hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 09:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Port RequestForgery

Browse Source
This commit is contained in:
Asger F
2023-10-04 21:33:25 +02:00
parent d7b4e0c206
commit b2216627be
3 changed files with 108 additions and 173 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
View File

@@ -12,23 +12,48 @@ import UrlConcatenation
import RequestForgeryCustomizations::RequestForgery
/**
* A taint tracking configuration for request forgery.
* A taint tracking configuration for server-side request forgery.
*/
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "RequestForgery" }
module RequestForgeryConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source.(Source).isServerSide() }
override predicate isSource(DataFlow::Node source) { source.(Source).isServerSide() }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
override predicate isSanitizer(DataFlow::Node node) {
super.isSanitizer(node) or
node instanceof Sanitizer
}
predicate isBarrierOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }
override predicate isSanitizerOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
isAdditionalRequestForgeryStep(pred, succ)
}
}
/**
* Taint tracking for server-side request forgery.
*/
module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;
/**
* DEPRECATED. Use the `RequestForgeryFlow` module instead.
*/
deprecated class Configuration extends TaintTracking::Configuration {
Configuration() { this = "RequestForgery" }
override predicate isSource(DataFlow::Node source) { RequestForgeryConfig::isSource(source) }
override predicate isSink(DataFlow::Node sink) { RequestForgeryConfig::isSink(sink) }
override predicate isSanitizer(DataFlow::Node node) {
super.isSanitizer(node)
or
node instanceof Sanitizer
}
override predicate isSanitizerOut(DataFlow::Node node) {
RequestForgeryConfig::isBarrierOut(node)
}
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
RequestForgeryConfig::isAdditionalFlowStep(pred, succ)
}
}