JS: split DifferentKindsComparisonBypass.qll

2026-04-30 03:05:15 +02:00 · 2019-07-04 09:06:08 +02:00
parent 56172317ed
commit b85d3756b0
2 changed files with 63 additions and 45 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/DifferentKindsComparisonBypass.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/DifferentKindsComparisonBypass.qll
@@ -1,30 +1,18 @@
 /**
- * Provides classes for reasoning about comparisons that relies on different kinds of HTTP request data.
+ * Provides classes for reasoning about comparisons that relies on
+ * different kinds of HTTP request data.
+ *
+ * Note, for performance reasons: only import this file if
+ * `DifferentKindsComparisonBypass::Configuration` is needed,
+ * otherwise `DifferentKindsComparisonBypassCustomizations` should be
+ * imported instead.
 */

 import javascript
 import semmle.javascript.security.dataflow.RemoteFlowSources

 module DifferentKindsComparisonBypass {
-  /**
-   * A data flow source for comparisons that relies on different kinds of HTTP request data.
-   */
-  abstract class Source extends DataFlow::Node {
-    /**
-     * Holds if it suspicious to compare this source with `other`.
-     */
-    abstract predicate isSuspiciousToCompareWith(Source other);
-  }
-
-  /**
-   * A data flow sink for comparisons that relies on different kinds of HTTP request data.
-   */
-  abstract class Sink extends DataFlow::Node { }
-
-  /**
-   * A sanitizer for comparisons that relies on different kinds of HTTP request data.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
+  import DifferentKindsComparisonBypassCustomizations::DifferentKindsComparisonBypass

  /**
   * A taint tracking configuration for comparisons that relies on different kinds of HTTP request data.
@@ -42,31 +30,6 @@ module DifferentKindsComparisonBypass {
    }
  }

-  /**
-   * A HTTP request input that is suspicious to compare with another HTTP request input of a different kind.
-   */
-  class RequestInputComparisonSource extends Source {
-    HTTP::RequestInputAccess input;
-
-    RequestInputComparisonSource() { input = this }
-
-    override predicate isSuspiciousToCompareWith(Source other) {
-      input.getKind() != other.(RequestInputComparisonSource).getInput().getKind()
-    }
-
-    /**
-     * Gets the HTTP request input of this source.
-     */
-    private HTTP::RequestInputAccess getInput() { result = input }
-  }
-
-  /**
-   * A data flow sink for a potential suspicious comparisons.
-   */
-  private class ComparisonOperandSink extends Sink {
-    ComparisonOperandSink() { asExpr() = any(Comparison c).getAnOperand() }
-  }
-
  /**
   * A comparison that relies on different kinds of HTTP request data.
   */
--- a/javascript/ql/src/semmle/javascript/security/dataflow/DifferentKindsComparisonBypassCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/DifferentKindsComparisonBypassCustomizations.qll
@@ -0,0 +1,55 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * comparisons that relies on different kinds of HTTP request data, as
+ * well as extension points for adding your own.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.RemoteFlowSources
+
+module DifferentKindsComparisonBypass {
+  /**
+   * A data flow source for comparisons that relies on different kinds of HTTP request data.
+   */
+  abstract class Source extends DataFlow::Node {
+    /**
+     * Holds if it suspicious to compare this source with `other`.
+     */
+    abstract predicate isSuspiciousToCompareWith(Source other);
+  }
+
+  /**
+   * A data flow sink for comparisons that relies on different kinds of HTTP request data.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for comparisons that relies on different kinds of HTTP request data.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A HTTP request input that is suspicious to compare with another HTTP request input of a different kind.
+   */
+  class RequestInputComparisonSource extends Source {
+    HTTP::RequestInputAccess input;
+
+    RequestInputComparisonSource() { input = this }
+
+    override predicate isSuspiciousToCompareWith(Source other) {
+      input.getKind() != other.(RequestInputComparisonSource).getInput().getKind()
+    }
+
+    /**
+     * Gets the HTTP request input of this source.
+     */
+    private HTTP::RequestInputAccess getInput() { result = input }
+  }
+
+  /**
+   * A data flow sink for a potential suspicious comparisons.
+   */
+  private class ComparisonOperandSink extends Sink {
+    ComparisonOperandSink() { asExpr() = any(Comparison c).getAnOperand() }
+  }
+}