Put QLDoc on data flow and taint tracking modules
We preserve all old QLDocs, but move them from the Config module to the Flow module. This makes more sense, since the Config module is often private and is generally not accessed directly.
@@ -222,11 +222,6 @@ module StringOps {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A configuration for tracking flow from a call to `strings.NewReplacer` to
|
||||
* the receiver of a call to `strings.Replacer.Replace` or
|
||||
* `strings.Replacer.WriteString`.
|
||||
*/
|
||||
private module StringsNewReplacerConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof StringsNewReplacerCall }
|
||||
|
||||
@@ -238,6 +233,10 @@ module StringOps {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks data flow from a call to `strings.NewReplacer` to the receiver of
|
||||
* a call to `strings.Replacer.Replace` or `strings.Replacer.WriteString`.
|
||||
*/
|
||||
private module StringsNewReplacerFlow = DataFlow::Global<StringsNewReplacerConfig>;
|
||||
|
||||
/**
|
||||
|
||||
@@ -14,7 +14,7 @@ module AllocationSizeOverflow {
|
||||
import AllocationSizeOverflowCustomizations::AllocationSizeOverflow
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use a copy of `FindLargeLensConfig` and `FindLargeLensFlow` instead.
|
||||
* DEPRECATED: Use copies of `FindLargeLensConfig` and `FindLargeLensFlow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for identifying `len(...)` calls whose argument may be large.
|
||||
*/
|
||||
@@ -40,6 +40,9 @@ module AllocationSizeOverflow {
|
||||
predicate isBarrier(DataFlow::Node nd) { nd instanceof Sanitizer }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow to find `len(...)` calls whose argument may be large.
|
||||
*/
|
||||
private module FindLargeLensFlow = TaintTracking::Global<FindLargeLensConfig>;
|
||||
|
||||
private DataFlow::CallNode getALargeLenCall() {
|
||||
@@ -111,5 +114,6 @@ module AllocationSizeOverflow {
|
||||
}
|
||||
}
|
||||
|
||||
/** Tracks taint flow to find allocation-size overflows. */
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
}
|
||||
|
||||
@@ -89,5 +89,12 @@ module CleartextLogging {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks data flow for reasoning about clear-text logging of sensitive
|
||||
* information, from `Source`s, which are sources of sensitive data, to
|
||||
* `Sink`s, which is an abstract class representing all the places sensitive
|
||||
* data may be stored in cleartext. Additional sources or sinks can be added
|
||||
* by extending the relevant class.
|
||||
*/
|
||||
module Flow = DataFlow::Global<Config>;
|
||||
}
|
||||
|
||||
@@ -51,6 +51,10 @@ module CommandInjection {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about command-injection vulnerabilities
|
||||
* with sinks which are not sanitized by `--`.
|
||||
*/
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
|
||||
private class ArgumentArrayWithDoubleDash extends DataFlow::Node {
|
||||
@@ -129,5 +133,9 @@ module CommandInjection {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about command-injection vulnerabilities
|
||||
* with sinks which are sanitized by `--`.
|
||||
*/
|
||||
module DoubleDashSanitizingFlow = TaintTracking::Global<DoubleDashSanitizingConfig>;
|
||||
}
|
||||
|
||||
@@ -207,6 +207,9 @@ private module UntrustedDataConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks data flow from `RemoteFlowSource`s to `ExternalApiDataNode`s.
|
||||
*/
|
||||
module UntrustedDataToExternalApiFlow = DataFlow::Global<UntrustedDataConfig>;
|
||||
|
||||
/** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */
|
||||
@@ -234,6 +237,9 @@ private module UntrustedDataToUnknownExternalApiConfig implements DataFlow::Conf
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof UnknownExternalApiDataNode }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks data flow from `RemoteFlowSource`s to `UnknownExternalApiDataNode`s.
|
||||
*/
|
||||
module UntrustedDataToUnknownExternalApiFlow =
|
||||
DataFlow::Global<UntrustedDataToUnknownExternalApiConfig>;
|
||||
|
||||
|
||||
@@ -257,6 +257,11 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow from an integer obtained from parsing a string flows to a
|
||||
* type conversion to a smaller integer type, which could cause unexpected
|
||||
* values.
|
||||
*/
|
||||
module Flow = TaintTracking::GlobalWithState<ConversionWithoutBoundsCheckConfig>;
|
||||
|
||||
private predicate upperBoundCheckGuard(DataFlow::Node g, Expr e, boolean branch) {
|
||||
|
||||
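Review bot: The new QLDoc on `Flow` for `ConversionWithoutBoundsCheckConfig` reads `Tracks taint flow from an integer obtained from parsing a string flows to a`, which has a stray second verb; drop `flows` so the sentence parses: `* Tracks taint flow from an integer obtained from parsing a string to a`. The two following comment lines can stay as written. The config module this documents ends inside the hunk but starts outside it, and `upperBoundCheckGuard` continues past the hunk.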
@@ -46,5 +46,9 @@ module InsecureRandomness {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about random values that are not
|
||||
* cryptographically secure.
|
||||
*/
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
}
|
||||
|
||||
@@ -33,9 +33,7 @@ module LogInjection {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about log injection vulnerabilities.
|
||||
*/
|
||||
/** Config for reasoning about log injection vulnerabilities. */
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
@@ -44,5 +42,6 @@ module LogInjection {
|
||||
predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer }
|
||||
}
|
||||
|
||||
/** Tracks taint flow for reasoning about log injection vulnerabilities. */
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
}
|
||||
|
||||
@@ -104,5 +104,6 @@ module OpenUrlRedirect {
|
||||
}
|
||||
}
|
||||
|
||||
/** Tracks taint flow for reasoning about unvalidated URL redirections. */
|
||||
module Flow = DataFlow::Global<Config>;
|
||||
}
|
||||
|
||||
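Review bot: The new one-line QLDoc on `Flow` in `OpenUrlRedirect` says `Tracks taint flow`, but the definition directly under it is `DataFlow::Global<Config>`, a data-flow rather than taint-tracking instantiation. Since the commit only moves documentation and does not change the instantiation, the comment should presumably follow the code: `/** Tracks data flow for reasoning about unvalidated URL redirections. */`. The same taint/data mismatch appears on `NameToGinSetCookieTrackingFlow` further down, which also says "taint flow" over a `DataFlow::Global<...>`, whereas its sibling `BoolToGinSetCookieTrackingFlow` correctly says "data flow". The enclosing `OpenUrlRedirect` module starts outside this hunk.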
@@ -46,5 +46,6 @@ module ReflectedXss {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
|
||||
/** Tracks taint flow for reasoning about XSS. */
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
}
|
||||
|
||||
@@ -67,5 +67,6 @@ module RequestForgery {
|
||||
}
|
||||
}
|
||||
|
||||
/** Tracks taint flow for reasoning about request forgery. */
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
}
|
||||
|
||||
@@ -67,5 +67,6 @@ module SafeUrlFlow {
|
||||
}
|
||||
}
|
||||
|
||||
/** Tracks taint flow for reasoning about safe URLs. */
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
}
|
||||
|
||||
@@ -51,5 +51,6 @@ module SqlInjection {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
|
||||
/** Tracks taint flow for reasoning about SQL-injection vulnerabilities. */
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
}
|
||||
|
||||
@@ -54,5 +54,6 @@ module StoredCommand {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof CommandInjection::Sanitizer }
|
||||
}
|
||||
|
||||
/** Tracks taint flow for reasoning about command-injection vulnerabilities. */
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
}
|
||||
|
||||
@@ -46,5 +46,6 @@ module StoredXss {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
|
||||
/** Tracks taint flow for reasoning about XSS. */
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
}
|
||||
|
||||
@@ -49,5 +49,9 @@ module StringBreak {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about unsafe-quoting vulnerabilities,
|
||||
* parameterized with the type of quote being tracked.
|
||||
*/
|
||||
module Flow = TaintTracking::GlobalWithState<Config>;
|
||||
}
|
||||
|
||||
@@ -37,5 +37,6 @@ module TaintedPath {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
|
||||
/** Tracks taint flow for reasoning about path-traversal vulnerabilities. */
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
}
|
||||
|
||||
@@ -44,6 +44,10 @@ module UnsafeUnzipSymlink {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof EvalSymlinksInvalidator }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow from archive header fields to
|
||||
* `path/filepath.EvalSymlinks` calls.
|
||||
*/
|
||||
private module EvalSymlinksFlow = TaintTracking::Global<EvalSymlinksConfig>;
|
||||
|
||||
/**
|
||||
@@ -90,5 +94,9 @@ module UnsafeUnzipSymlink {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof SymlinkSanitizer }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow from archive header fields to an `os.Symlink` call,
|
||||
* which never flow to a `path/filepath.EvalSymlinks` call.
|
||||
*/
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
}
|
||||
|
||||
@@ -43,5 +43,9 @@ module XPathInjection {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about untrusted user input used in an
|
||||
* XPath expression.
|
||||
*/
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
}
|
||||
|
||||
@@ -41,5 +41,6 @@ module ZipSlip {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
|
||||
/** Tracks taint flow for reasoning about zip-slip vulnerabilities. */
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
}
|
||||
|
||||
@@ -129,6 +129,10 @@ module UnhandledFileCloseConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { isCloseSink(sink, _) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks data flow for reasoning about which writable file handles resulting from calls to
|
||||
* `os.OpenFile` have `os.File.Close` called on them.
|
||||
*/
|
||||
module UnhandledFileCloseFlow = DataFlow::Global<UnhandledFileCloseConfig>;
|
||||
|
||||
import UnhandledFileCloseFlow::PathGraph
|
||||
|
||||
@@ -42,6 +42,10 @@ module SuspiciousCharacterInRegexpConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof RegexpPattern }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks data flow from strings containing suspicious escape sequences to a
|
||||
* use as a regular expression.
|
||||
*/
|
||||
module Flow = DataFlow::Global<SuspiciousCharacterInRegexpConfig>;
|
||||
|
||||
import Flow::PathGraph
|
||||
|
||||
@@ -43,10 +43,6 @@ class DebugStackFunction extends Function {
|
||||
DebugStackFunction() { this.hasQualifiedName("runtime/debug", "Stack") }
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration that looks for stack traces being written to
|
||||
* an HTTP response body without an intervening debug- or development-mode conditional.
|
||||
*/
|
||||
module StackTraceExposureConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source.(DataFlow::PostUpdateNode).getPreUpdateNode() =
|
||||
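Review bot: Removing the QLDoc from `StackTraceExposureConfig` leaves a non-private `module ... implements DataFlow::ConfigSig` with no documentation, and nothing is added in its place in this hunk; the hunk counts (-43,10 +43,6) together with the commit message suggest the four comment lines are the removed side, so if this is a library file a public declaration is now undocumented even though the description says all old QLDocs are preserved. The same removal without replacement appears on `TlsVersionFlowConfig`, `TlsInsecureCipherSuitesFlowConfig`, the divide-by-zero `Config`, `UntrustedToPassthroughTypeConversionConfig`, `PassthroughTypeConversionToTemplateExecutionCallConfig`, `FromUntrustedToTemplateExecutionCallConfig`, the conditional-bypass `Config`, `UntrustedToAllowOriginHeaderConfig` and `FromUntrustedConfig`, while the `LogInjection` hunk instead keeps a one-liner (`/** Config for reasoning about log injection vulnerabilities. */`). Applying that one-line form to each of the others, e.g. `/** Config for reasoning about stack traces written to an HTTP response body. */` here, would keep the treatment consistent and keep the public modules documented. The body of `StackTraceExposureConfig` continues past the end of this hunk.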
@@ -68,6 +64,10 @@ module StackTraceExposureConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about stack traces being written to an HTTP
|
||||
* response body without an intervening debug- or development-mode conditional.
|
||||
*/
|
||||
module StackTraceExposureFlow = TaintTracking::Global<StackTraceExposureConfig>;
|
||||
|
||||
import StackTraceExposureFlow::PathGraph
|
||||
|
||||
@@ -70,6 +70,10 @@ module Config implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { writeIsSink(sink, _) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks data flow to identify `HostKeyCallbackFunc` instances that reach
|
||||
* `ClientConfig.HostKeyCallback` fields.
|
||||
*/
|
||||
module Flow = DataFlow::Global<Config>;
|
||||
|
||||
import Flow::PathGraph
|
||||
|
||||
@@ -27,6 +27,10 @@ module Config implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks data flow from an RSA key length to a calls to an RSA key generation
|
||||
* function.
|
||||
*/
|
||||
module Flow = DataFlow::Global<Config>;
|
||||
|
||||
import Flow::PathGraph
|
||||
|
||||
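Review bot: The new QLDoc on `Flow` in this hunk reads `from an RSA key length to a calls to an RSA key generation`, which mixes singular and plural; change that line to `* Tracks data flow from an RSA key length to a call to an RSA key generation` and leave the following `* function.` line as is. The wording otherwise matches the `DataFlow::Global<Config>` it documents. The `Config` module it refers to closes inside the hunk but starts outside it.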
@@ -50,10 +50,6 @@ int getASecureTlsVersion() {
|
||||
*/
|
||||
int getATlsVersion() { result = getASecureTlsVersion() or isInsecureTlsVersion(result, _, _) }
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for tracking flow from TLS versions to the
|
||||
* `tls.Config.MinVersion` and `tls.Config.MaxVersion` fields.
|
||||
*/
|
||||
module TlsVersionFlowConfig implements DataFlow::ConfigSig {
|
||||
/**
|
||||
* Holds if `source` is a TLS version source yielding value `val`.
|
||||
@@ -77,6 +73,10 @@ module TlsVersionFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { isSink(sink, _, _, _) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow from TLS versions to the `tls.Config.MinVersion` and
|
||||
* `tls.Config.MaxVersion` fields.
|
||||
*/
|
||||
module TlsVersionFlow = TaintTracking::Global<TlsVersionFlowConfig>;
|
||||
|
||||
/**
|
||||
@@ -150,10 +150,6 @@ predicate isInsecureTlsVersionFlow(
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for tracking flow from insecure TLS cipher
|
||||
* suites into a `tls.Config` struct, to the `CipherSuites` field.
|
||||
*/
|
||||
module TlsInsecureCipherSuitesFlowConfig implements DataFlow::ConfigSig {
|
||||
/**
|
||||
* Holds if `source` reads an insecure TLS cipher suite named `suiteName`.
|
||||
@@ -207,6 +203,10 @@ module TlsInsecureCipherSuitesFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrierOut(DataFlow::Node node) { isSink(node) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow from insecure TLS cipher suites into the `CipherSuites`
|
||||
* field of a `tls.Config` struct.
|
||||
*/
|
||||
module TlsInsecureCipherSuitesFlow = TaintTracking::Global<TlsInsecureCipherSuitesFlowConfig>;
|
||||
|
||||
/**
|
||||
|
||||
@@ -42,6 +42,10 @@ module ConstantStateFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { isSinkCall(sink, _) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks data flow of a constant string value to a call to `AuthCodeURL` as
|
||||
* the `state` parameter.
|
||||
*/
|
||||
module Flow = DataFlow::Global<ConstantStateFlowConfig>;
|
||||
|
||||
import Flow::PathGraph
|
||||
@@ -108,6 +112,13 @@ module PrivateUrlFlowsToAuthCodeUrlCallConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { isSinkCall(sink, _) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks data flow from a URL indicating the OAuth redirect doesn't point to a publicly
|
||||
* accessible address to the receiver of an `AuthCodeURL` call.
|
||||
*
|
||||
* Note we accept localhost and 127.0.0.1 on the assumption this is probably a transient
|
||||
* listener; if it actually is a persistent server then that really is vulnerable to CSRF.
|
||||
*/
|
||||
module PrivateUrlFlowsToAuthCodeUrlCallFlow =
|
||||
DataFlow::Global<PrivateUrlFlowsToAuthCodeUrlCallConfig>;
|
||||
|
||||
|
||||
@@ -35,5 +35,6 @@ module EmailInjection {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
}
|
||||
|
||||
/** Tracks taint flow for reasoning about email-injection vulnerabilities. */
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
}
|
||||
|
||||
@@ -119,4 +119,8 @@ private module LdapInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof LdapSanitizer }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about when an `UntrustedFlowSource` flows
|
||||
* into an argument or field that is vulnerable to LDAP injection.
|
||||
*/
|
||||
module LdapInjectionFlow = TaintTracking::Global<LdapInjectionConfig>;
|
||||
|
||||
@@ -100,6 +100,7 @@ private module NameToNetHttpCookieTrackingConfig implements DataFlow::ConfigSig
|
||||
}
|
||||
}
|
||||
|
||||
/** Tracks taint flow from sensitive names to `net/http.SetCookie`. */
|
||||
module NameToNetHttpCookieTrackingFlow = TaintTracking::Global<NameToNetHttpCookieTrackingConfig>;
|
||||
|
||||
/**
|
||||
@@ -142,6 +143,10 @@ private module BoolToNetHttpCookieTrackingConfig implements DataFlow::ConfigSig
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow from a `bool` assigned to `HttpOnly` to
|
||||
* `net/http.SetCookie`.
|
||||
*/
|
||||
module BoolToNetHttpCookieTrackingFlow = TaintTracking::Global<BoolToNetHttpCookieTrackingConfig>;
|
||||
|
||||
/**
|
||||
@@ -182,6 +187,10 @@ private module BoolToGinSetCookieTrackingConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks data flow from `HttpOnly` set to `false` to
|
||||
* `gin-gonic/gin.Context.SetCookie`.
|
||||
*/
|
||||
module BoolToGinSetCookieTrackingFlow = DataFlow::Global<BoolToGinSetCookieTrackingConfig>;
|
||||
|
||||
/**
|
||||
@@ -203,10 +212,6 @@ deprecated private class NameToGinSetCookieTrackingConfiguration extends DataFlo
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for tracking flow from sensitive names to
|
||||
* `gin-gonic/gin.Context.SetCookie`.
|
||||
*/
|
||||
private module NameToGinSetCookieTrackingConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { isAuthVariable(source.asExpr()) }
|
||||
|
||||
@@ -218,6 +223,9 @@ private module NameToGinSetCookieTrackingConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow from sensitive names to `gin-gonic/gin.Context.SetCookie`.
|
||||
*/
|
||||
private module NameToGinSetCookieTrackingFlow = DataFlow::Global<NameToGinSetCookieTrackingConfig>;
|
||||
|
||||
/**
|
||||
@@ -299,6 +307,10 @@ private module GorillaCookieStoreSaveTrackingConfig implements DataFlow::ConfigS
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks data flow from gorilla cookie store creation to
|
||||
* `gorilla/sessions.Session.Save`.
|
||||
*/
|
||||
module GorillaCookieStoreSaveTrackingFlow = DataFlow::Global<GorillaCookieStoreSaveTrackingConfig>;
|
||||
|
||||
/**
|
||||
@@ -347,6 +359,10 @@ private module GorillaSessionOptionsTrackingConfig implements DataFlow::ConfigSi
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow from session options to
|
||||
* `gorilla/sessions.Session.Save`.
|
||||
*/
|
||||
module GorillaSessionOptionsTrackingFlow =
|
||||
TaintTracking::Global<GorillaSessionOptionsTrackingConfig>;
|
||||
|
||||
@@ -401,5 +417,9 @@ private module BoolToGorillaSessionOptionsTrackingConfig implements DataFlow::Co
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow from a `bool` assigned to `HttpOnly` to
|
||||
* `gorilla/sessions.Session.Save`.
|
||||
*/
|
||||
module BoolToGorillaSessionOptionsTrackingFlow =
|
||||
TaintTracking::Global<BoolToGorillaSessionOptionsTrackingConfig>;
|
||||
|
||||
@@ -384,5 +384,6 @@ module HardcodedKeys {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
|
||||
/** Tracks taint flow for reasoning about JWT token signing vulnerabilities. */
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
}
|
||||
|
||||
@@ -74,5 +74,9 @@ module WeakCryptoAlgorithm {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow from sensitive information to weak cryptographic
|
||||
* algorithms.
|
||||
*/
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
}
|
||||
|
||||
@@ -27,9 +27,6 @@ predicate divideByZeroSanitizerGuard(DataFlow::Node g, Expr e, boolean branch) {
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about division by zero, where divisor is user-controlled and unchecked.
|
||||
*/
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
|
||||
@@ -50,6 +47,10 @@ module Config implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about division by zero, where divisor is
|
||||
* user-controlled and unchecked.
|
||||
*/
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
|
||||
import Flow::PathGraph
|
||||
|
||||
@@ -43,6 +43,10 @@ private module DsnInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof RegexpCheckBarrier }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about Data Source Name injection
|
||||
* vulnerabilities.
|
||||
*/
|
||||
module DsnInjectionFlow = TaintTracking::Global<DsnInjectionConfig>;
|
||||
|
||||
/** A model of a function which decodes or unmarshals a tainted input, propagating taint from any argument to either the method receiver or return value. */
|
||||
|
||||
@@ -35,12 +35,6 @@ class PassthroughTypeName extends string {
|
||||
PassthroughTypeName() { this = ["HTML", "HTMLAttr", "JS", "JSStr", "CSS", "Srcset", "URL"] }
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about when an UntrustedFlowSource
|
||||
* is converted into a special "passthrough" type which will not be escaped by the template generator;
|
||||
* this allows the injection of arbitrary content (html, css, js) into the generated
|
||||
* output of the templates.
|
||||
*/
|
||||
module UntrustedToPassthroughTypeConversionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
|
||||
@@ -58,6 +52,12 @@ module UntrustedToPassthroughTypeConversionConfig implements DataFlow::ConfigSig
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about when an `UntrustedFlowSource` is
|
||||
* converted into a special "passthrough" type which will not be escaped by the
|
||||
* template generator; this allows the injection of arbitrary content (html,
|
||||
* css, js) into the generated output of the templates.
|
||||
*/
|
||||
module UntrustedToPassthroughTypeConversionFlow =
|
||||
TaintTracking::Global<UntrustedToPassthroughTypeConversionConfig>;
|
||||
|
||||
@@ -72,10 +72,6 @@ predicate flowsFromConversionToExec(
|
||||
targetType)
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about when the result of a conversion
|
||||
* to a PassthroughType flows to a template execution call.
|
||||
*/
|
||||
module PassthroughTypeConversionToTemplateExecutionCallConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { isSourceConversionToPassthroughType(source, _) }
|
||||
|
||||
@@ -91,6 +87,10 @@ module PassthroughTypeConversionToTemplateExecutionCallConfig implements DataFlo
|
||||
predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about when the result of a conversion to a
|
||||
* PassthroughType flows to a template execution call.
|
||||
*/
|
||||
module PassthroughTypeConversionToTemplateExecutionCallFlow =
|
||||
TaintTracking::Global<PassthroughTypeConversionToTemplateExecutionCallConfig>;
|
||||
|
||||
@@ -108,16 +108,16 @@ predicate isSinkToTemplateExec(DataFlow::Node sink, DataFlow::CallNode call) {
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about when an UntrustedFlowSource
|
||||
* flows into a template executor call.
|
||||
*/
|
||||
module FromUntrustedToTemplateExecutionCallConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { isSinkToTemplateExec(sink, _) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow from an `UntrustedFlowSource` into a template executor
|
||||
* call.
|
||||
*/
|
||||
module FromUntrustedToTemplateExecutionCallFlow =
|
||||
TaintTracking::Global<FromUntrustedToTemplateExecutionCallConfig>;
|
||||
|
||||
|
||||
@@ -88,4 +88,8 @@ private module Config implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about user-controlled bypassing of sensitive
|
||||
* actions.
|
||||
*/
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
|
||||
@@ -12,9 +12,6 @@
|
||||
|
||||
import go
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about conditional bypass.
|
||||
*/
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof UntrustedFlowSource
|
||||
@@ -27,6 +24,7 @@ module Config implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
/** Tracks taint flow for reasoning about conditional bypass. */
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
|
||||
from
|
||||
|
||||
@@ -63,6 +63,7 @@ module ServerSideRequestForgery {
|
||||
predicate isBarrierOut(DataFlow::Node node) { node instanceof SanitizerEdge }
|
||||
}
|
||||
|
||||
/** Tracks taint flow for reasoning about request forgery vulnerabilities. */
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
|
||||
/** A data flow source for request forgery vulnerabilities. */
|
||||
|
||||
@@ -51,10 +51,6 @@ class AllowCredentialsHeaderWrite extends Http::HeaderWrite {
|
||||
AllowCredentialsHeaderWrite() { this.getHeaderName() = headerAllowCredentials() }
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about when an UntrustedFlowSource
|
||||
* flows to a HeaderWrite that writes an `Access-Control-Allow-Origin` header's value.
|
||||
*/
|
||||
module UntrustedToAllowOriginHeaderConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
|
||||
@@ -73,6 +69,10 @@ module UntrustedToAllowOriginHeaderConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { isSinkHW(sink, _) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flowfor reasoning about when an `UntrustedFlowSource` flows to
|
||||
* a `HeaderWrite` that writes an `Access-Control-Allow-Origin` header's value.
|
||||
*/
|
||||
module UntrustedToAllowOriginHeaderFlow = TaintTracking::Global<UntrustedToAllowOriginHeaderConfig>;
|
||||
|
||||
/**
|
||||
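Review bot: The moved QLDoc on `UntrustedToAllowOriginHeaderFlow` has lost a space in `Tracks taint flowfor reasoning about`; it should read `Tracks taint flow for reasoning about`. The original config comment removed in the preceding hunk had the space, so this was introduced when the text was reflowed onto the Flow module. `UntrustedToAllowOriginHeaderConfig` starts outside this hunk.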
@@ -122,10 +122,6 @@ class MapRead extends DataFlow::ElementReadNode {
|
||||
MapRead() { this.getBase().getType() instanceof MapType }
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about when an UntrustedFlowSource
|
||||
* flows somewhere.
|
||||
*/
|
||||
module FromUntrustedConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
|
||||
|
||||
@@ -165,6 +161,10 @@ module FromUntrustedConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Tracks taint flow for reasoning about when an `UntrustedFlowSource` flows
|
||||
* somewhere.
|
||||
*/
|
||||
module FromUntrustedFlow = TaintTracking::Global<FromUntrustedConfig>;
|
||||
|
||||
/**
|
||||
|
||||
@@ -53,6 +53,7 @@ module UnsafeTypeCastingConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { typeCastNodeIsSink(sink, _) }
|
||||
}
|
||||
|
||||
/** Tracks taint flow for reasoning about type casting from a `unsafe.Pointer`. */
|
||||
module UnsafeTypeCastingFlow = TaintTracking::Global<UnsafeTypeCastingConfig>;
|
||||
|
||||
import UnsafeTypeCastingFlow::PathGraph
|
||||
|
||||
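Review bot: The new one-line QLDoc on `UnsafeTypeCastingFlow` uses the wrong article before the `unsafe.Pointer` reference: `a` should be `an`, since the name is read with a leading vowel sound. The rest of the line matches the `TaintTracking::Global<UnsafeTypeCastingConfig>` it documents. `UnsafeTypeCastingConfig` starts outside this hunk.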