JS: split UnsafeDeserialization.qll

2026-05-11 09:49:26 +02:00 · 2019-07-04 08:39:10 +02:00
parent 626f3fa598
commit bb452bea45
2 changed files with 58 additions and 42 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDeserialization.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDeserialization.qll
@@ -1,25 +1,16 @@
 /**
 * Provides a taint-tracking configuration for reasoning about unsafe deserialization.
+ *
+ * Note, for performance reasons: only import this file if
+ * `UnsafeDeserialization::Configuration` is needed, otherwise
+ * `UnsafeDeserializationCustomizations` should be imported instead.
 */

 import javascript
 import semmle.javascript.security.dataflow.RemoteFlowSources

 module UnsafeDeserialization {
-  /**
-   * A data flow source for unsafe deserialization vulnerabilities.
-   */
-  abstract class Source extends DataFlow::Node { }
-
-  /**
-   * A data flow sink for unsafe deserialization vulnerabilities.
-   */
-  abstract class Sink extends DataFlow::Node { }
-
-  /**
-   * A sanitizer for unsafe deserialization vulnerabilities.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
+  import UnsafeDeserializationCustomizations::UnsafeDeserialization

  /**
   * A taint-tracking configuration for reasoning about unsafe deserialization.
@@ -36,32 +27,4 @@ module UnsafeDeserialization {
      node instanceof Sanitizer
    }
  }
-
-  /** A source of remote user input, considered as a flow source for unsafe deserialization. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
-  }
-
-  /**
-   * An expression passed to one of the unsafe load functions of the `js-yaml` package.
-   */
-  class JsYamlUnsafeLoad extends Sink {
-    JsYamlUnsafeLoad() {
-      exists(DataFlow::ModuleImportNode mi | mi.getPath() = "js-yaml" |
-        // the first argument to a call to `load` or `loadAll`
-        exists(string n | n = "load" or n = "loadAll" | this = mi.getAMemberCall(n).getArgument(0))
-        or
-        // the first argument to a call to `safeLoad` or `safeLoadAll` where
-        // the schema is specified to be `DEFAULT_FULL_SCHEMA`
-        exists(string n, DataFlow::CallNode c, DataFlow::Node fullSchema |
-          n = "safeLoad" or n = "safeLoadAll"
-        |
-          c = mi.getAMemberCall(n) and
-          this = c.getArgument(0) and
-          fullSchema = c.getOptionArgument(c.getNumArgument() - 1, "schema") and
-          mi.getAPropertyRead("DEFAULT_FULL_SCHEMA").flowsTo(fullSchema)
-        )
-      )
-    }
-  }
 }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll
@@ -0,0 +1,53 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * unsafe deserialization, as well as extension points for
+ * adding your own.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.RemoteFlowSources
+
+module UnsafeDeserialization {
+  /**
+   * A data flow source for unsafe deserialization vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for unsafe deserialization vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for unsafe deserialization vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** A source of remote user input, considered as a flow source for unsafe deserialization. */
+  class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  }
+
+  /**
+   * An expression passed to one of the unsafe load functions of the `js-yaml` package.
+   */
+  class JsYamlUnsafeLoad extends Sink {
+    JsYamlUnsafeLoad() {
+      exists(DataFlow::ModuleImportNode mi | mi.getPath() = "js-yaml" |
+        // the first argument to a call to `load` or `loadAll`
+        exists(string n | n = "load" or n = "loadAll" | this = mi.getAMemberCall(n).getArgument(0))
+        or
+        // the first argument to a call to `safeLoad` or `safeLoadAll` where
+        // the schema is specified to be `DEFAULT_FULL_SCHEMA`
+        exists(string n, DataFlow::CallNode c, DataFlow::Node fullSchema |
+          n = "safeLoad" or n = "safeLoadAll"
+        |
+          c = mi.getAMemberCall(n) and
+          this = c.getArgument(0) and
+          fullSchema = c.getOptionArgument(c.getNumArgument() - 1, "schema") and
+          mi.getAPropertyRead("DEFAULT_FULL_SCHEMA").flowsTo(fullSchema)
+        )
+      )
+    }
+  }
+}