add new Xss queries to extraction code

2026-05-20 14:17:11 +02:00 · 2022-03-09 13:19:15 +00:00
parent e5bfb94403
commit afd4fbbcc0
3 changed files with 31 additions and 3 deletions
--- a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointData.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointData.qll
@@ -16,8 +16,10 @@ import experimental.adaptivethreatmodeling.EndpointTypes
 import experimental.adaptivethreatmodeling.FilteringReasons
 import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionATM
 import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjectionATM
+import experimental.adaptivethreatmodeling.StoredXssATM as StoredXssATM
 import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathATM
 import experimental.adaptivethreatmodeling.XssATM as XssATM
+import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomATM
 import Labels
 import NoFeaturizationRestrictionsConfig
 import Queries
@@ -29,9 +31,13 @@ AtmConfig getAtmCfg(Query query) {
  or
  query instanceof SqlInjectionQuery and result instanceof SqlInjectionATM::SqlInjectionAtmConfig
  or
-  query instanceof TaintedPathQuery and result instanceof TaintedPathATM::TaintedPathAtmConfig
+  query instanceof StoredXssQuery and result instanceof StoredXssATM::StoredXssATMConfig
  or
-  query instanceof XssQuery and result instanceof XssATM::DomBasedXssAtmConfig
+  query instanceof TaintedPathQuery and result instanceof TaintedPathATM::TaintedPathATMConfig
+  or
+  query instanceof XssQuery and result instanceof XssATM::DomBasedXssATMConfig
+  or
+  query instanceof XssThroughDomQuery and result instanceof XssThroughDomATM::XssThroughDOMATMConfig
 }

 /** DEPRECATED: Alias for getAtmCfg */
@@ -46,6 +52,10 @@ DataFlow::Configuration getDataFlowCfg(Query query) {
  query instanceof TaintedPathQuery and result instanceof TaintedPathATM::Configuration
  or
  query instanceof XssQuery and result instanceof XssATM::Configuration
+  or
+  query instanceof StoredXssQuery and result instanceof StoredXssATM::Configuration
+  or
+  query instanceof XssThroughDomQuery and result instanceof XssThroughDomATM::Configuration
 }

 /** Gets a known sink for the specified query. */
--- a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointMapping.ql
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointMapping.ql
@@ -8,6 +8,8 @@ import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjectionATM
 import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionATM
 import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathATM
 import experimental.adaptivethreatmodeling.XssATM as XssATM
+import experimental.adaptivethreatmodeling.StoredXssATM as StoredXssATM
+import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomATM
 import experimental.adaptivethreatmodeling.AdaptiveThreatModeling

 from string queryName, AtmConfig c, EndpointType e
@@ -23,6 +25,12 @@ where
    c instanceof TaintedPathATM::TaintedPathAtmConfig
    or
    queryName = "XssATM.ql" and c instanceof XssATM::DomBasedXssAtmConfig
+    or
+    queryName = "StoredXssATM.ql" and
+    c instanceof StoredXssATM::StoredXssATMConfig
+    or
+    queryName = "XssThroughDomATM.ql" and
+    c instanceof XssThroughDomATM::XssThroughDOMATMConfig
  ) and
  e = c.getASinkEndpointType()
 select queryName, e.getEncoding() as endpointTypeEncoded
--- a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/Queries.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/Queries.qll
@@ -8,7 +8,9 @@ newtype TQuery =
  TNosqlInjectionQuery() or
  TSqlInjectionQuery() or
  TTaintedPathQuery() or
-  TXssQuery()
+  TXssQuery() or
+  TStoredXssQuery() or
+  TXssThroughDomQuery()

 abstract class Query extends TQuery {
  abstract string getName();
@@ -24,6 +26,10 @@ class SqlInjectionQuery extends Query, TSqlInjectionQuery {
  override string getName() { result = "SqlInjection" }
 }

+class StoredXssQuery extends Query, TStoredXssQuery {
+  override string getName() { result = "StoredXss" }
+}
+
 class TaintedPathQuery extends Query, TTaintedPathQuery {
  override string getName() { result = "TaintedPath" }
 }
@@ -31,3 +37,7 @@ class TaintedPathQuery extends Query, TTaintedPathQuery {
 class XssQuery extends Query, TXssQuery {
  override string getName() { result = "Xss" }
 }
+
+class XssThroughDomQuery extends Query, TXssThroughDomQuery {
+  override string getName() { result = "XssThroughDom" }
+}