JS: Port example queries

Asger F
2023-10-04 21:31:23 +02:00
parent 449ec72dbe
commit ccd6d3dcd7
9 changed files with 93 additions and 84 deletions


@@ -9,8 +9,6 @@
*/
import javascript
import DataFlow
import DataFlow::PathGraph
/**
* A dataflow configuration that tracks authentication tokens ("authKey")
@@ -26,33 +24,37 @@ import DataFlow::PathGraph
* }), '*');
* ```
*/
class AuthKeyTracking extends DataFlow::Configuration {
AuthKeyTracking() { this = "AuthKeyTracking" }
module AuthKeyTrackingConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) {
node.(DataFlow::PropRead).getPropertyName() = "authKey"
}
override predicate isSource(Node node) { node.(PropRead).getPropertyName() = "authKey" }
override predicate isSink(Node node) {
exists(MethodCallNode call |
predicate isSink(DataFlow::Node node) {
exists(DataFlow::MethodCallNode call |
call.getMethodName() = "postMessage" and
call.getArgument(1).getStringValue() = "*" and // no restriction on target origin
call.getArgument(0) = node
)
}
override predicate isAdditionalFlowStep(Node pred, Node succ) {
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
// Step into objects: x -> { f: x }
succ.(SourceNode).getAPropertyWrite().getRhs() = pred
succ.(DataFlow::SourceNode).getAPropertyWrite().getRhs() = pred
or
// Step through JSON serialization: x -> JSON.stringify(x)
// Note: TaintTracking::Configuration includes this step by default, but not DataFlow::Configuration
exists(CallNode call |
call = globalVarRef("JSON").getAMethodCall("stringify") and
exists(DataFlow::CallNode call |
call = DataFlow::globalVarRef("JSON").getAMethodCall("stringify") and
pred = call.getArgument(0) and
succ = call
)
}
}
from AuthKeyTracking cfg, PathNode source, PathNode sink
where cfg.hasFlowPath(source, sink)
module AuthKeyTracking = DataFlow::Global<AuthKeyTrackingConfig>;
import AuthKeyTracking::PathGraph
from AuthKeyTracking::PathNode source, AuthKeyTracking::PathNode sink
where AuthKeyTracking::flowPath(source, sink)
select sink.getNode(), source, sink, "Message leaks the authKey from $@.", source.getNode(), "here"
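Review bot: The unchanged comment above the `JSON.stringify` step in `isAdditionalFlowStep` still names the class-based API (`TaintTracking::Configuration`, `DataFlow::Configuration`), which this port removes from the file. Since the query is now instantiated through `DataFlow::Global<AuthKeyTrackingConfig>`, the note should refer to the module-based equivalents, for example `// Note: TaintTracking::Global includes this step by default, but DataFlow::Global does not`. This is an example query that readers copy from, so a comment pointing at the old API is likely to send them back to the deprecated style. The doc comment on `AuthKeyTrackingConfig` begins outside the hunk, so its wording could not be checked here.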