JS: Port DifferentKindsComparisonBypass

Asger F
2023-10-05 09:14:14 +02:00
parent d324e554f3
commit abd937a49d


@@ -14,19 +14,20 @@ import DifferentKindsComparisonBypassCustomizations::DifferentKindsComparisonByp
/**
* A taint tracking configuration for comparisons that relies on different kinds of HTTP request data.
*/
private class Configuration extends TaintTracking::Configuration {
Configuration() { this = "DifferentKindsComparisonBypass" }
private module DifferentKindsComparisonBypassConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
override predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
override predicate isSanitizer(DataFlow::Node node) {
super.isSanitizer(node) or
node instanceof Sanitizer
}
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/**
* Taint tracking for comparisons that relies on different kinds of HTTP request data.
*/
private module DifferentKindsComparisonBypassFlow =
TaintTracking::Global<DifferentKindsComparisonBypassConfig>;
/**
* A comparison that relies on different kinds of HTTP request data.
*/
@@ -35,11 +36,9 @@ class DifferentKindsComparison extends Comparison {
Source rSource;
DifferentKindsComparison() {
exists(Configuration cfg |
cfg.hasFlow(lSource, DataFlow::valueNode(this.getLeftOperand())) and
cfg.hasFlow(rSource, DataFlow::valueNode(this.getRightOperand())) and
lSource.isSuspiciousToCompareWith(rSource)
)
DifferentKindsComparisonBypassFlow::flow(lSource, DataFlow::valueNode(this.getLeftOperand())) and
DifferentKindsComparisonBypassFlow::flow(rSource, DataFlow::valueNode(this.getRightOperand())) and
lSource.isSuspiciousToCompareWith(rSource)
}
/** Gets the left operand source of this comparison. */
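Review bot: The new `isBarrier` predicate in `DifferentKindsComparisonBypassConfig` keeps only `node instanceof Sanitizer` and has no counterpart to the removed `super.isSanitizer(node)` clause, so the port preserves behaviour only if `TaintTracking::Global` applies the library's default taint sanitizers on its own. I believe the new API does this, but nothing visible in this file records it; a short comment above `isBarrier` such as `// Default taint sanitizers are added by TaintTracking::Global; only query-specific barriers are listed here.` would make the assumption explicit. Because this query reports comparisons that rely on different kinds of HTTP request data, a silent change in the barrier set would surface as lost or extra alerts, so it is worth confirming that the query's expected test output is unchanged by this commit. As a wording point, the doc comments on the config module and on `DifferentKindsComparisonBypassFlow` should read "comparisons that rely on" rather than "relies on".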