hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

JS: Remove references to localFieldStep

Browse Source 
These are tracked in https://github.com/github/codeql-javascript-team/issues/456
This commit is contained in:
Asger F
2025-01-09 09:26:53 +01:00
parent 7766f97232
commit b29ee2acde
6 changed files with 1 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll
View File

@@ -99,11 +99,6 @@ module PrototypePollutingAssignmentConfig implements DataFlow::StateConfigSig {
state2 = FlowState::objectPrototype()
)
or
// TODO: local field step becomes a jump step, resulting in FPs (closure-lib)
// TODO: localFieldStep is too expensive with dataflow2
// DataFlow::localFieldStep(pred, succ)
none()
or
state1 = FlowState::taint() and
TaintTracking::defaultTaintStep(node1, node2) and
state1 = state2

4
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll
View File

@@ -29,10 +29,6 @@ module UnsafeCodeConstruction {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
// HTML sanitizers are insufficient protection against code injection
node1 = node2.(HtmlSanitizerCall).getInput()
or
none()
// TODO: localFieldStep is too expensive with dataflow2
// DataFlow::localFieldStep(pred, succ)
}
DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }

6
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
View File

@@ -47,12 +47,6 @@ module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
predicate isAdditionalFlowStep(
DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
) {
// TODO: localFieldStep is too expensive with dataflow2
// DataFlow::localFieldStep(pred, succ) and
// inlbl.isTaint() and
// outlbl.isTaint()
none()
or
TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
or
// property read from a tainted object is considered tainted

5
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll
View File

@@ -23,11 +23,6 @@ module UnsafeJQueryPluginConfig implements DataFlow::ConfigSig {
}
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node sink) {
// jQuery plugins tend to be implemented as classes that store data in fields initialized by the constructor.
// TODO: localFieldStep is too expensive with dataflow2
// DataFlow::localFieldStep(pred, succ)
none()
or
aliasPropertyPresenceStep(node1, sink)
}

6
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll
View File

@@ -26,12 +26,6 @@ module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
}
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
none()
// TODO: localFieldStep is too expensive with dataflow2
// DataFlow::localFieldStep(pred, succ)
}
DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
}

6
javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll
View File

@@ -22,11 +22,7 @@ module PolynomialReDoSConfig implements DataFlow::ConfigSig {
DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
none()
// TODO: localFieldStep is too expensive with dataflow2
// DataFlow::localFieldStep(pred, succ)
}
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
int fieldFlowBranchLimit() { result = 1 } // library inputs are too expensive on some projects
}