JS: Port ImproperCodeSanitization

This commit is contained in:
Asger F
2023-10-05 09:19:50 +02:00
parent 8715c1b324
commit 9128722627
3 changed files with 45 additions and 64 deletions


@@ -13,7 +13,23 @@ import ImproperCodeSanitizationCustomizations::ImproperCodeSanitization
/**
* A taint-tracking configuration for reasoning about improper code sanitization vulnerabilities.
*/
class Configuration extends TaintTracking::Configuration {
module ImproperCodeSanitizationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/**
* Taint-tracking for reasoning about improper code sanitization vulnerabilities.
*/
module ImproperCodeSanitizationFlow = TaintTracking::Global<ImproperCodeSanitizationConfig>;
/**
* DEPRECATED. Use the `ImproperCodeSanitizationFlow` module instead.
*/
deprecated class Configuration extends TaintTracking::Configuration {
Configuration() { this = "ImproperCodeSanitization" }
override predicate isSource(DataFlow::Node source) { source instanceof Source }
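Review bot: The new `ImproperCodeSanitizationConfig` module ports only `isSource`, `isSink` and `isBarrier`, while the body of the deprecated `Configuration` class continues past the hunk, so it is not visible whether that class also overrode `isSanitizerGuard` or `isAdditionalTaintStep`. If it did, the `DataFlow::ConfigSig` port silently loses those steps (extra taint steps would need an `isAdditionalFlowStep` predicate and guard-based sanitizers a corresponding `isBarrier` contribution), and the much shorter expected-output file in this commit would not distinguish a lost step from the intended node deduplication; please confirm against the rest of the class. Separately, the QLDoc left above the module still reads "A taint-tracking configuration", which now describes a `ConfigSig` module rather than a configuration class; consider `/** A taint-tracking configuration module for reasoning about improper code sanitization vulnerabilities. */`.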


@@ -14,9 +14,9 @@
import javascript
import semmle.javascript.security.dataflow.ImproperCodeSanitizationQuery
import DataFlow::PathGraph
private import semmle.javascript.heuristics.HeuristicSinks
private import semmle.javascript.security.dataflow.CodeInjectionCustomizations
import ImproperCodeSanitizationFlow::PathGraph
/**
* Gets a type-tracked instance of `RemoteFlowSource` using type-tracker `t`.
@@ -60,9 +60,9 @@ private DataFlow::Node endsInCodeInjectionSink() {
result = endsInCodeInjectionSink(DataFlow::TypeBackTracker::end())
}
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
from ImproperCodeSanitizationFlow::PathNode source, ImproperCodeSanitizationFlow::PathNode sink
where
cfg.hasFlowPath(source, sink) and
ImproperCodeSanitizationFlow::flowPath(source, sink) and
// Basic detection of duplicate results with `js/code-injection`.
not (
sink.getNode().(StringOps::ConcatenationLeaf).getRoot() = endsInCodeInjectionSink() and
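Review bot: The new `import ImproperCodeSanitizationFlow::PathGraph` is placed after the two `private import` lines, whereas the line it replaces kept all public imports grouped at the top of the file; moving it directly after `import semmle.javascript.security.dataflow.ImproperCodeSanitizationQuery` keeps that grouping and makes the public/private split visible at a glance. The `from`/`where` rewrite itself looks consistent: `flowPath(source, sink)` replaces `cfg.hasFlowPath(source, sink)` and `sink.getNode()` remains valid on the new `PathNode`. The `not (` block that implements the `js/code-injection` deduplication continues outside the hunk, so its remaining conjuncts and the `select` clause could not be checked here; it relies on `endsInCodeInjectionSink()` (type back-tracking) rather than on the flow module, so it is presumably unaffected by the port, but that is worth confirming against the rest of the query.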


@@ -1,69 +1,34 @@
nodes
| bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` |
| bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` |
| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) |
| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) |
| bad-code-sanitization.js:6:11:6:25 | statements |
| bad-code-sanitization.js:6:24:6:25 | [] |
| bad-code-sanitization.js:7:21:7:70 | `${name ... key])}` |
| bad-code-sanitization.js:7:31:7:43 | safeProp(key) |
| bad-code-sanitization.js:8:27:8:36 | statements |
| bad-code-sanitization.js:8:27:8:46 | statements.join(';') |
| bad-code-sanitization.js:8:27:8:46 | statements.join(';') |
| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) |
| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) |
| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) |
| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
| bad-code-sanitization.js:63:11:63:55 | assignment |
| bad-code-sanitization.js:63:24:63:55 | `obj[${ ... )}]=42` |
| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) |
| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) |
| bad-code-sanitization.js:64:27:64:36 | assignment |
| bad-code-sanitization.js:64:27:64:36 | assignment |
edges
| bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` | bad-code-sanitization.js:7:31:7:43 | safeProp(key) |
| bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` | bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` |
| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` |
| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` |
| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` |
| bad-code-sanitization.js:6:11:6:25 | statements | bad-code-sanitization.js:8:27:8:36 | statements |
| bad-code-sanitization.js:6:24:6:25 | [] | bad-code-sanitization.js:6:11:6:25 | statements |
| bad-code-sanitization.js:7:21:7:70 | `${name ... key])}` | bad-code-sanitization.js:6:24:6:25 | [] |
| bad-code-sanitization.js:7:5:7:14 | [post update] statements | bad-code-sanitization.js:6:11:6:25 | statements |
| bad-code-sanitization.js:7:21:7:70 | `${name ... key])}` | bad-code-sanitization.js:7:5:7:14 | [post update] statements |
| bad-code-sanitization.js:7:31:7:43 | safeProp(key) | bad-code-sanitization.js:7:21:7:70 | `${name ... key])}` |
| bad-code-sanitization.js:8:27:8:36 | statements | bad-code-sanitization.js:8:27:8:46 | statements.join(';') |
| bad-code-sanitization.js:8:27:8:36 | statements | bad-code-sanitization.js:8:27:8:46 | statements.join(';') |
| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) |
| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) | bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
| bad-code-sanitization.js:63:11:63:55 | assignment | bad-code-sanitization.js:64:27:64:36 | assignment |
| bad-code-sanitization.js:63:11:63:55 | assignment | bad-code-sanitization.js:64:27:64:36 | assignment |
| bad-code-sanitization.js:63:24:63:55 | `obj[${ ... )}]=42` | bad-code-sanitization.js:63:11:63:55 | assignment |
| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | bad-code-sanitization.js:63:24:63:55 | `obj[${ ... )}]=42` |
| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | bad-code-sanitization.js:63:24:63:55 | `obj[${ ... )}]=42` |
| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | bad-code-sanitization.js:63:11:63:55 | assignment |
nodes
| bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` | semmle.label | /^[_$a- ... key)}]` |
| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | semmle.label | JSON.stringify(key) |
| bad-code-sanitization.js:6:11:6:25 | statements | semmle.label | statements |
| bad-code-sanitization.js:7:5:7:14 | [post update] statements | semmle.label | [post update] statements |
| bad-code-sanitization.js:7:21:7:70 | `${name ... key])}` | semmle.label | `${name ... key])}` |
| bad-code-sanitization.js:7:31:7:43 | safeProp(key) | semmle.label | safeProp(key) |
| bad-code-sanitization.js:8:27:8:36 | statements | semmle.label | statements |
| bad-code-sanitization.js:8:27:8:46 | statements.join(';') | semmle.label | statements.join(';') |
| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | semmle.label | htmlescape(pathname) |
| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | semmle.label | JSON.st ... (input) |
| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | semmle.label | JSON.st ... (input) |
| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | semmle.label | JSON.st ... (input) |
| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | semmle.label | JSON.st ... (input) |
| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | semmle.label | JSON.st ... bble")) |
| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | semmle.label | JSON.st ... bble")) |
| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) | semmle.label | JSON.st ... (taint) |
| bad-code-sanitization.js:63:11:63:55 | assignment | semmle.label | assignment |
| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | semmle.label | JSON.stringify(key) |
| bad-code-sanitization.js:64:27:64:36 | assignment | semmle.label | assignment |
subpaths
#select
| bad-code-sanitization.js:8:27:8:46 | statements.join(';') | bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:8:27:8:46 | statements.join(';') | Code construction depends on an $@. | bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | improperly sanitized value |
| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | Code construction depends on an $@. | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | improperly sanitized value |