JS: Migrate InsecureDownload

2026-04-26 01:05:15 +02:00 · 2024-12-13 11:10:14 +01:00
parent 4e25036cdc
commit bcc1669f4c
2 changed files with 61 additions and 19 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadCustomizations.qll
@@ -10,14 +10,52 @@ import javascript
 * Classes and predicates for reasoning about download of sensitive file through insecure connection vulnerabilities.
 */
 module InsecureDownload {
+  private newtype TFlowState =
+    TSensitiveInsecureUrl() or
+    TInsecureUrl()
+
+  /** A flow state to associate with a tracked value. */
+  class FlowState extends TFlowState {
+    /** Gets a string representation fo this flow state */
+    string toString() {
+      this = TSensitiveInsecureUrl() and result = "sensitive-insecure-url"
+      or
+      this = TInsecureUrl() and result = "insecure-url"
+    }
+
+    deprecated DataFlow::FlowLabel toFlowLabel() {
+      this = TSensitiveInsecureUrl() and result instanceof Label::SensitiveInsecureUrl
+      or
+      this = TInsecureUrl() and result instanceof Label::InsecureUrl
+    }
+  }
+
+  /** Predicates for working with flow states. */
+  module FlowState {
+    deprecated FlowState fromFlowLabel(DataFlow::FlowLabel label) { result.toFlowLabel() = label }
+
+    /**
+     * A file URL that is both sensitive and downloaded over an insecure connection.
+     */
+    FlowState sensitiveInsecureUrl() { result = TSensitiveInsecureUrl() }
+
+    /**
+     * A URL that is downloaded over an insecure connection.
+     */
+    FlowState insecureUrl() { result = TInsecureUrl() }
+  }
+
  /**
   * A data flow source for download of sensitive file through insecure connection.
   */
  abstract class Source extends DataFlow::Node {
    /**
-     * Gets a flow-label for this source.
+     * Gets a flow state for this source.
     */
-    abstract DataFlow::FlowLabel getALabel();
+    FlowState getAFlowState() { result = FlowState::insecureUrl() }
+
+    /** DEPRECATED. Use `getAFlowState()` instead. */
+    deprecated DataFlow::FlowLabel getALabel() { result = this.getAFlowState().toFlowLabel() }
  }

  /**
@@ -30,9 +68,14 @@ module InsecureDownload {
    abstract DataFlow::Node getDownloadCall();

    /**
-     * Gets a flow-label where this sink is vulnerable.
+     * Gets a flow state where this sink is vulnerable.
     */
-    abstract DataFlow::FlowLabel getALabel();
+    FlowState getAFlowState() {
+      result = [FlowState::insecureUrl(), FlowState::sensitiveInsecureUrl()]
+    }
+
+    /** DEPRECATED. Use `getAFlowState()` instead. */
+    deprecated DataFlow::FlowLabel getALabel() { result = this.getAFlowState().toFlowLabel() }
  }

  /**
@@ -71,11 +114,11 @@ module InsecureDownload {
      str.regexpMatch("http://.*|ftp://.*")
    }

-    override DataFlow::FlowLabel getALabel() {
-      result instanceof Label::InsecureUrl
+    override FlowState getAFlowState() {
+      result = FlowState::insecureUrl()
      or
      hasUnsafeExtension(str) and
-      result instanceof Label::SensitiveInsecureUrl
+      result = FlowState::sensitiveInsecureUrl()
    }
  }

@@ -113,11 +156,11 @@ module InsecureDownload {

    override DataFlow::Node getDownloadCall() { result = request }

-    override DataFlow::FlowLabel getALabel() {
-      result instanceof Label::SensitiveInsecureUrl
+    override FlowState getAFlowState() {
+      result = FlowState::sensitiveInsecureUrl()
      or
      hasUnsafeExtension(request.getASavePath().getStringValue()) and
-      result instanceof Label::InsecureUrl
+      result = FlowState::insecureUrl()
    }
  }

@@ -145,7 +188,7 @@ module InsecureDownload {
      )
    }

-    override DataFlow::FlowLabel getALabel() { result instanceof Label::InsecureUrl }
+    override FlowState getAFlowState() { result = FlowState::insecureUrl() }

    override DataFlow::Node getDownloadCall() { result = request }
  }
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
@@ -8,20 +8,19 @@

 import javascript
 import InsecureDownloadCustomizations::InsecureDownload
+private import InsecureDownloadCustomizations::InsecureDownload as InsecureDownload

 /**
 * A taint tracking configuration for download of sensitive file through insecure connection.
 */
 module InsecureDownloadConfig implements DataFlow::StateConfigSig {
-  class FlowState = DataFlow::FlowLabel;
+  class FlowState = InsecureDownload::FlowState;

-  predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-    source.(Source).getALabel() = label
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    source.(Source).getAFlowState() = state
  }

-  predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-    sink.(Sink).getALabel() = label
-  }
+  predicate isSink(DataFlow::Node sink, FlowState state) { sink.(Sink).getAFlowState() = state }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 }
@@ -38,11 +37,11 @@ deprecated class Configuration extends DataFlow::Configuration {
  Configuration() { this = "InsecureDownload" }

  override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-    InsecureDownloadConfig::isSource(source, label)
+    InsecureDownloadConfig::isSource(source, FlowState::fromFlowLabel(label))
  }

  override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-    InsecureDownloadConfig::isSink(sink, label)
+    InsecureDownloadConfig::isSink(sink, FlowState::fromFlowLabel(label))
  }

  override predicate isBarrier(DataFlow::Node node) {