Merge pull request #21336 from owen-mc/js/accept-mad-sanitizers

JS: Accept MaD sanitizers for queries with MaD sinks
Owen Mansel-Chan
2026-02-23 13:44:54 +00:00
committed by GitHub
16 changed files with 70 additions and 8 deletions


@@ -8,9 +8,3 @@ extensions:
- ['global', 'Member[process].Member[stdin].Member[on,addListener].WithStringArgument[0=data].Argument[1].Parameter[0]', 'stdin']
- ['readline', 'Member[createInterface].ReturnValue.Member[question].Argument[1].Parameter[0]', 'stdin']
- ['readline', 'Member[createInterface].ReturnValue.Member[on,addListener].WithStringArgument[0=line].Argument[1].Parameter[0]', 'stdin']
- addsTo:
pack: codeql/javascript-all
extensible: barrierModel
data:
- ['global', 'Member[encodeURIComponent,encodeURI].ReturnValue', 'request-forgery']


@@ -82,4 +82,8 @@ module CorsPermissiveConfiguration {
)
}
}
private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "cors-origin") }
}
}


@@ -270,4 +270,8 @@ module ClientSideUrlRedirect {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "url-redirection") }
}
private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "url-redirection") }
}
}


@@ -438,4 +438,8 @@ module CodeInjection {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "code-injection") }
}
private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "code-injection") }
}
}


@@ -58,4 +58,8 @@ module CommandInjection {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "command-injection") }
}
private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "command-injection") }
}
}


@@ -421,4 +421,8 @@ module DomBasedXss {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "html-injection") }
}
private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "html-injection") }
}
}
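Review bot: The barrier kind `html-injection` consumed by `SanitizerFromModel` at the end of `module DomBasedXss` is the same string `ReflectedXss.SanitizerFromModel` uses elsewhere in this PR, so one model entry silences both the DOM-based and the reflected XSS queries and the two cannot be extended independently by kind. That matches the shared `html-injection` sink kind on the line above, but it should be stated so nobody later adds a context-specific barrier here expecting it to stay local: `/** A sanitizer from a data-extension model; the `html-injection` kind is shared with ReflectedXss. */`. The rest of `DomBasedXss` is outside this hunk.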


@@ -44,4 +44,14 @@ module HardcodedCredentials {
not (super.getCredentialsKind() = "jwt key" and isTestFile(this.getFile()))
}
}
/**
* Note that a sanitizer with kind `credentials-key` will sanitize flow to
* all sinks, not just sinks with the same kind.
*/
private class CredentialSanitizerFromModel extends Sanitizer {
CredentialSanitizerFromModel() {
exists(string kind | ModelOutput::barrierNode(this, "credentials-" + kind))
}
}
}
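Review bot: `CredentialSanitizerFromModel` at the end of `module HardcodedCredentials` accepts any barrier whose kind begins with `credentials-`, and `kind` is never tied to the kind of the sink the flow reaches, so an entry for `credentials-password` also suppresses `credentials-key` findings, and an arbitrary suffix such as `credentials-foo` from a third-party model pack is accepted too. The QLDoc records the first consequence but not the second; consider restricting `kind` to values a sink can actually have, e.g. `exists(string kind | kind = any(Sink s).getCredentialsKind() and ModelOutput::barrierNode(this, "credentials-" + kind))`, assuming `Sink` exposes the `getCredentialsKind()` seen via `super` at the top of the hunk. If QL cannot bind `kind` through the `"credentials-" + kind` argument as written, the equivalent `ModelOutput::barrierNode(this, kind) and kind.matches("credentials-%")` form keeps it bound. The `Sink` class itself is outside this hunk.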


@@ -101,7 +101,13 @@ module IncompleteHtmlAttributeSanitization {
}
}
private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "request-forgery") }
/**
* An encoder for potentially malicious characters, as a sanitizer
* for incomplete HTML sanitization vulnerabilities.
*/
class EncodingSanitizer extends Sanitizer {
EncodingSanitizer() {
this = DataFlow::globalVarRef(["encodeURIComponent", "encodeURI"]).getACall()
}
}
}
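Review bot: `EncodingSanitizer` treats every `encodeURI`/`encodeURIComponent` call as a complete sanitizer, but neither function percent-encodes `'`, so a value placed in a single-quoted attribute can still break out; this is sound only if the query's dangerous-character set (defined outside this hunk) excludes `'`, and that assumption belongs in the QLDoc, e.g. ` * Both functions encode `<`, `"` and `&` but leave `'` unchanged, which is acceptable for the characters this query tracks.` The class is also declared without `private`, unlike the `SanitizerFromModel` classes added to the other configurations in this PR; if it is not meant to be public API, make it `private class EncodingSanitizer`. It replaces a `SanitizerFromModel` keyed on `request-forgery`, which looks like a copy-paste from RequestForgery, and that is a behaviour change for anyone who extended that kind expecting it to affect this query.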


@@ -88,3 +88,7 @@ class JsonStringifySanitizer extends Sanitizer {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "log-injection") }
}
private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "log-injection") }
}


@@ -47,4 +47,8 @@ module NosqlInjection {
/** An expression interpreted as a NoSql query, viewed as a sink. */
class NosqlQuerySink extends Sink instanceof NoSql::Query { }
private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "nosql-injection") }
}
}
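Review bot: `SanitizerFromModel` at the end of `module NosqlInjection` has no QLDoc while the neighbouring `NosqlQuerySink` documents itself; for consistency add `/** A barrier node declared by a data-extension model with kind `nosql-injection`. */`. Unlike most other configurations in this PR, no `SinkFromModel` with kind `nosql-injection` is visible in this hunk, so it is worth confirming that the sink side of this query (here `NoSql::Query`, defined outside the hunk) uses the same kind string, so model authors have a single name to learn for both sinks and barriers.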


@@ -147,4 +147,8 @@ module ReflectedXss {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "html-injection") }
}
private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "html-injection") }
}
}


@@ -114,4 +114,8 @@ module RequestForgery {
class UriEncodingSanitizer extends Sanitizer instanceof Xss::Shared::UriEncodingSanitizer {
UriEncodingSanitizer() { this.encodesPathSeparators() }
}
private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "request-forgery") }
}
}
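Review bot: `SanitizerFromModel` accepts any `request-forgery` barrier unconditionally, whereas the hand-written `UriEncodingSanitizer` two lines above only fires when `encodesPathSeparators()` holds, i.e. for `encodeURIComponent` and not `encodeURI`, which leaves `/`, `?`, `#` and `:` unencoded. A model pack can therefore reintroduce the weaker encoder as a barrier with no guard in QL; the yml hunk in this PR appears to drop exactly such an `encodeURI` entry, which suggests this has already happened once. Make the contract explicit in QLDoc: `/** A barrier from a data-extension model. Model authors: only list encoders that escape path separators; `encodeURI` does not. */`. The rest of `RequestForgery` is outside this hunk.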


@@ -66,4 +66,8 @@ module ServerSideUrlRedirect {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "url-redirection") }
}
private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "url-redirection") }
}
}


@@ -74,4 +74,8 @@ module SqlInjection {
)
}
}
private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "sql-injection") }
}
}


@@ -1124,4 +1124,8 @@ module TaintedPath {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "path-injection") }
}
private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "path-injection") }
}
}
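Review bot: A model-declared `path-injection` barrier is unconditional, whereas the existing barriers in `TaintedPath` (outside this hunk) are presumably guard-based, treating normalisation as safe only when combined with a check against an intended base directory. A model entry listing e.g. `path.normalize` or `path.basename` as a barrier would therefore silently weaken the query without any of those checks. State that in the QLDoc so model authors know the bar: `/** A barrier from a data-extension model. Only functions whose result cannot escape the intended directory should be modelled with this kind; normalisation alone does not qualify. */`.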


@@ -69,4 +69,8 @@ module UnsafeDeserialization {
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "unsafe-deserialization") }
}
private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "unsafe-deserialization") }
}
}