow::Node endpoint) {
|
||||
|
||||
@@ -64,7 +64,8 @@ class TaintedPathSinkType extends EndpointType, TTaintedPathSinkType {
|
||||
|
||||
/** The `ShellCommandInjectionFromEnvironmentSink` class that can be predicted by endpoint scoring models. */
|
||||
class ShellCommandInjectionFromEnvironmentSinkType extends EndpointType,
|
||||
TShellCommandInjectionFromEnvironmentSinkType {
|
||||
TShellCommandInjectionFromEnvironmentSinkType
|
||||
{
|
||||
override string getDescription() { result = "ShellCommandInjectionFromEnvironmentSink" }
|
||||
|
||||
override int getEncoding() { result = 5 }
|
||||
|
||||
@@ -51,7 +51,8 @@ class TaintedPathAtmConfig extends AtmConfig {
|
||||
* of barrier guards, we port the barrier guards for the boosted query from the standard library to
|
||||
* sanitizer guards here.
|
||||
*/
|
||||
private class BarrierGuardNodeAsSanitizerGuardNode extends TaintTracking::LabeledSanitizerGuardNode instanceof TaintedPath::BarrierGuardNode {
|
||||
private class BarrierGuardNodeAsSanitizerGuardNode extends TaintTracking::LabeledSanitizerGuardNode instanceof TaintedPath::BarrierGuardNode
|
||||
{
|
||||
override predicate sanitizes(boolean outcome, Expr e) {
|
||||
blocks(outcome, e) or blocks(outcome, e, _)
|
||||
}
|
||||
|
||||
@@ -40,7 +40,8 @@ class DomBasedXssAtmConfig extends AtmConfig {
|
||||
private import semmle.javascript.security.dataflow.Xss::Shared as Shared
|
||||
|
||||
private class PrefixStringSanitizerActivated extends TaintTracking::SanitizerGuardNode,
|
||||
DomBasedXss::PrefixStringSanitizer {
|
||||
DomBasedXss::PrefixStringSanitizer
|
||||
{
|
||||
PrefixStringSanitizerActivated() { this = this }
|
||||
}
|
||||
|
||||
@@ -52,6 +53,7 @@ private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::Quot
|
||||
QuoteGuard() { this = this }
|
||||
}
|
||||
|
||||
private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
|
||||
private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard
|
||||
{
|
||||
ContainsHtmlGuard() { this = this }
|
||||
}
|
||||
|
||||
@@ -71,7 +71,8 @@ class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNo
|
||||
private import semmle.javascript.security.dataflow.Xss::Shared as Shared
|
||||
|
||||
private class PrefixStringSanitizer extends TaintTracking::SanitizerGuardNode,
|
||||
DomBasedXss::PrefixStringSanitizer {
|
||||
DomBasedXss::PrefixStringSanitizer
|
||||
{
|
||||
PrefixStringSanitizer() { this = this }
|
||||
}
|
||||
|
||||
@@ -83,6 +84,7 @@ private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::Quot
|
||||
QuoteGuard() { this = this }
|
||||
}
|
||||
|
||||
private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
|
||||
private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard
|
||||
{
|
||||
ContainsHtmlGuard() { this = this }
|
||||
}
|
||||
|
||||
@@ -39,6 +39,7 @@ class XssThroughDomQuery extends Query, TXssThroughDomQuery {
|
||||
}
|
||||
|
||||
class ShellCommandInjectionFromEnvironmentQuery extends Query,
|
||||
TShellCommandInjectionFromEnvironmentQuery {
|
||||
TShellCommandInjectionFromEnvironmentQuery
|
||||
{
|
||||
override string getName() { result = "ShellCommandInjectionFromEnvironment" }
|
||||
}
|
||||
|
||||
@@ -48,7 +48,8 @@ module Closure {
|
||||
* A call to a method on the `goog.` namespace, as a closure reference.
|
||||
*/
|
||||
abstract private class DefaultNamespaceRef extends DataFlow::MethodCallNode,
|
||||
ClosureNamespaceRef::Range {
|
||||
ClosureNamespaceRef::Range
|
||||
{
|
||||
DefaultNamespaceRef() { this = DataFlow::globalVarRef("goog").getAMethodCall() }
|
||||
|
||||
override string getClosureNamespace() { result = getArgument(0).getStringValue() }
|
||||
@@ -75,21 +76,22 @@ module Closure {
|
||||
/**
|
||||
* A top-level call to `goog.provide`.
|
||||
*/
|
||||
class ClosureProvideCall extends ClosureNamespaceRef, DataFlow::MethodCallNode instanceof DefaultClosureProvideCall {
|
||||
}
|
||||
class ClosureProvideCall extends ClosureNamespaceRef, DataFlow::MethodCallNode instanceof DefaultClosureProvideCall
|
||||
{ }
|
||||
|
||||
/**
|
||||
* A call to `goog.require`.
|
||||
*/
|
||||
private class DefaultClosureRequireCall extends DefaultNamespaceRef, ClosureNamespaceAccess::Range {
|
||||
private class DefaultClosureRequireCall extends DefaultNamespaceRef, ClosureNamespaceAccess::Range
|
||||
{
|
||||
DefaultClosureRequireCall() { getMethodName() = "require" }
|
||||
}
|
||||
|
||||
/**
|
||||
* A call to `goog.require`.
|
||||
*/
|
||||
class ClosureRequireCall extends ClosureNamespaceAccess, DataFlow::MethodCallNode instanceof DefaultClosureRequireCall {
|
||||
}
|
||||
class ClosureRequireCall extends ClosureNamespaceAccess, DataFlow::MethodCallNode instanceof DefaultClosureRequireCall
|
||||
{ }
|
||||
|
||||
/**
|
||||
* A top-level call to `goog.module` or `goog.declareModuleId`.
|
||||
@@ -104,8 +106,8 @@ module Closure {
|
||||
/**
|
||||
* A top-level call to `goog.module` or `goog.declareModuleId`.
|
||||
*/
|
||||
class ClosureModuleDeclaration extends ClosureNamespaceRef, DataFlow::MethodCallNode instanceof DefaultClosureModuleDeclaration {
|
||||
}
|
||||
class ClosureModuleDeclaration extends ClosureNamespaceRef, DataFlow::MethodCallNode instanceof DefaultClosureModuleDeclaration
|
||||
{ }
|
||||
|
||||
private GlobalVariable googVariable() { variables(result, "goog", any(GlobalScope sc)) }
|
||||
|
||||
|
||||
@@ -124,7 +124,8 @@ module Cryptography {
|
||||
* Extend this class to refine existing API models. If you want to model new APIs,
|
||||
* extend `CryptographicOperation::Range` instead.
|
||||
*/
|
||||
class CryptographicOperation extends SC::CryptographicOperation instanceof CryptographicOperation::Range {
|
||||
class CryptographicOperation extends SC::CryptographicOperation instanceof CryptographicOperation::Range
|
||||
{
|
||||
/**
|
||||
* DEPRECATED. This predicate has been renamed to `getAnInput`.
|
||||
*
|
||||
|
||||
@@ -63,7 +63,8 @@ module DOM {
|
||||
/**
|
||||
* An HTML element, viewed as an `ElementDefinition`.
|
||||
*/
|
||||
private class HtmlElementDefinition extends ElementDefinition, @xmlelement instanceof HTML::Element {
|
||||
private class HtmlElementDefinition extends ElementDefinition, @xmlelement instanceof HTML::Element
|
||||
{
|
||||
override string getName() { result = HTML::Element.super.getName() }
|
||||
|
||||
override AttributeDefinition getAttribute(int i) {
|
||||
@@ -127,7 +128,8 @@ module DOM {
|
||||
/**
|
||||
* An HTML attribute, viewed as an `AttributeDefinition`.
|
||||
*/
|
||||
private class HtmlAttributeDefinition extends AttributeDefinition, @xmlattribute instanceof HTML::Attribute {
|
||||
private class HtmlAttributeDefinition extends AttributeDefinition, @xmlattribute instanceof HTML::Attribute
|
||||
{
|
||||
override string getName() { result = HTML::Attribute.super.getName() }
|
||||
|
||||
override string getStringValue() { result = super.getValue() }
|
||||
@@ -138,7 +140,8 @@ module DOM {
|
||||
/**
|
||||
* A JSX attribute, viewed as an `AttributeDefinition`.
|
||||
*/
|
||||
private class JsxAttributeDefinition extends AttributeDefinition, @jsx_attribute instanceof JsxAttribute {
|
||||
private class JsxAttributeDefinition extends AttributeDefinition, @jsx_attribute instanceof JsxAttribute
|
||||
{
|
||||
override string getName() { result = JsxAttribute.super.getName() }
|
||||
|
||||
override DataFlow::Node getValueNode() {
|
||||
|
||||
@@ -37,7 +37,8 @@ import javascript
|
||||
* ```
|
||||
*/
|
||||
class Function extends @function, Parameterized, TypeParameterized, StmtContainer, Documentable,
|
||||
AST::ValueNode {
|
||||
AST::ValueNode
|
||||
{
|
||||
/** Gets the `i`th parameter of this function. */
|
||||
Parameter getParameter(int i) { result = this.getChildExpr(i) }
|
||||
|
||||
|
||||
@@ -16,8 +16,8 @@ abstract class GeneratedCodeMarkerComment extends Comment { }
|
||||
/**
|
||||
* A source mapping comment, viewed as a marker comment indicating generated code.
|
||||
*/
|
||||
private class SourceMappingCommentMarkerComment extends GeneratedCodeMarkerComment instanceof SourceMappingComment {
|
||||
}
|
||||
private class SourceMappingCommentMarkerComment extends GeneratedCodeMarkerComment instanceof SourceMappingComment
|
||||
{ }
|
||||
|
||||
/**
|
||||
* A marker comment left by a known code generator.
|
||||
|
||||
@@ -220,7 +220,8 @@ module MembershipCandidate {
|
||||
* A candidate that may be a property name of an object.
|
||||
*/
|
||||
class ObjectPropertyNameMembershipCandidate extends MembershipCandidate::Range,
|
||||
DataFlow::ValueNode {
|
||||
DataFlow::ValueNode
|
||||
{
|
||||
Expr test;
|
||||
Expr membersNode;
|
||||
|
||||
|
||||
@@ -616,7 +616,8 @@ module Bluebird {
|
||||
}
|
||||
|
||||
private class BluebirdCoroutineDefinitionAsPartialInvoke extends DataFlow::PartialInvokeNode::Range,
|
||||
BluebirdCoroutineDefinition {
|
||||
BluebirdCoroutineDefinition
|
||||
{
|
||||
override DataFlow::SourceNode getBoundFunction(DataFlow::Node callback, int boundArgs) {
|
||||
boundArgs = 0 and
|
||||
callback = this.getArgument(0) and
|
||||
|
||||
@@ -508,7 +508,8 @@ module Routing {
|
||||
/**
|
||||
* An array which has been determined to be a route node, seen as a route node with arguments.
|
||||
*/
|
||||
private class ImpliedArrayRoute extends ValueNode::WithArguments, DataFlow::ArrayCreationNode instanceof ValueNode::UseSite {
|
||||
private class ImpliedArrayRoute extends ValueNode::WithArguments, DataFlow::ArrayCreationNode instanceof ValueNode::UseSite
|
||||
{
|
||||
override DataFlow::Node getArgumentNode(int n) { result = this.getElement(n) }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -50,7 +50,8 @@ class DirectEval extends CallExpr {
|
||||
* argument as the receiver to the callback.
|
||||
*/
|
||||
private class ArrayIterationCallbackAsPartialInvoke extends DataFlow::PartialInvokeNode::Range,
|
||||
DataFlow::MethodCallNode {
|
||||
DataFlow::MethodCallNode
|
||||
{
|
||||
ArrayIterationCallbackAsPartialInvoke() {
|
||||
this.getNumArgument() = 2 and
|
||||
// Filter out library methods named 'forEach' etc
|
||||
|
||||
@@ -1470,7 +1470,8 @@ class NamespaceAccess extends TypeExpr, NamespaceRef, @namespace_access {
|
||||
* An identifier that refers to a namespace from inside a type annotation.
|
||||
*/
|
||||
class LocalNamespaceAccess extends NamespaceAccess, LexicalAccess, Identifier,
|
||||
@local_namespace_access {
|
||||
@local_namespace_access
|
||||
{
|
||||
override Identifier getIdentifier() { result = this }
|
||||
|
||||
/** Gets the local name being accessed. */
|
||||
|
||||
@@ -117,7 +117,8 @@ private class IntRefinement extends NumberRefinement, NumberLiteral {
|
||||
* A use of the global variable `undefined`, viewed as a refinement expression.
|
||||
*/
|
||||
private class UndefinedInRefinement extends RefinementCandidate,
|
||||
SyntacticConstants::UndefinedConstant {
|
||||
SyntacticConstants::UndefinedConstant
|
||||
{
|
||||
override SsaSourceVariable getARefinedVar() { none() }
|
||||
|
||||
override RefinementValue eval(RefinementContext ctxt) {
|
||||
|
||||
@@ -1005,7 +1005,8 @@ module TaintTracking {
|
||||
* Note that the `includes` method is covered by `MembershipTestSanitizer`.
|
||||
*/
|
||||
class WhitelistContainmentCallSanitizer extends AdditionalSanitizerGuardNode,
|
||||
DataFlow::MethodCallNode {
|
||||
DataFlow::MethodCallNode
|
||||
{
|
||||
WhitelistContainmentCallSanitizer() {
|
||||
this.getMethodName() = ["contains", "has", "hasOwnProperty", "hasOwn"]
|
||||
}
|
||||
|
||||
@@ -120,7 +120,8 @@ abstract class AnalyzedPropertyWrite extends DataFlow::Node {
|
||||
/**
|
||||
* Flow analysis for property writes.
|
||||
*/
|
||||
private class AnalyzedExplicitPropertyWrite extends AnalyzedPropertyWrite instanceof DataFlow::PropWrite {
|
||||
private class AnalyzedExplicitPropertyWrite extends AnalyzedPropertyWrite instanceof DataFlow::PropWrite
|
||||
{
|
||||
override predicate writes(AbstractValue base, string prop, DataFlow::AnalyzedNode source) {
|
||||
explicitPropertyWrite(this, base, prop, source)
|
||||
}
|
||||
|
||||
@@ -690,7 +690,8 @@ abstract private class CallWithAnalyzedParameters extends FunctionWithAnalyzedPa
|
||||
/**
|
||||
* Flow analysis for simple parameters of IIFEs.
|
||||
*/
|
||||
private class IifeWithAnalyzedParameters extends CallWithAnalyzedParameters instanceof ImmediatelyInvokedFunctionExpr {
|
||||
private class IifeWithAnalyzedParameters extends CallWithAnalyzedParameters instanceof ImmediatelyInvokedFunctionExpr
|
||||
{
|
||||
IifeWithAnalyzedParameters() { super.getInvocationKind() = "direct" }
|
||||
|
||||
override DataFlow::InvokeNode getAnInvocation() { result = super.getInvocation().flow() }
|
||||
@@ -711,7 +712,8 @@ private class IifeWithAnalyzedParameters extends CallWithAnalyzedParameters inst
|
||||
/**
|
||||
* Enables inter-procedural type inference for `LocalFunction`.
|
||||
*/
|
||||
private class LocalFunctionWithAnalyzedParameters extends CallWithAnalyzedParameters instanceof LocalFunction {
|
||||
private class LocalFunctionWithAnalyzedParameters extends CallWithAnalyzedParameters instanceof LocalFunction
|
||||
{
|
||||
override DataFlow::InvokeNode getAnInvocation() { result = LocalFunction.super.getAnInvocation() }
|
||||
|
||||
override predicate isIncomplete(DataFlow::Incompleteness cause) { none() }
|
||||
|
||||
@@ -226,7 +226,8 @@ abstract class ScriptDependency extends Dependency {
|
||||
/**
|
||||
* An embedded JavaScript library included inside a `<script>` tag.
|
||||
*/
|
||||
class InlineScriptDependency extends ScriptDependency, @toplevel instanceof FrameworkLibraryInstance {
|
||||
class InlineScriptDependency extends ScriptDependency, @toplevel instanceof FrameworkLibraryInstance
|
||||
{
|
||||
override predicate info(string id, string v) {
|
||||
exists(FrameworkLibrary fl |
|
||||
FrameworkLibraryInstance.super.info(fl, v) and
|
||||
@@ -248,7 +249,8 @@ class InlineScriptDependency extends ScriptDependency, @toplevel instanceof Fram
|
||||
* An external JavaScript library referenced via the `src` attribute
|
||||
* of a `<script>` tag.
|
||||
*/
|
||||
class ExternalScriptDependency extends ScriptDependency, @xmlattribute instanceof FrameworkLibraryReference {
|
||||
class ExternalScriptDependency extends ScriptDependency, @xmlattribute instanceof FrameworkLibraryReference
|
||||
{
|
||||
override predicate info(string id, string v) {
|
||||
exists(FrameworkLibrary fl |
|
||||
FrameworkLibraryReference.super.info(fl, v) and
|
||||
|
||||
@@ -346,7 +346,8 @@ private class JQueryInstance extends FrameworkLibraryInstance {
|
||||
/**
|
||||
* The jQuery Mobile framework.
|
||||
*/
|
||||
private class JQueryMobile extends FrameworkLibraryWithGenericUrl, FrameworkLibraryWithMarkerComment {
|
||||
private class JQueryMobile extends FrameworkLibraryWithGenericUrl, FrameworkLibraryWithMarkerComment
|
||||
{
|
||||
JQueryMobile() { this = "jquery-mobile" }
|
||||
|
||||
override string getAnAlias() { result = "jquery.mobile" }
|
||||
@@ -371,7 +372,8 @@ private class JQueryUI extends FrameworkLibraryWithGenericUrl, FrameworkLibraryW
|
||||
* The jQuery TextExt framework.
|
||||
*/
|
||||
private class JQueryTextExt extends FrameworkLibraryWithGenericUrl,
|
||||
FrameworkLibraryWithMarkerComment {
|
||||
FrameworkLibraryWithMarkerComment
|
||||
{
|
||||
JQueryTextExt() { this = "jquery-textext" }
|
||||
|
||||
override string getAnAlias() { result = "jquery.textext" }
|
||||
@@ -387,7 +389,8 @@ private class JQueryTextExt extends FrameworkLibraryWithGenericUrl,
|
||||
* The jQuery DataTables framework.
|
||||
*/
|
||||
private class JQueryDataTables extends FrameworkLibraryWithGenericUrl,
|
||||
FrameworkLibraryWithMarkerComment {
|
||||
FrameworkLibraryWithMarkerComment
|
||||
{
|
||||
JQueryDataTables() { this = "jquery-dataTables" }
|
||||
|
||||
override string getAnAlias() { result = "jquery.dataTables" }
|
||||
@@ -400,7 +403,8 @@ private class JQueryDataTables extends FrameworkLibraryWithGenericUrl,
|
||||
/**
|
||||
* The jQuery jsTree framework.
|
||||
*/
|
||||
private class JQueryJsTree extends FrameworkLibraryWithGenericUrl, FrameworkLibraryWithMarkerComment {
|
||||
private class JQueryJsTree extends FrameworkLibraryWithGenericUrl, FrameworkLibraryWithMarkerComment
|
||||
{
|
||||
JQueryJsTree() { this = "jquery-jstree" }
|
||||
|
||||
override string getAnAlias() { result = "jquery.jstree" }
|
||||
@@ -412,7 +416,8 @@ private class JQueryJsTree extends FrameworkLibraryWithGenericUrl, FrameworkLibr
|
||||
* The jQuery Snippet framework.
|
||||
*/
|
||||
private class JQuerySnippet extends FrameworkLibraryWithGenericUrl,
|
||||
FrameworkLibraryWithMarkerComment {
|
||||
FrameworkLibraryWithMarkerComment
|
||||
{
|
||||
JQuerySnippet() { this = "jquery-snippet" }
|
||||
|
||||
override string getAnAlias() { result = "jquery.snippet" }
|
||||
|
||||
@@ -1013,7 +1013,8 @@ private class RouteInstantiatedController extends Controller instanceof RouteSet
|
||||
/**
|
||||
* Dataflow for the arguments of AngularJS dependency-injected functions.
|
||||
*/
|
||||
private class DependencyInjectedArgumentInitializer extends DataFlow::AnalyzedNode instanceof DataFlow::ParameterNode {
|
||||
private class DependencyInjectedArgumentInitializer extends DataFlow::AnalyzedNode instanceof DataFlow::ParameterNode
|
||||
{
|
||||
DataFlow::AnalyzedNode service;
|
||||
|
||||
DependencyInjectedArgumentInitializer() {
|
||||
|
||||
@@ -93,7 +93,8 @@ abstract class InjectableFunction extends DataFlow::ValueNode {
|
||||
* An injectable function that does not explicitly list its dependencies,
|
||||
* instead relying on implicit matching by parameter names.
|
||||
*/
|
||||
private class FunctionWithImplicitDependencyAnnotation extends InjectableFunction instanceof DataFlow::FunctionNode {
|
||||
private class FunctionWithImplicitDependencyAnnotation extends InjectableFunction instanceof DataFlow::FunctionNode
|
||||
{
|
||||
FunctionWithImplicitDependencyAnnotation() {
|
||||
this.(DataFlow::FunctionNode).flowsTo(any(DependencyInjection d).getAnInjectableFunction()) and
|
||||
not exists(getAPropertyDependencyInjection(this))
|
||||
@@ -121,7 +122,8 @@ private DataFlow::PropWrite getAPropertyDependencyInjection(DataFlow::FunctionNo
|
||||
* An injectable function with an `$inject` property that lists its
|
||||
* dependencies.
|
||||
*/
|
||||
private class FunctionWithInjectProperty extends InjectableFunction instanceof DataFlow::FunctionNode {
|
||||
private class FunctionWithInjectProperty extends InjectableFunction instanceof DataFlow::FunctionNode
|
||||
{
|
||||
DataFlow::ArrayCreationNode dependencies;
|
||||
|
||||
FunctionWithInjectProperty() {
|
||||
@@ -154,7 +156,8 @@ private class FunctionWithInjectProperty extends InjectableFunction instanceof D
|
||||
/**
|
||||
* An injectable function embedded in an array of dependencies.
|
||||
*/
|
||||
private class FunctionWithExplicitDependencyAnnotation extends InjectableFunction instanceof DataFlow::ArrayCreationNode {
|
||||
private class FunctionWithExplicitDependencyAnnotation extends InjectableFunction instanceof DataFlow::ArrayCreationNode
|
||||
{
|
||||
DataFlow::FunctionNode function;
|
||||
|
||||
FunctionWithExplicitDependencyAnnotation() {
|
||||
|
||||
@@ -235,7 +235,8 @@ abstract class CustomServiceDefinition extends DataFlow::Node {
|
||||
* A definition of a custom AngularJS dependency injection service using a "recipe".
|
||||
*/
|
||||
abstract class RecipeDefinition extends DataFlow::CallNode, CustomServiceDefinition,
|
||||
DependencyInjection {
|
||||
DependencyInjection
|
||||
{
|
||||
string methodName;
|
||||
string name;
|
||||
|
||||
@@ -268,7 +269,8 @@ abstract class RecipeDefinition extends DataFlow::CallNode, CustomServiceDefinit
|
||||
* (used through `ng-controller` directives).
|
||||
*/
|
||||
abstract private class CustomSpecialServiceDefinition extends CustomServiceDefinition,
|
||||
DependencyInjection {
|
||||
DependencyInjection
|
||||
{
|
||||
override DataFlow::Node getAnInjectableFunction() { result = this.getAFactoryFunction() }
|
||||
}
|
||||
|
||||
@@ -625,7 +627,8 @@ class ProviderRecipeDefinition extends RecipeDefinition {
|
||||
}
|
||||
}
|
||||
|
||||
private class ProviderRecipeServiceInjection extends DependencyInjection instanceof ProviderRecipeDefinition {
|
||||
private class ProviderRecipeServiceInjection extends DependencyInjection instanceof ProviderRecipeDefinition
|
||||
{
|
||||
override DataFlow::Node getAnInjectableFunction() { result = super.getAService() }
|
||||
}
|
||||
|
||||
|
||||
@@ -70,7 +70,8 @@ module AsyncPackage {
|
||||
* to the first parameter of the final callback, while `result1, result2, ...` are propagated to
|
||||
* the parameters of the following task.
|
||||
*/
|
||||
private class WaterfallNextTaskCall extends DataFlow::PartialInvokeNode::Range, DataFlow::CallNode {
|
||||
private class WaterfallNextTaskCall extends DataFlow::PartialInvokeNode::Range, DataFlow::CallNode
|
||||
{
|
||||
Waterfall waterfall;
|
||||
int n;
|
||||
|
||||
|
||||
@@ -125,7 +125,8 @@ module Connect {
|
||||
/**
|
||||
* An access to a user-controlled Connect request input.
|
||||
*/
|
||||
private class RequestInputAccess extends Http::RequestInputAccess instanceof DataFlow::MethodCallNode {
|
||||
private class RequestInputAccess extends Http::RequestInputAccess instanceof DataFlow::MethodCallNode
|
||||
{
|
||||
RequestNode request;
|
||||
string kind;
|
||||
|
||||
|
||||
@@ -150,7 +150,8 @@ private module JsCookie {
|
||||
}
|
||||
|
||||
class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode,
|
||||
CookieWrites::ClientSideCookieWrite {
|
||||
CookieWrites::ClientSideCookieWrite
|
||||
{
|
||||
WriteAccess() { this = libMemberCall("set") }
|
||||
|
||||
string getKey() { this.getArgument(0).mayHaveStringValue(result) }
|
||||
@@ -192,7 +193,8 @@ private module BrowserCookies {
|
||||
}
|
||||
|
||||
class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode,
|
||||
CookieWrites::ClientSideCookieWrite {
|
||||
CookieWrites::ClientSideCookieWrite
|
||||
{
|
||||
WriteAccess() { this = libMemberCall("set") }
|
||||
|
||||
string getKey() { this.getArgument(0).mayHaveStringValue(result) }
|
||||
@@ -242,7 +244,8 @@ private module LibCookie {
|
||||
}
|
||||
|
||||
class WriteAccess extends PersistentWriteAccess, DataFlow::CallNode,
|
||||
CookieWrites::ClientSideCookieWrite {
|
||||
CookieWrites::ClientSideCookieWrite
|
||||
{
|
||||
WriteAccess() { this = libMemberCall("serialize") }
|
||||
|
||||
string getKey() { this.getArgument(0).mayHaveStringValue(result) }
|
||||
@@ -271,7 +274,8 @@ private module ExpressCookies {
|
||||
/**
|
||||
* A cookie set using `response.cookie` from `express` module (https://expressjs.com/en/api.html#res.cookie).
|
||||
*/
|
||||
private class InsecureExpressCookieResponse extends CookieWrites::CookieWrite instanceof Express::SetCookie {
|
||||
private class InsecureExpressCookieResponse extends CookieWrites::CookieWrite instanceof Express::SetCookie
|
||||
{
|
||||
override predicate isSecure() {
|
||||
// A cookie is secure if there are cookie options with the `secure` flag set to `true`.
|
||||
// The default is `false`.
|
||||
@@ -299,7 +303,8 @@ private module ExpressCookies {
|
||||
* A cookie set using the `express` module `cookie-session` (https://github.com/expressjs/cookie-session).
|
||||
*/
|
||||
class InsecureCookieSession extends ExpressLibraries::CookieSession::MiddlewareInstance,
|
||||
CookieWrites::CookieWrite {
|
||||
CookieWrites::CookieWrite
|
||||
{
|
||||
private DataFlow::Node getCookieFlagValue(string flag) {
|
||||
result = this.getOptionArgument(0, flag)
|
||||
}
|
||||
@@ -327,7 +332,8 @@ private module ExpressCookies {
|
||||
* A cookie set using the `express` module `express-session` (https://github.com/expressjs/session).
|
||||
*/
|
||||
class InsecureExpressSessionCookie extends ExpressLibraries::ExpressSession::MiddlewareInstance,
|
||||
CookieWrites::CookieWrite {
|
||||
CookieWrites::CookieWrite
|
||||
{
|
||||
private DataFlow::Node getCookieFlagValue(string flag) {
|
||||
result = this.getOption("cookie").getALocalSource().getAPropertyWrite(flag).getRhs()
|
||||
}
|
||||
|
||||
@@ -120,7 +120,8 @@ module Electron {
|
||||
* except that values can be returned through the `event.returnValue` property.
|
||||
*/
|
||||
class IpcSendRegistration extends EventRegistration::DefaultEventRegistration,
|
||||
DataFlow::MethodCallNode {
|
||||
DataFlow::MethodCallNode
|
||||
{
|
||||
override Process emitter;
|
||||
|
||||
IpcSendRegistration() { this = emitter.ref().getAMethodCall(EventEmitter::on()) }
|
||||
@@ -178,8 +179,8 @@ module Electron {
|
||||
/**
|
||||
* A Node.js-style HTTP or HTTPS request made using an Electron module.
|
||||
*/
|
||||
class ElectronClientRequest extends NodeJSLib::NodeJSClientRequest instanceof ElectronClientRequest::Range {
|
||||
}
|
||||
class ElectronClientRequest extends NodeJSLib::NodeJSClientRequest instanceof ElectronClientRequest::Range
|
||||
{ }
|
||||
|
||||
module ElectronClientRequest {
|
||||
/**
|
||||
|
||||
@@ -280,7 +280,8 @@ module Express {
|
||||
* The callback given to passport in PassportRouteSetup.
|
||||
*/
|
||||
private class PassportRouteHandler extends RouteHandler, Http::Servers::StandardRouteHandler,
|
||||
DataFlow::FunctionNode {
|
||||
DataFlow::FunctionNode
|
||||
{
|
||||
PassportRouteHandler() { this = any(PassportRouteSetup setup).getARouteHandler() }
|
||||
|
||||
override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {
|
||||
@@ -496,7 +497,8 @@ module Express {
|
||||
* An Express route handler installed by a route setup.
|
||||
*/
|
||||
class StandardRouteHandler extends RouteHandler, Http::Servers::StandardRouteHandler,
|
||||
DataFlow::FunctionNode {
|
||||
DataFlow::FunctionNode
|
||||
{
|
||||
RouteSetup routeSetup;
|
||||
|
||||
StandardRouteHandler() { this = routeSetup.getARouteHandler() }
|
||||
@@ -1014,7 +1016,8 @@ module Express {
|
||||
|
||||
/** A call to `response.sendFile`, considered as a file system access. */
|
||||
private class ResponseSendFileAsFileSystemAccess extends FileSystemReadAccess,
|
||||
DataFlow::MethodCallNode {
|
||||
DataFlow::MethodCallNode
|
||||
{
|
||||
ResponseSendFileAsFileSystemAccess() {
|
||||
exists(string name | name = "sendFile" or name = "sendfile" |
|
||||
this.calls(any(ResponseNode res), name)
|
||||
@@ -1038,7 +1041,8 @@ module Express {
|
||||
* A function that flows to a route setup.
|
||||
*/
|
||||
private class TrackedRouteHandlerCandidateWithSetup extends RouteHandler,
|
||||
Http::Servers::StandardRouteHandler, DataFlow::FunctionNode {
|
||||
Http::Servers::StandardRouteHandler, DataFlow::FunctionNode
|
||||
{
|
||||
RouteSetup routeSetup;
|
||||
|
||||
TrackedRouteHandlerCandidateWithSetup() { this = routeSetup.getARouteHandler() }
|
||||
@@ -1113,7 +1117,8 @@ module Express {
|
||||
* A call to the Express `res.render()` method, seen as a template instantiation.
|
||||
*/
|
||||
private class RenderCallAsTemplateInstantiation extends Templating::TemplateInstantiation::Range,
|
||||
DataFlow::CallNode {
|
||||
DataFlow::CallNode
|
||||
{
|
||||
ResponseSource res;
|
||||
|
||||
RenderCallAsTemplateInstantiation() { this = res.ref().getAMethodCall("render") }
|
||||
|
||||
@@ -18,7 +18,8 @@ module ExpressLibraries {
|
||||
/**
|
||||
* A header produced by a route handler of the "x-frame-options" module.
|
||||
*/
|
||||
class XFrameOptionsRouteHandlerHeader extends Http::ImplicitHeaderDefinition instanceof XFrameOptionsRouteHandler {
|
||||
class XFrameOptionsRouteHandlerHeader extends Http::ImplicitHeaderDefinition instanceof XFrameOptionsRouteHandler
|
||||
{
|
||||
override predicate defines(string headerName, string headerValue) {
|
||||
xFrameOptionsDefaultImplicitHeaderDefinition(headerName, headerValue)
|
||||
}
|
||||
@@ -43,7 +44,8 @@ module ExpressLibraries {
|
||||
/**
|
||||
* A header produced by a route handler of the "frameguard" module.
|
||||
*/
|
||||
class FrameGuardRouteHandlerHeader extends Http::ImplicitHeaderDefinition instanceof FrameGuardRouteHandler {
|
||||
class FrameGuardRouteHandlerHeader extends Http::ImplicitHeaderDefinition instanceof FrameGuardRouteHandler
|
||||
{
|
||||
override predicate defines(string headerName, string headerValue) {
|
||||
xFrameOptionsDefaultImplicitHeaderDefinition(headerName, headerValue)
|
||||
}
|
||||
@@ -66,7 +68,8 @@ module ExpressLibraries {
|
||||
/**
|
||||
* A header produced by a route handler of the "helmet" module.
|
||||
*/
|
||||
class HelmetRouteHandlerHeader extends Http::ImplicitHeaderDefinition instanceof HelmetRouteHandler {
|
||||
class HelmetRouteHandlerHeader extends Http::ImplicitHeaderDefinition instanceof HelmetRouteHandler
|
||||
{
|
||||
override predicate defines(string headerName, string headerValue) {
|
||||
xFrameOptionsDefaultImplicitHeaderDefinition(headerName, headerValue)
|
||||
}
|
||||
|
||||
@@ -168,7 +168,8 @@ module Fastify {
|
||||
}
|
||||
}
|
||||
|
||||
private class ShorthandRoutingTreeSetup extends Routing::RouteSetup::MethodCall instanceof RouteSetup {
|
||||
private class ShorthandRoutingTreeSetup extends Routing::RouteSetup::MethodCall instanceof RouteSetup
|
||||
{
|
||||
ShorthandRoutingTreeSetup() { not this.getMethodName() = "route" }
|
||||
|
||||
override string getRelativePath() { result = this.getArgument(0).getStringValue() }
|
||||
@@ -350,7 +351,8 @@ module Fastify {
|
||||
* An invocation that sets a single header of the HTTP response.
|
||||
*/
|
||||
private class SetOneHeader extends Http::Servers::StandardHeaderDefinition,
|
||||
DataFlow::MethodCallNode {
|
||||
DataFlow::MethodCallNode
|
||||
{
|
||||
RouteHandler rh;
|
||||
|
||||
SetOneHeader() {
|
||||
|
||||
@@ -216,7 +216,8 @@ module Firebase {
|
||||
* A function used as a route handler.
|
||||
*/
|
||||
private class RouteHandler extends Express::RouteHandler, Http::Servers::StandardRouteHandler,
|
||||
DataFlow::FunctionNode {
|
||||
DataFlow::FunctionNode
|
||||
{
|
||||
RouteHandler() { this = any(RouteSetup setup).getARouteHandler() }
|
||||
|
||||
override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {
|
||||
|
||||
@@ -436,7 +436,8 @@ module Http {
|
||||
* A standard header definition.
|
||||
*/
|
||||
abstract class StandardHeaderDefinition extends ExplicitHeaderDefinition,
|
||||
DataFlow::MethodCallNode {
|
||||
DataFlow::MethodCallNode
|
||||
{
|
||||
override predicate definesHeaderValue(string headerName, DataFlow::Node headerValue) {
|
||||
headerName = this.getNameNode().getStringValue().toLowerCase() and
|
||||
headerValue = this.getArgument(1)
|
||||
@@ -571,7 +572,8 @@ module Http {
|
||||
/**
|
||||
* An object that contains one or more potential route handlers.
|
||||
*/
|
||||
class RouteHandlerCandidateContainer extends DataFlow::Node instanceof RouteHandlerCandidateContainer::Range {
|
||||
class RouteHandlerCandidateContainer extends DataFlow::Node instanceof RouteHandlerCandidateContainer::Range
|
||||
{
|
||||
/**
|
||||
* Gets the route handler in this container that is accessed at `access`.
|
||||
*/
|
||||
@@ -671,7 +673,8 @@ module Http {
|
||||
* A collection that contains one or more route potential handlers.
|
||||
*/
|
||||
private class ContainerCollection extends Http::RouteHandlerCandidateContainer::Range,
|
||||
DataFlow::NewNode {
|
||||
DataFlow::NewNode
|
||||
{
|
||||
ContainerCollection() {
|
||||
this = DataFlow::globalVarRef("Map").getAnInstantiation() and // restrict to Map for now
|
||||
exists(DataFlow::Node use |
|
||||
|
||||
@@ -285,7 +285,8 @@ module Hapi {
|
||||
* A function that looks like a Hapi route handler and flows to a route setup.
|
||||
*/
|
||||
private class TrackedRouteHandlerCandidateWithSetup extends RouteHandler,
|
||||
Http::Servers::StandardRouteHandler, DataFlow::FunctionNode {
|
||||
Http::Servers::StandardRouteHandler, DataFlow::FunctionNode
|
||||
{
|
||||
TrackedRouteHandlerCandidateWithSetup() { this = any(RouteSetup s).getARouteHandler() }
|
||||
}
|
||||
|
||||
|
||||
@@ -470,7 +470,8 @@ module Koa {
|
||||
/**
|
||||
* An invocation of the `redirect` method of an HTTP response object.
|
||||
*/
|
||||
private class RedirectInvocation extends Http::RedirectInvocation instanceof DataFlow::MethodCallNode {
|
||||
private class RedirectInvocation extends Http::RedirectInvocation instanceof DataFlow::MethodCallNode
|
||||
{
|
||||
RouteHandler rh;
|
||||
|
||||
RedirectInvocation() { super.calls(rh.getAResponseOrContextNode(), "redirect") }
|
||||
|
||||
@@ -178,7 +178,8 @@ module LodashUnderscore {
|
||||
* still infer the ordinary abstract value.
|
||||
*/
|
||||
private class LodashCallbackAsPartialInvoke extends DataFlow::PartialInvokeNode::Range,
|
||||
DataFlow::CallNode {
|
||||
DataFlow::CallNode
|
||||
{
|
||||
int callbackIndex;
|
||||
int contextIndex;
|
||||
|
||||
|
||||
@@ -295,7 +295,8 @@ module NestJS {
|
||||
* as a source of untrusted data.
|
||||
*/
|
||||
private class NestJSRequestInputAsRequestInputAccess extends NestJSRequestInput,
|
||||
Http::RequestInputAccess {
|
||||
Http::RequestInputAccess
|
||||
{
|
||||
NestJSRequestInputAsRequestInputAccess() {
|
||||
not this.isSanitizedByPipe() and
|
||||
not this = any(CustomPipeClass cls).getAnAffectedParameter()
|
||||
@@ -316,7 +317,8 @@ module NestJS {
|
||||
}
|
||||
|
||||
private class NestJSHeaderAccess extends NestJSRequestInputAsRequestInputAccess,
|
||||
Http::RequestHeaderAccess {
|
||||
Http::RequestHeaderAccess
|
||||
{
|
||||
NestJSHeaderAccess() { decoratorName = "Headers" and decorator.getNumArgument() > 0 }
|
||||
|
||||
override string getAHeaderName() {
|
||||
|
||||
@@ -226,7 +226,8 @@ module NextJS {
|
||||
* and we therefore model the routehandler as an Express.js routehandler.
|
||||
*/
|
||||
class NextApiRouteHandler extends DataFlow::FunctionNode, Express::RouteHandler,
|
||||
Http::Servers::StandardRouteHandler {
|
||||
Http::Servers::StandardRouteHandler
|
||||
{
|
||||
NextApiRouteHandler() {
|
||||
exists(Module mod | mod.getFile().getParentContainer() = apiFolder() |
|
||||
this = mod.getAnExportedValue("default").getAFunctionValue()
|
||||
|
||||
@@ -840,7 +840,8 @@ module NodeJSLib {
|
||||
* A function that flows to a route setup.
|
||||
*/
|
||||
private class TrackedRouteHandlerCandidateWithSetup extends RouteHandler,
|
||||
Http::Servers::StandardRouteHandler, DataFlow::FunctionNode {
|
||||
Http::Servers::StandardRouteHandler, DataFlow::FunctionNode
|
||||
{
|
||||
TrackedRouteHandlerCandidateWithSetup() { this = any(RouteSetup s).getARouteHandler() }
|
||||
}
|
||||
|
||||
@@ -1163,7 +1164,8 @@ module NodeJSLib {
|
||||
* A registration of an event handler on a NodeJS EventEmitter instance.
|
||||
*/
|
||||
private class NodeJSEventRegistration extends EventRegistration::DefaultEventRegistration,
|
||||
DataFlow::MethodCallNode {
|
||||
DataFlow::MethodCallNode
|
||||
{
|
||||
override NodeJSEventEmitter emitter;
|
||||
|
||||
NodeJSEventRegistration() { this = emitter.ref().getAMethodCall(EventEmitter::on()) }
|
||||
@@ -1173,7 +1175,8 @@ module NodeJSLib {
|
||||
* A dispatch of an event on a NodeJS EventEmitter instance.
|
||||
*/
|
||||
private class NodeJSEventDispatch extends EventDispatch::DefaultEventDispatch,
|
||||
DataFlow::MethodCallNode {
|
||||
DataFlow::MethodCallNode
|
||||
{
|
||||
override NodeJSEventEmitter emitter;
|
||||
|
||||
NodeJSEventDispatch() { this = emitter.ref().getAMethodCall("emit") }
|
||||
@@ -1223,7 +1226,8 @@ module NodeJSLib {
|
||||
* A registration of an event handler on a NodeJS net server instance.
|
||||
*/
|
||||
private class NodeJSNetServerRegistration extends EventRegistration::DefaultEventRegistration,
|
||||
DataFlow::MethodCallNode {
|
||||
DataFlow::MethodCallNode
|
||||
{
|
||||
override NodeJSNetServerConnection emitter;
|
||||
|
||||
NodeJSNetServerRegistration() { this = emitter.ref().getAMethodCall(EventEmitter::on()) }
|
||||
|
||||
@@ -417,7 +417,8 @@ private class DefinitePreactComponent extends PreactComponent {
|
||||
* - has a `render` method that returns JSX or React elements.
|
||||
*/
|
||||
private class HeuristicReactPreactComponent extends ClassDefinition, PreactComponent,
|
||||
ES2015Component {
|
||||
ES2015Component
|
||||
{
|
||||
HeuristicReactPreactComponent() {
|
||||
any(DataFlow::GlobalVarRefNode c | c.getName() = "Component").flowsToExpr(getSuperClass()) and
|
||||
alwaysReturnsJsxOrReactElements(ClassDefinition.super.getInstanceMethod("render"))
|
||||
@@ -528,7 +529,8 @@ private class FactoryDefinition extends ReactElementDefinition {
|
||||
* that binds `this` of a callback.
|
||||
*/
|
||||
private class ReactCallbackPartialInvoke extends DataFlow::PartialInvokeNode::Range,
|
||||
DataFlow::CallNode {
|
||||
DataFlow::CallNode
|
||||
{
|
||||
ReactCallbackPartialInvoke() {
|
||||
exists(string name |
|
||||
// React.Children.map or React.Children.forEach
|
||||
|
||||
@@ -138,7 +138,8 @@ module Restify {
|
||||
/**
|
||||
* An access to a header on a Restify request.
|
||||
*/
|
||||
private class RequestHeaderAccess extends Http::RequestHeaderAccess instanceof DataFlow::MethodCallNode {
|
||||
private class RequestHeaderAccess extends Http::RequestHeaderAccess instanceof DataFlow::MethodCallNode
|
||||
{
|
||||
RouteHandler rh;
|
||||
|
||||
RequestHeaderAccess() {
|
||||
@@ -175,7 +176,8 @@ module Restify {
|
||||
* An invocation that sets any number of headers of the HTTP response.
|
||||
*/
|
||||
private class MultipleHeaderDefinitions extends Http::ExplicitHeaderDefinition,
|
||||
DataFlow::MethodCallNode {
|
||||
DataFlow::MethodCallNode
|
||||
{
|
||||
MultipleHeaderDefinitions() {
|
||||
// res.set({'Cache-Control': 'no-cache'})
|
||||
this.getReceiver() instanceof ResponseNode and
|
||||
@@ -416,7 +418,8 @@ module Restify {
|
||||
* A header produced by a formatter
|
||||
*/
|
||||
private class FormatterContentTypeHeader extends Http::ImplicitHeaderDefinition,
|
||||
DataFlow::FunctionNode instanceof FormatterHandler {
|
||||
DataFlow::FunctionNode instanceof FormatterHandler
|
||||
{
|
||||
string contentType;
|
||||
|
||||
FormatterContentTypeHeader() {
|
||||
@@ -437,7 +440,8 @@ module Restify {
|
||||
* A header produced by a route handler with no explicit declaration of a Content-Type.
|
||||
*/
|
||||
private class ContentTypeRouteHandlerHeader extends Http::ImplicitHeaderDefinition,
|
||||
DataFlow::FunctionNode instanceof RouteHandler {
|
||||
DataFlow::FunctionNode instanceof RouteHandler
|
||||
{
|
||||
override predicate defines(string headerName, string headerValue) {
|
||||
headerName = "content-type" and headerValue = "application/json"
|
||||
}
|
||||
|
||||
@@ -193,7 +193,8 @@ module Spife {
|
||||
/**
|
||||
* An access to a user-controlled Spife context input.
|
||||
*/
|
||||
private class ContextInputAccess extends Http::RequestInputAccess instanceof DataFlow::MethodCallNode {
|
||||
private class ContextInputAccess extends Http::RequestInputAccess instanceof DataFlow::MethodCallNode
|
||||
{
|
||||
ContextSource request;
|
||||
string kind;
|
||||
|
||||
@@ -276,7 +277,8 @@ module Spife {
|
||||
/**
|
||||
* An invocation that sets any number of headers of the HTTP response.
|
||||
*/
|
||||
private class MultipleHeaderDefinitions extends Http::ExplicitHeaderDefinition instanceof ReplyCall {
|
||||
private class MultipleHeaderDefinitions extends Http::ExplicitHeaderDefinition instanceof ReplyCall
|
||||
{
|
||||
MultipleHeaderDefinitions() {
|
||||
(
|
||||
// reply.header(RESPONSE, {'Cache-Control': 'no-cache'})
|
||||
@@ -312,7 +314,8 @@ module Spife {
|
||||
/**
|
||||
* A header produced by a route handler with no explicit declaration of a Content-Type.
|
||||
*/
|
||||
private class ContentTypeRouteHandlerHeader extends Http::ImplicitHeaderDefinition instanceof RouteHandler {
|
||||
private class ContentTypeRouteHandlerHeader extends Http::ImplicitHeaderDefinition instanceof RouteHandler
|
||||
{
|
||||
override predicate defines(string headerName, string headerValue) {
|
||||
headerName = "content-type" and headerValue = "application/json"
|
||||
}
|
||||
|
||||
@@ -11,19 +11,21 @@ private import semmle.javascript.frameworks.ConnectExpressShared
|
||||
* Add `NodeJSLib::RouteHandlerCandidate` to the extent of `NodeJSLib::RouteHandler`.
|
||||
*/
|
||||
private class PromotedNodeJSLibCandidate extends NodeJSLib::RouteHandler,
|
||||
Http::Servers::StandardRouteHandler instanceof NodeJSLib::RouteHandlerCandidate { }
|
||||
Http::Servers::StandardRouteHandler instanceof NodeJSLib::RouteHandlerCandidate
|
||||
{ }
|
||||
|
||||
/**
|
||||
* Add `Hapi::RouteHandlerCandidate` to the extent of `Hapi::RouteHandler`.
|
||||
*/
|
||||
private class PromotedHapiCandidate extends Hapi::RouteHandler, Http::Servers::StandardRouteHandler instanceof Hapi::RouteHandlerCandidate {
|
||||
}
|
||||
private class PromotedHapiCandidate extends Hapi::RouteHandler, Http::Servers::StandardRouteHandler instanceof Hapi::RouteHandlerCandidate
|
||||
{ }
|
||||
|
||||
/**
|
||||
* Add `ConnectExpressShared::RouteHandlerCandidate` to the extent of `Express::RouteHandler`.
|
||||
*/
|
||||
private class PromotedExpressCandidate extends Express::RouteHandler,
|
||||
Http::Servers::StandardRouteHandler instanceof ConnectExpressShared::RouteHandlerCandidate {
|
||||
Http::Servers::StandardRouteHandler instanceof ConnectExpressShared::RouteHandlerCandidate
|
||||
{
|
||||
override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {
|
||||
result = ConnectExpressShared::getRouteHandlerParameter(this, kind)
|
||||
}
|
||||
@@ -33,7 +35,8 @@ private class PromotedExpressCandidate extends Express::RouteHandler,
|
||||
* Add `ConnectExpressShared::RouteHandlerCandidate` to the extent of `Connect::RouteHandler`.
|
||||
*/
|
||||
private class PromotedConnectCandidate extends Connect::RouteHandler,
|
||||
Http::Servers::StandardRouteHandler instanceof ConnectExpressShared::RouteHandlerCandidate {
|
||||
Http::Servers::StandardRouteHandler instanceof ConnectExpressShared::RouteHandlerCandidate
|
||||
{
|
||||
override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {
|
||||
result = ConnectExpressShared::getRouteHandlerParameter(this, kind)
|
||||
}
|
||||
@@ -43,7 +46,8 @@ private class PromotedConnectCandidate extends Connect::RouteHandler,
|
||||
* Add `Restify::RouteHandlerCandidate` to the extent of `Restify::RouteHandler`.
|
||||
*/
|
||||
private class PromotedRestifyCandidate extends Restify::RouteHandler,
|
||||
Http::Servers::StandardRouteHandler {
|
||||
Http::Servers::StandardRouteHandler
|
||||
{
|
||||
PromotedRestifyCandidate() { this instanceof Restify::RouteHandlerCandidate }
|
||||
}
|
||||
|
||||
@@ -51,6 +55,7 @@ private class PromotedRestifyCandidate extends Restify::RouteHandler,
|
||||
* Add `Spife::RouteHandlerCandidate` to the extent of `Spife::RouteHandler`.
|
||||
*/
|
||||
private class PromotedSpifeCandidate extends Spife::RouteHandler,
|
||||
Http::Servers::StandardRouteHandler {
|
||||
Http::Servers::StandardRouteHandler
|
||||
{
|
||||
PromotedSpifeCandidate() { this instanceof Spife::RouteHandlerCandidate }
|
||||
}
|
||||
|
||||
@@ -22,7 +22,8 @@ private import HeuristicSinks as Sinks
|
||||
class HeuristicSink = Sinks::HeuristicSink;
|
||||
|
||||
private class HeuristicCodeInjectionSink extends Sinks::HeuristicCodeInjectionSink,
|
||||
CodeInjection::Sink { }
|
||||
CodeInjection::Sink
|
||||
{ }
|
||||
|
||||
private class HeuristicCommandInjectionSink extends HeuristicSink, CommandInjection::Sink {
|
||||
HeuristicCommandInjectionSink() {
|
||||
|
||||
@@ -27,7 +27,8 @@ private class RemoteFlowPassword extends HeuristicSource, RemoteFlowSource {
|
||||
* since it does not properly escape single quotes and dollar symbols.
|
||||
*/
|
||||
private class JsonStringifyAsCommandInjectionSource extends HeuristicSource,
|
||||
CommandInjection::Source instanceof JsonStringifyCall {
|
||||
CommandInjection::Source instanceof JsonStringifyCall
|
||||
{
|
||||
override string getSourceType() { result = "a string from JSON.stringify" }
|
||||
}
|
||||
|
||||
|
||||
@@ -120,7 +120,8 @@ module HtmlSanitization {
|
||||
/**
|
||||
* An incomplete sanitizer for HTML-relevant characters.
|
||||
*/
|
||||
class IncompleteSanitizer extends IncompleteBlacklistSanitizer instanceof StringReplaceCallSequence {
|
||||
class IncompleteSanitizer extends IncompleteBlacklistSanitizer instanceof StringReplaceCallSequence
|
||||
{
|
||||
string unsanitized;
|
||||
|
||||
IncompleteSanitizer() {
|
||||
|
||||
@@ -282,8 +282,8 @@ module DomBasedXss {
|
||||
|
||||
private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
|
||||
|
||||
private class SerializeJavascriptSanitizer extends Sanitizer, Shared::SerializeJavascriptSanitizer {
|
||||
}
|
||||
private class SerializeJavascriptSanitizer extends Sanitizer, Shared::SerializeJavascriptSanitizer
|
||||
{ }
|
||||
|
||||
private class IsEscapedInSwitchSanitizer extends Sanitizer, Shared::IsEscapedInSwitchSanitizer { }
|
||||
|
||||
@@ -335,7 +335,8 @@ module DomBasedXss {
|
||||
/**
|
||||
* A sanitizer that blocks the `PrefixString` label when the start of the string is being tested as being of a particular prefix.
|
||||
*/
|
||||
abstract class PrefixStringSanitizer extends TaintTracking::LabeledSanitizerGuardNode instanceof StringOps::StartsWith {
|
||||
abstract class PrefixStringSanitizer extends TaintTracking::LabeledSanitizerGuardNode instanceof StringOps::StartsWith
|
||||
{
|
||||
override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
|
||||
e = super.getBaseString().asExpr() and
|
||||
label = prefixLabel() and
|
||||
|
||||
@@ -126,7 +126,8 @@ class Configuration extends TaintTracking::Configuration {
|
||||
}
|
||||
|
||||
private class PrefixStringSanitizerActivated extends TaintTracking::SanitizerGuardNode,
|
||||
PrefixStringSanitizer {
|
||||
PrefixStringSanitizer
|
||||
{
|
||||
PrefixStringSanitizerActivated() { this = this }
|
||||
}
|
||||
|
||||
@@ -138,6 +139,7 @@ private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::Quot
|
||||
QuoteGuard() { this = this }
|
||||
}
|
||||
|
||||
private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
|
||||
private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard
|
||||
{
|
||||
ContainsHtmlGuard() { this = this }
|
||||
}
|
||||
|
||||
@@ -78,7 +78,8 @@ module IncompleteHtmlAttributeSanitization {
|
||||
* vulnerabilities.
|
||||
*/
|
||||
class HtmlAttributeConcatenationAsSink extends Sink, DataFlow::ValueNode,
|
||||
HtmlAttributeConcatenation {
|
||||
HtmlAttributeConcatenation
|
||||
{
|
||||
override string getADangerousCharacter() {
|
||||
this.isInterpretedAsJavaScript() and result = "&"
|
||||
or
|
||||
|
||||
@@ -28,8 +28,8 @@ module IndirectCommandInjection {
|
||||
/**
|
||||
* A source of user input from the command-line, considered as a flow source for command injection.
|
||||
*/
|
||||
private class CommandLineArgumentsArrayAsSource extends Source instanceof CommandLineArgumentsArray {
|
||||
}
|
||||
private class CommandLineArgumentsArrayAsSource extends Source instanceof CommandLineArgumentsArray
|
||||
{ }
|
||||
|
||||
/**
|
||||
* An array of command-line arguments.
|
||||
|
||||
@@ -190,7 +190,8 @@ module LoopBoundInjection {
|
||||
* A sanitizer that blocks taint flow if the array is checked to be an array using an `X instanceof Array` check.
|
||||
*/
|
||||
class InstanceofArraySanitizerGuard extends TaintTracking::LabeledSanitizerGuardNode,
|
||||
DataFlow::ValueNode {
|
||||
DataFlow::ValueNode
|
||||
{
|
||||
override BinaryExpr astNode;
|
||||
|
||||
InstanceofArraySanitizerGuard() {
|
||||
@@ -211,7 +212,8 @@ module LoopBoundInjection {
|
||||
* Also implicitly makes sure that only the first DoS-prone loop is selected by the query (as the .length test has outcome=false when exiting the loop).
|
||||
*/
|
||||
class LengthCheckSanitizerGuard extends TaintTracking::LabeledSanitizerGuardNode,
|
||||
DataFlow::ValueNode {
|
||||
DataFlow::ValueNode
|
||||
{
|
||||
override RelationalComparison astNode;
|
||||
DataFlow::PropRead propRead;
|
||||
|
||||
|
||||
@@ -90,7 +90,8 @@ class FileSystemAccessAsExpensiveAction extends ExpensiveAction instanceof FileS
|
||||
}
|
||||
|
||||
/** A system command execution, considered as an expensive action. */
|
||||
class SystemCommandExecutionAsExpensiveAction extends ExpensiveAction instanceof SystemCommandExecution {
|
||||
class SystemCommandExecutionAsExpensiveAction extends ExpensiveAction instanceof SystemCommandExecution
|
||||
{
|
||||
override string describe() { result = "a system command" }
|
||||
}
|
||||
|
||||
@@ -200,8 +201,8 @@ class RateLimiterFlexibleRateLimiter extends DataFlow::FunctionNode {
|
||||
/**
|
||||
* A route-handler expression that is rate-limited by the `rate-limiter-flexible` package.
|
||||
*/
|
||||
class RouteHandlerLimitedByRateLimiterFlexible extends RateLimitingMiddleware instanceof RateLimiterFlexibleRateLimiter {
|
||||
}
|
||||
class RouteHandlerLimitedByRateLimiterFlexible extends RateLimitingMiddleware instanceof RateLimiterFlexibleRateLimiter
|
||||
{ }
|
||||
|
||||
private class FastifyRateLimiter extends RateLimitingMiddleware {
|
||||
FastifyRateLimiter() { this = DataFlow::moduleImport("fastify-rate-limit") }
|
||||
|
||||
@@ -168,7 +168,8 @@ private predicate isPropertyPresentOnObjectPrototype(string prop) {
|
||||
|
||||
/** A check of form `e.prop` where `prop` is not present on `Object.prototype`. */
|
||||
private class PropertyPresenceCheck extends TaintTracking::LabeledSanitizerGuardNode,
|
||||
DataFlow::ValueNode {
|
||||
DataFlow::ValueNode
|
||||
{
|
||||
override PropAccess astNode;
|
||||
|
||||
PropertyPresenceCheck() {
|
||||
|
||||
@@ -143,8 +143,8 @@ module ReflectedXss {
|
||||
|
||||
private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
|
||||
|
||||
private class SerializeJavascriptSanitizer extends Sanitizer, Shared::SerializeJavascriptSanitizer {
|
||||
}
|
||||
private class SerializeJavascriptSanitizer extends Sanitizer, Shared::SerializeJavascriptSanitizer
|
||||
{ }
|
||||
|
||||
private class IsEscapedInSwitchSanitizer extends Sanitizer, Shared::IsEscapedInSwitchSanitizer { }
|
||||
|
||||
|
||||
@@ -32,6 +32,7 @@ private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::Quot
|
||||
QuoteGuard() { this = this }
|
||||
}
|
||||
|
||||
private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
|
||||
private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard
|
||||
{
|
||||
ContainsHtmlGuard() { this = this }
|
||||
}
|
||||
|
||||
@@ -190,7 +190,8 @@ module SecondOrderCommandInjection {
|
||||
/**
|
||||
* A sanitizer that blocks flow when a string is tested to start with a certain prefix.
|
||||
*/
|
||||
class PrefixStringSanitizer extends TaintTracking::SanitizerGuardNode instanceof StringOps::StartsWith {
|
||||
class PrefixStringSanitizer extends TaintTracking::SanitizerGuardNode instanceof StringOps::StartsWith
|
||||
{
|
||||
override predicate sanitizes(boolean outcome, Expr e) {
|
||||
e = super.getBaseString().asExpr() and
|
||||
outcome = super.getPolarity()
|
||||
@@ -200,7 +201,8 @@ module SecondOrderCommandInjection {
|
||||
/**
|
||||
* A sanitizer that blocks flow when a string does not start with "--"
|
||||
*/
|
||||
class DoubleDashSanitizer extends TaintTracking::SanitizerGuardNode instanceof StringOps::StartsWith {
|
||||
class DoubleDashSanitizer extends TaintTracking::SanitizerGuardNode instanceof StringOps::StartsWith
|
||||
{
|
||||
DoubleDashSanitizer() { super.getSubstring().mayHaveStringValue("--") }
|
||||
|
||||
override predicate sanitizes(boolean outcome, Expr e) {
|
||||
|
||||
@@ -59,7 +59,8 @@ module SqlInjection {
|
||||
* For simplicity it's used as a sanitizer for all of `js/sql-injection`.
|
||||
*/
|
||||
class LdapStringSanitizer extends Sanitizer,
|
||||
IncompleteBlacklistSanitizer::StringReplaceCallSequence {
|
||||
IncompleteBlacklistSanitizer::StringReplaceCallSequence
|
||||
{
|
||||
LdapStringSanitizer() {
|
||||
forall(string char | char = ["*", "(", ")", "\\", "/"] |
|
||||
this.getAMember().getAReplacedString() = char
|
||||
|
||||
@@ -30,8 +30,8 @@ module StoredXss {
|
||||
class FileNameSourceAsSource extends Source instanceof FileNameSource { }
|
||||
|
||||
/** An instance of user-controlled torrent information, considered as a flow source for stored XSS. */
|
||||
class UserControlledTorrentInfoAsSource extends Source instanceof ParseTorrent::UserControlledTorrentInfo {
|
||||
}
|
||||
class UserControlledTorrentInfoAsSource extends Source instanceof ParseTorrent::UserControlledTorrentInfo
|
||||
{ }
|
||||
|
||||
/**
|
||||
* A regexp replacement involving an HTML meta-character, viewed as a sanitizer for
|
||||
@@ -44,8 +44,8 @@ module StoredXss {
|
||||
|
||||
private class UriEncodingSanitizer extends Sanitizer, Shared::UriEncodingSanitizer { }
|
||||
|
||||
private class SerializeJavascriptSanitizer extends Sanitizer, Shared::SerializeJavascriptSanitizer {
|
||||
}
|
||||
private class SerializeJavascriptSanitizer extends Sanitizer, Shared::SerializeJavascriptSanitizer
|
||||
{ }
|
||||
|
||||
private class IsEscapedInSwitchSanitizer extends Sanitizer, Shared::IsEscapedInSwitchSanitizer { }
|
||||
}
|
||||
|
||||
@@ -32,6 +32,7 @@ private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::Quot
|
||||
QuoteGuard() { this = this }
|
||||
}
|
||||
|
||||
private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
|
||||
private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard
|
||||
{
|
||||
ContainsHtmlGuard() { this = this }
|
||||
}
|
||||
|
||||
@@ -71,6 +71,7 @@ private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::Quot
|
||||
QuoteGuard() { this = this }
|
||||
}
|
||||
|
||||
private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
|
||||
private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard
|
||||
{
|
||||
ContainsHtmlGuard() { this = this }
|
||||
}
|
||||
|
||||
@@ -35,7 +35,8 @@ module UnsafeJQueryPlugin {
|
||||
* An argument that may act as an HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
|
||||
*/
|
||||
class AmbiguousHtmlOrSelectorArgument extends DataFlow::Node,
|
||||
DomBasedXss::JQueryHtmlOrSelectorArgument {
|
||||
DomBasedXss::JQueryHtmlOrSelectorArgument
|
||||
{
|
||||
AmbiguousHtmlOrSelectorArgument() {
|
||||
// any fixed prefix makes the call unambiguous
|
||||
not exists(getAPrefix())
|
||||
@@ -175,7 +176,8 @@ module UnsafeJQueryPlugin {
|
||||
/**
|
||||
* An argument that may act as an HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
|
||||
*/
|
||||
class AmbiguousHtmlOrSelectorArgumentAsSink extends Sink instanceof AmbiguousHtmlOrSelectorArgument {
|
||||
class AmbiguousHtmlOrSelectorArgumentAsSink extends Sink instanceof AmbiguousHtmlOrSelectorArgument
|
||||
{
|
||||
AmbiguousHtmlOrSelectorArgumentAsSink() { not isLikelyIntentionalHtmlSink(this) }
|
||||
}
|
||||
|
||||
|
||||
@@ -68,7 +68,8 @@ class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNo
|
||||
private import semmle.javascript.security.dataflow.Xss::Shared as Shared
|
||||
|
||||
private class PrefixStringSanitizer extends TaintTracking::SanitizerGuardNode,
|
||||
DomBasedXss::PrefixStringSanitizer {
|
||||
DomBasedXss::PrefixStringSanitizer
|
||||
{
|
||||
PrefixStringSanitizer() { this = this }
|
||||
}
|
||||
|
||||
@@ -80,6 +81,7 @@ private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::Quot
|
||||
QuoteGuard() { this = this }
|
||||
}
|
||||
|
||||
private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
|
||||
private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard
|
||||
{
|
||||
ContainsHtmlGuard() { this = this }
|
||||
}
|
||||
|
||||
@@ -17,7 +17,8 @@ private import codeql.regex.MissingRegExpAnchor as MissingRegExpAnchor
|
||||
private import semmle.javascript.security.regexp.RegExpTreeView::RegExpTreeView as TreeImpl
|
||||
|
||||
private module Impl implements
|
||||
MissingRegExpAnchor::MissingRegExpAnchorSig<TreeImpl, HostnameRegexp::Impl> {
|
||||
MissingRegExpAnchor::MissingRegExpAnchorSig<TreeImpl, HostnameRegexp::Impl>
|
||||
{
|
||||
predicate isUsedAsReplace(RegExpPatternSource pattern) {
|
||||
// is used for capture or replace
|
||||
exists(DataFlow::MethodCallNode mcn, string name | name = mcn.getMethodName() |
|
||||
|
||||