From d4f3f6516cc6a894a97e7dbde5fa49df99da4f68 Mon Sep 17 00:00:00 2001
From: Esben Sparre Andreasen
Date: Wed, 30 Mar 2022 13:44:05 +0200
Subject: [PATCH] avoid using new feautes by default

---
 .../EndpointFeatures.qll | 20 +++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll
index ffc2aec231e..2387a82c185 100644
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll
@@ -16,7 +16,23 @@ private import FunctionBodyFeatures as FunctionBodyFeatures
 private string getTokenFeature(DataFlow::Node endpoint, string featureName) {
   // Performance optimization: Restrict feature extraction to endpoints we've explicitly asked to featurize.
   endpoint = any(FeaturizationConfig cfg).getAnEndpointToFeaturize() and
-  exists(EndpointFeature f | f.getName() = featureName and result = f.getValue(endpoint))
+  exists(EndpointFeature f | f.getName() = featureName and result = f.getValue(endpoint)) and
+  isVettedFeature(featureName)
+}
+
+predicate isVettedFeature(string featureName) {
+  // allowlist of vetted features that are permitted in production
+  featureName =
+    any(EndpointFeature f |
+      f instanceof EnclosingFunctionName or
+      f instanceof CalleeName or
+      f instanceof ReceiverName or
+      f instanceof ArgumentIndex or
+      f instanceof CalleeApiName or
+      f instanceof CalleeAccessPath or
+      f instanceof CalleeAccessPathWithStructuralInfo or
+      f instanceof EnclosingFunctionBody
+    ).getName()
 }
 
 /**
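Review bot: The new `isVettedFeature` predicate is added without a QLDoc comment and without `private`, while its sibling `getTokenFeature` in the same hunk is `private`; since this is the allowlist that decides which features reach production, its contract should be stated, e.g. `/** Holds if `featureName` is on the allowlist of features vetted for use in production; features not listed here are never extracted by default. */`, and it should be `private` unless callers outside this file need it (the only visible caller is `getASupportedFeatureName` in the second hunk). The allowlist is also keyed on `getName()` rather than on the feature class: `getTokenFeature` still binds `f` to any `EndpointFeature` whose name equals `featureName`, so if an unvetted subclass ever reported the same name as a vetted one its value would be extracted regardless — a comment noting that feature names are assumed unique, or moving the `instanceof` disjunction into the `exists` over `f`, would close that gap. This is inferred from the visible lines; whether duplicate names can occur depends on the `EndpointFeature` subclasses not shown here.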
@@ -190,7 +206,7 @@ private module FunctionNames {
 }
 
 /** Get a name of a supported generic token-based feature. */
-string getASupportedFeatureName() { result = any(EndpointFeature f).getName() }
+string getASupportedFeatureName() { isVettedFeature(result) }
 
 /**
  * Generic token-based features for ATM.
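Review bot: The QLDoc on `getASupportedFeatureName` still says "a supported generic token-based feature", but the new body yields only the allowlisted names from `isVettedFeature`, so "supported" no longer means every `EndpointFeature`; the comment should say so, e.g. `/** Gets the name of a vetted generic token-based feature; see `isVettedFeature` for the allowlist. */`. Any caller that relied on this predicate to enumerate all `EndpointFeature` names now sees the narrower set, which seems to be the intent of the commit but is worth stating in the doc so the difference is deliberate rather than surprising.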