diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/CoreKnowledge.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/CoreKnowledge.qll
deleted file mode 100644
index 55dca5ba6a8..00000000000
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/CoreKnowledge.qll
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * For internal use only.
- *
- * Provides predicates that expose the knowledge of models
- * in the core CodeQL JavaScript libraries.
- */
-
-private import javascript
-private import semmle.javascript.security.dataflow.XxeCustomizations
-private import semmle.javascript.security.dataflow.RemotePropertyInjectionCustomizations
-private import semmle.javascript.security.dataflow.TypeConfusionThroughParameterTamperingCustomizations
-private import semmle.javascript.security.dataflow.ZipSlipCustomizations
-private import semmle.javascript.security.dataflow.TaintedPathCustomizations
-private import semmle.javascript.security.dataflow.CleartextLoggingCustomizations
-private import semmle.javascript.security.dataflow.XpathInjectionCustomizations
-private import semmle.javascript.security.dataflow.Xss::Shared as Xss
-private import semmle.javascript.security.dataflow.StackTraceExposureCustomizations
-private import semmle.javascript.security.dataflow.ClientSideUrlRedirectCustomizations
-private import semmle.javascript.security.dataflow.CodeInjectionCustomizations
-private import semmle.javascript.security.dataflow.RequestForgeryCustomizations
-private import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentialsCustomizations
-private import semmle.javascript.security.dataflow.ShellCommandInjectionFromEnvironmentCustomizations
-private import semmle.javascript.security.dataflow.DifferentKindsComparisonBypassCustomizations
-private import semmle.javascript.security.dataflow.CommandInjectionCustomizations
-private import semmle.javascript.security.dataflow.PrototypePollutionCustomizations
-private import semmle.javascript.security.dataflow.UnvalidatedDynamicMethodCallCustomizations
-private import semmle.javascript.security.dataflow.TaintedFormatStringCustomizations
-private import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
-private import semmle.javascript.security.dataflow.PostMessageStarCustomizations
-private import semmle.javascript.security.dataflow.RegExpInjectionCustomizations
-private import semmle.javascript.security.dataflow.SqlInjectionCustomizations
-private import semmle.javascript.security.dataflow.InsecureRandomnessCustomizations
-private import semmle.javascript.security.dataflow.XmlBombCustomizations
-private import semmle.javascript.security.dataflow.InsufficientPasswordHashCustomizations
-private import semmle.javascript.security.dataflow.HardcodedCredentialsCustomizations
-private import semmle.javascript.security.dataflow.FileAccessToHttpCustomizations
-private import semmle.javascript.security.dataflow.UnsafeDynamicMethodAccessCustomizations
-private import semmle.javascript.security.dataflow.UnsafeDeserializationCustomizations
-private import semmle.javascript.security.dataflow.HardcodedDataInterpretedAsCodeCustomizations
-private import semmle.javascript.security.dataflow.ServerSideUrlRedirectCustomizations
-private import semmle.javascript.security.dataflow.IndirectCommandInjectionCustomizations
-private import semmle.javascript.security.dataflow.ConditionalBypassCustomizations
-private import semmle.javascript.security.dataflow.HttpToFileAccessCustomizations
-private import semmle.javascript.security.dataflow.BrokenCryptoAlgorithmCustomizations
-private import semmle.javascript.security.dataflow.LoopBoundInjectionCustomizations
-private import semmle.javascript.security.dataflow.CleartextStorageCustomizations
-
-/**
- * Holds if the node `n` is a known sink in a modeled library, or a sibling-argument of such a sink.
- */
-predicate isArgumentToKnownLibrarySinkFunction(DataFlow::Node n) {
-  exists(DataFlow::InvokeNode invk, DataFlow::Node known |
-    invk.getAnArgument() = n and invk.getAnArgument() = known and isKnownLibrarySink(known)
-  )
-}
-
-/**
- * Holds if the node `n` is a known sink for the external API security query.
- *
- * This corresponds to known sinks from security queries whose sources include remote flow and
- * DOM-based sources.
- */
-predicate isKnownExternalApiQuerySink(DataFlow::Node n) {
-  n instanceof Xxe::Sink or
-  n instanceof TaintedPath::Sink or
-  n instanceof XpathInjection::Sink or
-  n instanceof Xss::Sink or
-  n instanceof ClientSideUrlRedirect::Sink or
-  n instanceof CodeInjection::Sink or
-  n instanceof RequestForgery::Sink or
-  n instanceof CorsMisconfigurationForCredentials::Sink or
-  n instanceof CommandInjection::Sink or
-  n instanceof PrototypePollution::Sink or
-  n instanceof UnvalidatedDynamicMethodCall::Sink or
-  n instanceof TaintedFormatString::Sink or
-  n instanceof NosqlInjection::Sink or
-  n instanceof PostMessageStar::Sink or
-  n instanceof RegExpInjection::Sink or
-  n instanceof SqlInjection::Sink or
-  n instanceof XmlBomb::Sink or
-  n instanceof ZipSlip::Sink or
-  n instanceof UnsafeDeserialization::Sink or
-  n instanceof ServerSideUrlRedirect::Sink or
-  n instanceof CleartextStorage::Sink or
-  n instanceof HttpToFileAccess::Sink
-}
-
-/** DEPRECATED: Alias for isKnownExternalApiQuerySink */
-deprecated predicate isKnownExternalAPIQuerySink = isKnownExternalApiQuerySink/1;
-
-/**
- * Holds if the node `n` is a known sink in a modeled library.
- */
-predicate isKnownLibrarySink(DataFlow::Node n) {
-  isKnownExternalApiQuerySink(n) or
-  n instanceof CleartextLogging::Sink or
-  n instanceof StackTraceExposure::Sink or
-  n instanceof ShellCommandInjectionFromEnvironment::Sink or
-  n instanceof InsecureRandomness::Sink or
-  n instanceof FileAccessToHttp::Sink or
-  n instanceof IndirectCommandInjection::Sink
-}
-
-/**
- * Holds if the node `n` is known as the predecessor in a modeled flow step.
- */
-predicate isKnownStepSrc(DataFlow::Node n) {
-  TaintTracking::sharedTaintStep(n, _) or
-  DataFlow::SharedFlowStep::step(n, _) or
-  DataFlow::SharedFlowStep::step(n, _, _, _)
-}
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
index 5cb6ca753e3..d14b02bf5ab 100644
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
@@ -7,10 +7,47 @@ private import semmle.javascript.security.dataflow.SqlInjectionCustomizations
 private import semmle.javascript.security.dataflow.DomBasedXssCustomizations
 private import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
 private import semmle.javascript.security.dataflow.TaintedPathCustomizations
-private import CoreKnowledge as CoreKnowledge
 private import semmle.javascript.heuristics.SyntacticHeuristics
 private import semmle.javascript.filters.ClassifyFiles as ClassifyFiles
 private import StandardEndpointFilters as StandardEndpointFilters
+private import semmle.javascript.security.dataflow.XxeCustomizations
+private import semmle.javascript.security.dataflow.RemotePropertyInjectionCustomizations
+private import semmle.javascript.security.dataflow.TypeConfusionThroughParameterTamperingCustomizations
+private import semmle.javascript.security.dataflow.ZipSlipCustomizations
+private import semmle.javascript.security.dataflow.TaintedPathCustomizations
+private import semmle.javascript.security.dataflow.CleartextLoggingCustomizations
+private import semmle.javascript.security.dataflow.XpathInjectionCustomizations
+private import semmle.javascript.security.dataflow.Xss::Shared as Xss
+private import semmle.javascript.security.dataflow.StackTraceExposureCustomizations
+private import semmle.javascript.security.dataflow.ClientSideUrlRedirectCustomizations
+private import semmle.javascript.security.dataflow.CodeInjectionCustomizations
+private import semmle.javascript.security.dataflow.RequestForgeryCustomizations
+private import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentialsCustomizations
+private import semmle.javascript.security.dataflow.ShellCommandInjectionFromEnvironmentCustomizations
+private import semmle.javascript.security.dataflow.DifferentKindsComparisonBypassCustomizations
+private import semmle.javascript.security.dataflow.CommandInjectionCustomizations
+private import semmle.javascript.security.dataflow.PrototypePollutionCustomizations
+private import semmle.javascript.security.dataflow.UnvalidatedDynamicMethodCallCustomizations
+private import semmle.javascript.security.dataflow.TaintedFormatStringCustomizations
+private import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
+private import semmle.javascript.security.dataflow.PostMessageStarCustomizations
+private import semmle.javascript.security.dataflow.RegExpInjectionCustomizations
+private import semmle.javascript.security.dataflow.SqlInjectionCustomizations
+private import semmle.javascript.security.dataflow.InsecureRandomnessCustomizations
+private import semmle.javascript.security.dataflow.XmlBombCustomizations
+private import semmle.javascript.security.dataflow.InsufficientPasswordHashCustomizations
+private import semmle.javascript.security.dataflow.HardcodedCredentialsCustomizations
+private import semmle.javascript.security.dataflow.FileAccessToHttpCustomizations
+private import semmle.javascript.security.dataflow.UnsafeDynamicMethodAccessCustomizations
+private import semmle.javascript.security.dataflow.UnsafeDeserializationCustomizations
+private import semmle.javascript.security.dataflow.HardcodedDataInterpretedAsCodeCustomizations
+private import semmle.javascript.security.dataflow.ServerSideUrlRedirectCustomizations
+private import semmle.javascript.security.dataflow.IndirectCommandInjectionCustomizations
+private import semmle.javascript.security.dataflow.ConditionalBypassCustomizations
+private import semmle.javascript.security.dataflow.HttpToFileAccessCustomizations
+private import semmle.javascript.security.dataflow.BrokenCryptoAlgorithmCustomizations
+private import semmle.javascript.security.dataflow.LoopBoundInjectionCustomizations
+private import semmle.javascript.security.dataflow.CleartextStorageCustomizations
 
 /**
  * A set of characteristics that a particular endpoint might have. This set of characteristics is used to make decisions
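Review bot: The added import block re-imports `semmle.javascript.security.dataflow.SqlInjectionCustomizations`, `semmle.javascript.security.dataflow.NosqlInjectionCustomizations` and `semmle.javascript.security.dataflow.TaintedPathCustomizations`, which this file already imports a few lines above (the first one is visible in the hunk header); the three duplicate lines can simply be dropped. The block was copied verbatim from the deleted CoreKnowledge.qll, and ten of its modules (RemotePropertyInjection, TypeConfusionThroughParameterTampering, DifferentKindsComparisonBypass, InsufficientPasswordHash, HardcodedCredentials, UnsafeDynamicMethodAccess, HardcodedDataInterpretedAsCode, ConditionalBypass, BrokenCryptoAlgorithm, LoopBoundInjection) are not referenced by any `::Sink` in the predicates this commit moves into the file. Unless the rest of the file uses them, which the diff does not show, they were dead already in CoreKnowledge.qll and should not be carried over. Trimming the list to the modules whose `Sink` class is actually named makes it obvious which sink kinds the library-sink predicates cover, which matters for anyone auditing what the endpoint filter treats as "known sink".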
@@ -61,6 +98,63 @@ abstract class EndpointCharacteristic extends string {
   final float mediumConfidence() { result = 0.6 }
 }
 
+/*
+ * Helper predicates.
+ */
+
+/**
+ * Holds if the node `n` is a known sink for the external API security query.
+ *
+ * This corresponds to known sinks from security queries whose sources include remote flow and
+ * DOM-based sources.
+ */
+private predicate isKnownExternalApiQuerySink(DataFlow::Node n) {
+  n instanceof Xxe::Sink or
+  n instanceof TaintedPath::Sink or
+  n instanceof XpathInjection::Sink or
+  n instanceof Xss::Sink or
+  n instanceof ClientSideUrlRedirect::Sink or
+  n instanceof CodeInjection::Sink or
+  n instanceof RequestForgery::Sink or
+  n instanceof CorsMisconfigurationForCredentials::Sink or
+  n instanceof CommandInjection::Sink or
+  n instanceof PrototypePollution::Sink or
+  n instanceof UnvalidatedDynamicMethodCall::Sink or
+  n instanceof TaintedFormatString::Sink or
+  n instanceof NosqlInjection::Sink or
+  n instanceof PostMessageStar::Sink or
+  n instanceof RegExpInjection::Sink or
+  n instanceof SqlInjection::Sink or
+  n instanceof XmlBomb::Sink or
+  n instanceof ZipSlip::Sink or
+  n instanceof UnsafeDeserialization::Sink or
+  n instanceof ServerSideUrlRedirect::Sink or
+  n instanceof CleartextStorage::Sink or
+  n instanceof HttpToFileAccess::Sink
+}
+
+/**
+ * Holds if the node `n` is a known sink in a modeled library.
+ */
+private predicate isKnownLibrarySink(DataFlow::Node n) {
+  isKnownExternalApiQuerySink(n) or
+  n instanceof CleartextLogging::Sink or
+  n instanceof StackTraceExposure::Sink or
+  n instanceof ShellCommandInjectionFromEnvironment::Sink or
+  n instanceof InsecureRandomness::Sink or
+  n instanceof FileAccessToHttp::Sink or
+  n instanceof IndirectCommandInjection::Sink
+}
+
+/**
+ * Holds if the node `n` is known as the predecessor in a modeled flow step.
+ */
+private predicate isKnownStepSrc(DataFlow::Node n) {
+  TaintTracking::sharedTaintStep(n, _) or
+  DataFlow::SharedFlowStep::step(n, _) or
+  DataFlow::SharedFlowStep::step(n, _, _, _)
+}
+
 /*
  * Characteristics that are indicative of a sink.
  * NOTE: Initially each sink type has only one characteristic, which is that it's a sink of this type in the standard
@@ -511,9 +605,9 @@ class IsArgumentToModeledFunctionCharacteristic extends StandardEndpointFilterCh
       invk.getAnArgument() = n and
       invk.getAnArgument() = known and
       (
-        CoreKnowledge::isKnownLibrarySink(known)
+        isKnownLibrarySink(known)
         or
-        CoreKnowledge::isKnownStepSrc(known)
+        isKnownStepSrc(known)
         or
         exists(OtherModeledArgumentCharacteristic characteristic |
           characteristic.getEndpoints(known)
@@ -614,10 +708,19 @@ private class DatabaseAccessCallHeuristicCharacteristic extends NosqlInjectionSi
 private class ModeledSinkCharacteristic extends NosqlInjectionSinkEndpointFilterCharacteristic {
   ModeledSinkCharacteristic() { this = "modeled sink" }
 
+  /**
+   * Holds if the node `n` is a known sink in a modeled library, or a sibling-argument of such a sink.
+   */
+  predicate isArgumentToKnownLibrarySinkFunction(DataFlow::Node n) {
+    exists(DataFlow::InvokeNode invk, DataFlow::Node known |
+      invk.getAnArgument() = n and invk.getAnArgument() = known and isKnownLibrarySink(known)
+    )
+  }
+
   override predicate getEndpoints(DataFlow::Node n) {
     exists(DataFlow::CallNode call | n = call.getAnArgument() |
       // Remove modeled sinks
-      CoreKnowledge::isArgumentToKnownLibrarySinkFunction(n)
+      isArgumentToKnownLibrarySinkFunction(n)
     )
   }
 }
@@ -628,7 +731,7 @@ private class PredecessorInModeledFlowStepCharacteristic extends NosqlInjectionS
   override predicate getEndpoints(DataFlow::Node n) {
     exists(DataFlow::CallNode call | n = call.getAnArgument() |
       // Remove common kinds of unlikely sinks
-      CoreKnowledge::isKnownStepSrc(n)
+      isKnownStepSrc(n)
     )
   }
 }
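Review bot: The moved predicates in the `@@ -61,6 +98,63 @@` hunk are declared `private`, and the deprecated alias `isKnownExternalAPIQuerySink` that the deleted CoreKnowledge.qll still exported is not carried over, so any library or query outside the four importers updated in this commit that referenced `CoreKnowledge` stops compiling. The diff cannot show whether such an importer exists, so it is worth a repository-wide search before merge; if `isKnownExternalApiQuerySink` is still consumed elsewhere, leaving it non-private here, or re-exporting it from a small module, preserves the old entry point. The new `Helper predicates.` section comment would also be more useful if it said where these came from, e.g. a second line reading ` * Inlined from the former CoreKnowledge.qll; they back the endpoint-filter characteristics below.`, so the next reader does not go looking for the deleted file.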
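Review bot: In the `@@ -614,10 +708,19 @@` hunk, `isArgumentToKnownLibrarySinkFunction` becomes a public member predicate of `ModeledSinkCharacteristic` although its body never uses `this`, while the three helpers it depends on (`isKnownLibrarySink` and the others) were made module-level `private` predicates earlier in this file. Placing it beside them as `private predicate isArgumentToKnownLibrarySinkFunction(DataFlow::Node n) {` keeps the helper predicates in one place and avoids adding a public predicate to a private class; if it must stay a member, marking it `private` would at least keep the class surface unchanged. A short why-comment on `getEndpoints` would also help, since the helper quantifies over `DataFlow::InvokeNode` while the enclosing `exists(DataFlow::CallNode call | ...)` is what narrows `n` to call arguments, e.g. `// Only call arguments are candidates; the helper itself accepts any invocation.`.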
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll
index 85b3d14d7e9..f03631bfdcf 100644
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll
@@ -8,7 +8,6 @@ import javascript
 private import semmle.javascript.heuristics.SyntacticHeuristics
 private import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
 import AdaptiveThreatModeling
-private import CoreKnowledge as CoreKnowledge
 
 class NosqlInjectionAtmConfig extends AtmConfig {
   NosqlInjectionAtmConfig() { this = "NosqlInjectionATMConfig" }
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/SqlInjectionATM.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/SqlInjectionATM.qll
index f52e1898667..14821404e6d 100644
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/SqlInjectionATM.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/SqlInjectionATM.qll
@@ -7,7 +7,6 @@
 import semmle.javascript.heuristics.SyntacticHeuristics
 import semmle.javascript.security.dataflow.SqlInjectionCustomizations
 import AdaptiveThreatModeling
-import CoreKnowledge as CoreKnowledge
 
 class SqlInjectionAtmConfig extends AtmConfig {
   SqlInjectionAtmConfig() { this = "SqlInjectionATMConfig" }
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/TaintedPathATM.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/TaintedPathATM.qll
index e83938071df..302907820da 100644
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/TaintedPathATM.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/TaintedPathATM.qll
@@ -7,7 +7,6 @@
 import semmle.javascript.heuristics.SyntacticHeuristics
 import semmle.javascript.security.dataflow.TaintedPathCustomizations
 import AdaptiveThreatModeling
-import CoreKnowledge as CoreKnowledge
 
 class TaintedPathAtmConfig extends AtmConfig {
   TaintedPathAtmConfig() { this = "TaintedPathATMConfig" }
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssATM.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssATM.qll
index 508cac4544f..2cc848a7ea9 100644
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssATM.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssATM.qll
@@ -7,7 +7,6 @@
 private import semmle.javascript.heuristics.SyntacticHeuristics
 private import semmle.javascript.security.dataflow.DomBasedXssCustomizations
 import AdaptiveThreatModeling
-import CoreKnowledge as CoreKnowledge
 
 class DomBasedXssAtmConfig extends AtmConfig {
   DomBasedXssAtmConfig() { this = "DomBasedXssATMConfig" }