Generalize the definition of a known sink:

If the list of reasons includes positive indicators with maximal confidence for this class, it's a known sink for the class. This negates the need for each query config to define the isKnownSink predicate individually.
2026-05-01 11:45:14 +02:00 · 2022-10-28 14:55:12 -07:00
parent 08bbe596a2
commit a4939b91e7
5 changed files with 9 additions and 9 deletions
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll
@@ -6,6 +6,7 @@

 private import javascript as JS
 import EndpointTypes
+import ClassificationReasons

 /**
 * EXPERIMENTAL. This API may change in the future.
@@ -44,7 +45,14 @@ abstract class AtmConfig extends string {
   *
   * Holds if `sink` is a known sink of flow.
   */
-  predicate isKnownSink(JS::DataFlow::Node sink) { none() }
+  predicate isKnownSink(JS::DataFlow::Node sink) {
+    // If the list of reasons includes positive indicators with maximal confidence for this class, it's a known sink for
+    // the class.
+    exists(ClassificationReason reason |
+      reason.getEndpoints(sink) and
+      reason.getImplications(this.getASinkEndpointType(), true, 1.0)
+    )
+  }

  /**
   * EXPERIMENTAL. This API may change in the future.
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll
@@ -93,8 +93,6 @@ class NosqlInjectionAtmConfig extends AtmConfig {
    source instanceof NosqlInjection::Source or TaintedObject::isSource(source, _)
  }

-  override predicate isKnownSink(DataFlow::Node sink) { sink instanceof NosqlInjection::Sink }
-
  override predicate isEffectiveSink(DataFlow::Node sinkCandidate) {
    not exists(SinkEndpointFilter::getAReasonSinkExcluded(sinkCandidate))
  }
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/SqlInjectionATM.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/SqlInjectionATM.qll
@@ -65,8 +65,6 @@ class SqlInjectionAtmConfig extends AtmConfig {

  override predicate isKnownSource(DataFlow::Node source) { source instanceof SqlInjection::Source }

-  override predicate isKnownSink(DataFlow::Node sink) { sink instanceof SqlInjection::Sink }
-
  override predicate isEffectiveSink(DataFlow::Node sinkCandidate) {
    not exists(SinkEndpointFilter::getAReasonSinkExcluded(sinkCandidate))
  }
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/TaintedPathATM.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/TaintedPathATM.qll
@@ -64,8 +64,6 @@ class TaintedPathAtmConfig extends AtmConfig {

  override predicate isKnownSource(DataFlow::Node source) { source instanceof TaintedPath::Source }

-  override predicate isKnownSink(DataFlow::Node sink) { sink instanceof TaintedPath::Sink }
-
  override predicate isEffectiveSink(DataFlow::Node sinkCandidate) {
    not exists(SinkEndpointFilter::getAReasonSinkExcluded(sinkCandidate))
  }
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssATM.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssATM.qll
@@ -65,8 +65,6 @@ class DomBasedXssAtmConfig extends AtmConfig {

  override predicate isKnownSource(DataFlow::Node source) { source instanceof DomBasedXss::Source }

-  override predicate isKnownSink(DataFlow::Node sink) { sink instanceof DomBasedXss::Sink }
-
  override predicate isEffectiveSink(DataFlow::Node sinkCandidate) {
    not exists(SinkEndpointFilter::getAReasonSinkExcluded(sinkCandidate))
  }