JS: split StackTraceExposure.qll

2026-04-30 11:15:13 +02:00 · 2019-07-04 09:59:37 +02:00
parent f2b3fa57eb
commit c8a60f74f0
2 changed files with 47 additions and 28 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/StackTraceExposure.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/StackTraceExposure.qll
@@ -1,21 +1,21 @@
 /**
- * Provides a taint-tracking configuration for reasoning about stack trace
- * exposure problems.
+ * Provides a taint-tracking configuration for reasoning about stack
+ * trace exposure problems.
+ *
+ * Note, for performance reasons: only import this file if
+ * `StackTraceExposure::Configuration` is needed, otherwise
+ * `StackTraceExposureCustomizations` should be imported instead.
 */

 import javascript

 module StackTraceExposure {
-  /**
-   * A data flow source for stack trace exposure vulnerabilities.
-   */
-  abstract class Source extends DataFlow::Node { }
+  import StackTraceExposureCustomizations::StackTraceExposure

  /**
-   * A data flow sink for stack trace exposure vulnerabilities.
+   * A taint-tracking configuration for reasoning about stack trace
+   * exposure problems.
   */
-  abstract class Sink extends DataFlow::Node { }
-
  class Configuration extends TaintTracking::Configuration {
    Configuration() { this = "StackTraceExposure" }

@@ -35,23 +35,4 @@ module StackTraceExposure {

    override predicate isSink(DataFlow::Node snk) { snk instanceof Sink }
  }
-
-  /**
-   * A read of the `stack` property of an exception, viewed as a data flow
-   * sink for stack trace exposure vulnerabilities.
-   */
-  class DefaultSource extends Source, DataFlow::Node {
-    DefaultSource() {
-      // any exception is a source
-      this = DataFlow::parameterNode(any(TryStmt try).getACatchClause().getAParameter())
-    }
-  }
-
-  /**
-   * An expression that can become part of an HTTP response body, viewed
-   * as a data flow sink for stack trace exposure vulnerabilities.
-   */
-  class DefaultSink extends Sink, DataFlow::ValueNode {
-    override HTTP::ResponseBody astNode;
-  }
 }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/StackTraceExposureCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/StackTraceExposureCustomizations.qll
@@ -0,0 +1,38 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * stack trace exposure vulnerabilities, as well as extension points
+ * for adding your own.
+ */
+
+import javascript
+
+module StackTraceExposure {
+  /**
+   * A data flow source for stack trace exposure vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for stack trace exposure vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A read of the `stack` property of an exception, viewed as a data flow
+   * sink for stack trace exposure vulnerabilities.
+   */
+  class DefaultSource extends Source, DataFlow::Node {
+    DefaultSource() {
+      // any exception is a source
+      this = DataFlow::parameterNode(any(TryStmt try).getACatchClause().getAParameter())
+    }
+  }
+
+  /**
+   * An expression that can become part of an HTTP response body, viewed
+   * as a data flow sink for stack trace exposure vulnerabilities.
+   */
+  class DefaultSink extends Sink, DataFlow::ValueNode {
+    override HTTP::ResponseBody astNode;
+  }
+}