hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 04:39:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

JavaScript: Adjust ConditionalBypass query.

Browse Source
This commit is contained in:
Max Schaefer
2018-11-08 13:15:25 +00:00
parent 11d6259dbf
commit d5af008e31
1 changed files with 13 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
View File

@@ -67,18 +67,19 @@ class SensitiveActionGuardComparisonOperand extends Sink {
* If flow from `source` taints `sink`, then an attacker can
* control if `action` should be executed or not.
*/
predicate isTaintedGuardForSensitiveAction(Sink sink, DataFlow::Node source, SensitiveAction action) {
action = sink.getAction() and
predicate isTaintedGuardForSensitiveAction(DataFlow::PathNode sink, DataFlow::PathNode source, SensitiveAction action) {
action = sink.getNode().(Sink).getAction() and
// exclude the intermediary sink
not sink instanceof SensitiveActionGuardComparisonOperand and
not sink.getNode() instanceof SensitiveActionGuardComparisonOperand and
exists (Configuration cfg |
// ordinary taint tracking to a guard
cfg.hasFlow(source, sink) or
cfg.hasPathFlow(source, sink) or
// taint tracking to both operands of a guard comparison
exists (SensitiveActionGuardComparison cmp, DataFlow::Node lSource, DataFlow::Node rSource |
sink = cmp.getGuard() and
cfg.hasFlow(lSource, DataFlow::valueNode(cmp.getLeftOperand())) and
cfg.hasFlow(rSource, DataFlow::valueNode(cmp.getRightOperand())) |
exists (SensitiveActionGuardComparison cmp, DataFlow::PathNode lSource, DataFlow::PathNode rSource,
DataFlow::PathNode lSink, DataFlow::PathNode rSink |
sink.getNode() = cmp.getGuard() and
cfg.hasPathFlow(lSource, lSink) and lSink.getNode() = DataFlow::valueNode(cmp.getLeftOperand()) and
cfg.hasPathFlow(rSource, rSink) and rSink.getNode() = DataFlow::valueNode(cmp.getRightOperand()) |
source = lSource or
source = rSource
)
@@ -90,10 +91,10 @@ predicate isTaintedGuardForSensitiveAction(Sink sink, DataFlow::Node source, Sen
*
* Example: `if (e) return; action(x)`.
*/
predicate isEarlyAbortGuard(Sink e, SensitiveAction action) {
predicate isEarlyAbortGuard(DataFlow::PathNode e, SensitiveAction action) {
exists (IfStmt guard |
// `e` is in the condition of an if-statement ...
e.asExpr().getParentExpr*() = guard.getCondition() and
e.getNode().(Sink).asExpr().getParentExpr*() = guard.getCondition() and
// ... where the then-branch always throws or returns
exists (Stmt abort |
abort instanceof ThrowStmt or
@@ -108,9 +109,9 @@ predicate isEarlyAbortGuard(Sink e, SensitiveAction action) {
)
}
from DataFlow::Node source, DataFlow::Node sink, SensitiveAction action
from DataFlow::PathNode source, DataFlow::PathNode sink, SensitiveAction action
where isTaintedGuardForSensitiveAction(sink, source, action) and
not isEarlyAbortGuard(sink, action)
select sink, "This condition guards a sensitive $@, but $@ controls it.",
select sink.getNode(), "This condition guards a sensitive $@, but $@ controls it.",
action, "action",
source, "a user-provided value"