diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
index 918ef0663c8..84053319d02 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
@@ -11,7 +11,41 @@ import DeepObjectResourceExhaustionCustomizations::DeepObjectResourceExhaustion
 * A taint tracking configuration for reasoning about DoS attacks due to inefficient handling
 * of user-controlled objects.
 */
-class Configuration extends TaintTracking::Configuration {
+module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
+ class FlowState = DataFlow::FlowLabel;
+
+ predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+ source.(Source).getAFlowLabel() = label
+ }
+
+ predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+ sink instanceof Sink and label = TaintedObject::label()
+ }
+
+ predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel label) {
+ node = TaintedObject::SanitizerGuard::getABarrierNode(label)
+ }
+
+ predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+ predicate isAdditionalFlowStep(
+ DataFlow::Node src, DataFlow::FlowLabel inlbl, DataFlow::Node trg, DataFlow::FlowLabel outlbl
+ ) {
+ TaintedObject::step(src, trg, inlbl, outlbl)
+ }
+}
+
+/**
+ * Taint tracking for reasoning about DoS attacks due to inefficient handling
+ * of user-controlled objects.
+ */
+module DeepObjectResourceExhaustionFlow =
+ TaintTracking::GlobalWithState;
+
+/**
+ * DEPRECATED. Use the `DeepObjectResourceExhaustionFlow` module instead.
+ */
+deprecated class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "DeepObjectResourceExhaustion" }
 override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
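Review bot: The instantiation `module DeepObjectResourceExhaustionFlow = TaintTracking::GlobalWithState;` is shown with no type argument, which would not compile as written; this is most likely the page dropping angle brackets, but the line should read `TaintTracking::GlobalWithState<DeepObjectResourceExhaustionConfig>;` and deserves a check against the actual patch. The two `isBarrier` overloads in `DeepObjectResourceExhaustionConfig` carry no comment explaining why both exist: the labelled one admits only the barrier nodes that `TaintedObject::SanitizerGuard::getABarrierNode(label)` reports for that state, whereas `node instanceof Sanitizer` is unlabelled and presumably cuts flow regardless of state. A one-line comment on each, e.g. `// Sanitizer guards are state-specific; plain sanitizers apply to every flow state.`, would stop a future maintainer from folding them into one. The deprecated `Configuration` class continues past the end of the hunk.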
diff --git a/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql b/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql
index a9ea46c4510..066c3f148d5 100644
--- a/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql
+++ b/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql
@@ -11,14 +11,13 @@
 */
 import javascript
-import DataFlow::PathGraph
 import semmle.javascript.security.dataflow.DeepObjectResourceExhaustionQuery
+import DataFlow::DeduplicatePathGraph
-from
- Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node link,
- string reason
+from PathNode source, PathNode sink, DataFlow::Node link, string reason
 where
- cfg.hasFlowPath(source, sink) and
+ DeepObjectResourceExhaustionFlow::flowPath(source.getAnOriginalPathNode(),
+ sink.getAnOriginalPathNode()) and
 sink.getNode().(Sink).hasReason(link, reason)
 select sink, source, sink, "Denial of service caused by processing $@ with $@.", source.getNode(),
 "user input", link, reason
diff --git a/javascript/ql/test/query-tests/Security/CWE-400/DeepObjectResourceExhaustion/DeepObjectResourceExhaustion.expected b/javascript/ql/test/query-tests/Security/CWE-400/DeepObjectResourceExhaustion/DeepObjectResourceExhaustion.expected
index 1b6796f21c4..5c3caed8152 100644
--- a/javascript/ql/test/query-tests/Security/CWE-400/DeepObjectResourceExhaustion/DeepObjectResourceExhaustion.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-400/DeepObjectResourceExhaustion/DeepObjectResourceExhaustion.expected
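Review bot: `import DataFlow::DeduplicatePathGraph` appears without the `<DeepObjectResourceExhaustionFlow::PathNode, DeepObjectResourceExhaustionFlow::PathGraph>` arguments a parameterized module needs, and the bare `PathNode` in the new `from` clause only resolves if that import supplies it; this is probably the page stripping angle brackets, but without the arguments the query would not compile, so it is worth confirming in the real patch. The `flowPath` condition pairs `source.getAnOriginalPathNode()` with `sink.getAnOriginalPathNode()` existentially, which is how the deduplicated graph is meant to be queried, but nothing in the hunk says so; a short comment above the `where` clause, `// Deduplicated path nodes stand for several original nodes; any flowing pair is enough.`, would make that choice explicit for the next reader.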
@@ -1,8 +1,6 @@
 nodes
-| tst.js:9:29:9:36 | req.body |
-| tst.js:9:29:9:36 | req.body |
-| tst.js:9:29:9:36 | req.body |
+| tst.js:9:29:9:36 | req.body | semmle.label | req.body |
 edges
-| tst.js:9:29:9:36 | req.body | tst.js:9:29:9:36 | req.body |
+subpaths
 #select
 | tst.js:9:29:9:36 | req.body | tst.js:9:29:9:36 | req.body | tst.js:9:29:9:36 | req.body | Denial of service caused by processing $@ with $@. | tst.js:9:29:9:36 | req.body | user input | tst.js:4:21:4:35 | allErrors: true | allErrors: true |