hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-21 22:57:11 +02:00
Code Issues Packages Projects Releases Wiki Activity

Give endpoint types more intuitive names and then use those names directly in composing the codex prompt.

Browse Source
This commit is contained in:
tiferet
2022-12-07 16:25:14 -08:00
parent 94676ed713
commit b130b2e82f
2 changed files with 38 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointTypes.qll
View File

@@ -29,35 +29,35 @@ abstract class EndpointType extends TEndpointType {
/** The `Negative` class that can be predicted by endpoint scoring models. */
class NegativeType extends EndpointType, TNegativeType {
override string getDescription() { result = "Negative" }
override string getDescription() { result = "non-sink" }
override int getEncoding() { result = 0 }
}
/** The `XssSink` class that can be predicted by endpoint scoring models. */
class XssSinkType extends EndpointType, TXssSinkType {
override string getDescription() { result = "XssSink" }
override string getDescription() { result = "xss sink" }
override int getEncoding() { result = 1 }
}
/** The `NosqlInjectionSink` class that can be predicted by endpoint scoring models. */
class NosqlInjectionSinkType extends EndpointType, TNosqlInjectionSinkType {
override string getDescription() { result = "NosqlInjectionSink" }
override string getDescription() { result = "nosql injection sink" }
override int getEncoding() { result = 2 }
}
/** The `SqlInjectionSink` class that can be predicted by endpoint scoring models. */
class SqlInjectionSinkType extends EndpointType, TSqlInjectionSinkType {
override string getDescription() { result = "SqlInjectionSink" }
override string getDescription() { result = "sql injection sink" }
override int getEncoding() { result = 3 }
}
/** The `TaintedPathSink` class that can be predicted by endpoint scoring models. */
class TaintedPathSinkType extends EndpointType, TTaintedPathSinkType {
override string getDescription() { result = "TaintedPathSink" }
override string getDescription() { result = "path injection sink" }
override int getEncoding() { result = 4 }
}

34
javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ModelPrompt.qll
View File

@@ -1,4 +1,5 @@
import javascript
import EndpointTypes as EndpointTypes
module ModelPrompt {
string getPrompt(DataFlow::Node endpoint) {
@@ -14,7 +15,38 @@ module ModelPrompt {
*/
private string getTrainingSetPrompt() {
result =
"# Examples of security vulnerability sinks and non-sinks\n|Dataflow node|Neighborhood|Classification|\n|---|---|---|\n|`WPUrls.ajaxurl`|` dataType: json , type: POST , url: WPUrls.ajaxurl, data: data, complete: function( json ) {`|non-sink|\n|`[ handlebars ]`|` use strict ; if (typeof define === function && define.amd) { define([ handlebars ], function(Handlebars) { return factory(Handlebars.default Handlebars); });`|TaintedPathSink|\n|`url`|`} else { var matcher = new RegExp($.map(items.wanikanify_blackList, function(val) { return ( +val+ ) ;}).join( )); return matcher.test(url); } }`|non-sink|\n|`_.bind(connection.createGame, this, socket)`|`var connection = module.exports = function (socket) { socket.on( game:create , _.bind(connection.createGame, this, socket)); socket.on( game:spectate , _.bind(game.spectate, this, socket)); socket.on( register , _.bind(connection.register, this, socket));`|non-sink|\n|`sql`|` if (err) throw err; const sql = UPDATE customers SET address = Canyon 123 WHERE address = Valley 345 ; con.query(sql, function (err, result) { if (err) throw err; console.log(result.affectedRows + record(s) updated );`|SqlInjectionSink|\n|` <style type= text/css id= shapely-style- + sufix + /> `|` if ( ! style.length ) { style = $( head ).append( <style type= text/css id= shapely-style- + sufix + /> ).find( #shapely-style- + sufix ); }`|XssSink|\n|`content`|` textBoxEditor(content) { console.log(content); } ngOnInit() {`|non-sink|\n|`imageURL`|` <div id = mypost > <Link to ={ /post?id= + postId}> <img src={imageURL} alt= /> <div className= img_info > <div><i className= fas fa-heart ></i> <span id= likes >{this.state.like}</span></div>`|XssSink|\n|`{ roomId }`|` } const game = await Game.findOne({ roomId }); if (!game) {`|NosqlInjectionSink|\n|` SELECT owner, name, program FROM Programs WHERE name = + data + `|`app.get( /getProgram/:nombre , (request, response) => { var data = request.query.nombre; db.each( SELECT owner, name, program FROM Programs WHERE name = + data + , function(err, row) { response.json(row.program); });`|SqlInjectionSink|\n|`listenToServer`|` processCommand(cmd); } setTimeout(listenToServer, 0); } }`|non-sink|\n|`negativeYearString`|` return Date.prototype.toJSON && new Date(NaN).toJSON() === null && new Date(negativeDate).toJSON().indexOf(negativeYearString) !== -1 && Date.prototype.toJSON.call({ // generic toISOString: function () { return true; }`|non-sink|\n|`__dirname`|`fs .readdirSync(__dirname) .filter(function(file) { return (file.indexOf( . ) !== 0) && (file !== basename);`|TaintedPathSink|\n|`certificateId`|`app.get( /certificate/data/:id , (req, res) => { let certificateId = req.params.id; Certificates.findById(certificateId) .then(obj => { if (obj === null)`|NosqlInjectionSink|\n|`{encoding: utf8 }`|`function updateChangelog() { var filename = path.resolve(__dirname, ../CHANGELOG.md ) , changelog = fs.readFileSync(filename, {encoding: utf8 }) , entry = new RegExp( ### ( + version + )(?: \\((.+?)\\))\\n )`|non-sink|\n|`depth`|` }); const indent = .repeat(depth); let sep = indent; column_sizes.forEach((size) => {`|non-sink|\n"
"# Examples of security vulnerability sinks and non-sinks\n|Dataflow node|Neighborhood|Classification|\n|---|---|---|\n|`WPUrls.ajaxurl`|` dataType: json , type: POST , url: WPUrls.ajaxurl, data: data, complete: function( json ) {`|"
+ any(EndpointTypes::NegativeType endpointType).getDescription() +
"|\n|`[ handlebars ]`|` use strict ; if (typeof define === function && define.amd) { define([ handlebars ], function(Handlebars) { return factory(Handlebars.default Handlebars); });`|"
+ any(EndpointTypes::TaintedPathSinkType endpointType).getDescription() +
"|\n|`url`|`} else { var matcher = new RegExp($.map(items.wanikanify_blackList, function(val) { return ( +val+ ) ;}).join( )); return matcher.test(url); } }`|"
+ any(EndpointTypes::NegativeType endpointType).getDescription() +
"|\n|`_.bind(connection.createGame, this, socket)`|`var connection = module.exports = function (socket) { socket.on( game:create , _.bind(connection.createGame, this, socket)); socket.on( game:spectate , _.bind(game.spectate, this, socket)); socket.on( register , _.bind(connection.register, this, socket));`|"
+ any(EndpointTypes::NegativeType endpointType).getDescription() +
"|\n|`sql`|` if (err) throw err; const sql = UPDATE customers SET address = Canyon 123 WHERE address = Valley 345 ; con.query(sql, function (err, result) { if (err) throw err; console.log(result.affectedRows + record(s) updated );`|"
+ any(EndpointTypes::SqlInjectionSinkType endpointType).getDescription() +
"|\n|` <style type= text/css id= shapely-style- + sufix + /> `|` if ( ! style.length ) { style = $( head ).append( <style type= text/css id= shapely-style- + sufix + /> ).find( #shapely-style- + sufix ); }`|"
+ any(EndpointTypes::XssSinkType endpointType).getDescription() +
"|\n|`content`|` textBoxEditor(content) { console.log(content); } ngOnInit() {`|" +
any(EndpointTypes::NegativeType endpointType).getDescription() +
"|\n|`imageURL`|` <div id = mypost > <Link to ={ /post?id= + postId}> <img src={imageURL} alt= /> <div className= img_info > <div><i className= fas fa-heart ></i> <span id= likes >{this.state.like}</span></div>`|"
+ any(EndpointTypes::XssSinkType endpointType).getDescription() +
"|\n|`{ roomId }`|` } const game = await Game.findOne({ roomId }); if (!game) {`|" +
any(EndpointTypes::NosqlInjectionSinkType endpointType).getDescription() +
"|\n|` SELECT owner, name, program FROM Programs WHERE name = + data + `|`app.get( /getProgram/:nombre , (request, response) => { var data = request.query.nombre; db.each( SELECT owner, name, program FROM Programs WHERE name = + data + , function(err, row) { response.json(row.program); });`|"
+ any(EndpointTypes::SqlInjectionSinkType endpointType).getDescription() +
"|\n|`listenToServer`|` processCommand(cmd); } setTimeout(listenToServer, 0); } }`|"
+ any(EndpointTypes::NegativeType endpointType).getDescription() +
"|\n|`negativeYearString`|` return Date.prototype.toJSON && new Date(NaN).toJSON() === null && new Date(negativeDate).toJSON().indexOf(negativeYearString) !== -1 && Date.prototype.toJSON.call({ // generic toISOString: function () { return true; }`|"
+ any(EndpointTypes::NegativeType endpointType).getDescription() +
"|\n|`__dirname`|`fs .readdirSync(__dirname) .filter(function(file) { return (file.indexOf( . ) !== 0) && (file !== basename);`|"
+ any(EndpointTypes::TaintedPathSinkType endpointType).getDescription() +
"|\n|`certificateId`|`app.get( /certificate/data/:id , (req, res) => { let certificateId = req.params.id; Certificates.findById(certificateId) .then(obj => { if (obj === null)`|"
+ any(EndpointTypes::NosqlInjectionSinkType endpointType).getDescription() +
"|\n|`{encoding: utf8 }`|`function updateChangelog() { var filename = path.resolve(__dirname, ../CHANGELOG.md ) , changelog = fs.readFileSync(filename, {encoding: utf8 }) , entry = new RegExp( ### ( + version + )(?: \\((.+?)\\))\\n )`|"
+ any(EndpointTypes::NegativeType endpointType).getDescription() +
"|\n|`depth`|` }); const indent = .repeat(depth); let sep = indent; column_sizes.forEach((size) => {`|"
+ any(EndpointTypes::NegativeType endpointType).getDescription() + "|\n"
}
/**