add assignedToPropName feature to try to reduce FPs from assignments to obj.innerHTML

Stephan Brandauer
2022-05-10 11:11:08 +02:00
parent 2021ac48a0
commit d5cc4cce7e
2 changed files with 41 additions and 17 deletions


@@ -236,7 +236,8 @@ private newtype TEndpointFeature =
TInputAccessPathFromCallee() or
TInputArgumentIndex() or
TContextFunctionInterfaces() or
TContextSurroundingFunctionParameters()
TContextSurroundingFunctionParameters() or
TAssignedToPropName()
/**
* An implementation of an endpoint feature: produces feature names and values for used in ML.
@@ -472,6 +473,25 @@ class ContextSurroundingFunctionParameters extends EndpointFeature,
}
}
/**
* The feature that gives the name an endpoint is assigned to (if any).
*
* ### Example
* ```javascript
* const div = document.createElement('div');
* div.innerHTML = endpoint; // feature value is 'innerHTML'
* ```
*/
class AssignedToPropName extends EndpointFeature, TAssignedToPropName {
override string getName() { result = "assignedToPropName" }
override string getValue(DataFlow::Node endpoint) {
exists(DataFlow::PropWrite w | w.getRhs().asExpr().getUnderlyingValue().flow() = endpoint |
result = w.getPropertyName()
)
}
}
/**
* The feature for the imports used in the callee of an invocation.
*
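Review bot: The QLDoc on `AssignedToPropName` speaks only of assignments, but `getValue` matches any `DataFlow::PropWrite`, and the expected output bears that out: all four new `assignedToPropName` rows (`p`, `q`) are on endpoints whose `Input_AccessPathFromCallee` is `0.p` or `0.p.q`, which looks like an object literal passed as an argument rather than `obj.p = endpoint`. I would widen the comment, e.g. `* Also produced for object-literal properties: in f({p: endpoint}) the value is 'p'.`, so that nobody reads the feature as an assignment-only signal. None of the new expected rows covers the `div.innerHTML = endpoint` case the commit is aimed at, so a test line for it would pin the behaviour that matters for scoring XSS sink candidates. `getValue` also has no result where `getPropertyName()` has none (presumably computed property names), which is worth one line in the doc.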


@@ -4,7 +4,7 @@
| test.html:2:61:2:68 | endpoint | calleeAccessPath | |
| test.html:2:61:2:68 | endpoint | calleeAccessPathWithStructuralInfo | |
| test.html:2:61:2:68 | endpoint | calleeName | item |
| test.html:2:61:2:68 | endpoint | contextFunctionInterfacesInFile | |
| test.html:2:61:2:68 | endpoint | contextFunctionInterfaces | |
| test.html:2:61:2:68 | endpoint | contextSurroundingFunctionParameters | |
| test.html:2:61:2:68 | endpoint | fileImports | |
| test.js:6:7:6:14 | endpoint | Callee_AccessPath | f |
@@ -15,7 +15,7 @@
| test.js:6:7:6:14 | endpoint | calleeApiName | lib3 |
| test.js:6:7:6:14 | endpoint | calleeImports | ? lib3 |
| test.js:6:7:6:14 | endpoint | calleeName | f |
| test.js:6:7:6:14 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() |
| test.js:6:7:6:14 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
| test.js:6:7:6:14 | endpoint | contextSurroundingFunctionParameters | () |
| test.js:6:7:6:14 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
| test.js:6:7:6:14 | endpoint | enclosingFunctionName | |
@@ -23,10 +23,11 @@
| test.js:7:11:7:18 | endpoint | Callee_AccessPath | f |
| test.js:7:11:7:18 | endpoint | Input_AccessPathFromCallee | 0.p |
| test.js:7:11:7:18 | endpoint | Input_ArgumentIndex | 0 |
| test.js:7:11:7:18 | endpoint | assignedToPropName | p |
| test.js:7:11:7:18 | endpoint | calleeAccessPath | |
| test.js:7:11:7:18 | endpoint | calleeAccessPathWithStructuralInfo | |
| test.js:7:11:7:18 | endpoint | calleeImports | ? lib3 |
| test.js:7:11:7:18 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() |
| test.js:7:11:7:18 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
| test.js:7:11:7:18 | endpoint | contextSurroundingFunctionParameters | () |
| test.js:7:11:7:18 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
| test.js:7:11:7:18 | endpoint | enclosingFunctionName | |
@@ -34,10 +35,11 @@
| test.js:8:15:8:22 | endpoint | Callee_AccessPath | f |
| test.js:8:15:8:22 | endpoint | Input_AccessPathFromCallee | 0.p.q |
| test.js:8:15:8:22 | endpoint | Input_ArgumentIndex | 0 |
| test.js:8:15:8:22 | endpoint | assignedToPropName | q |
| test.js:8:15:8:22 | endpoint | calleeAccessPath | |
| test.js:8:15:8:22 | endpoint | calleeAccessPathWithStructuralInfo | |
| test.js:8:15:8:22 | endpoint | calleeImports | ? lib3 |
| test.js:8:15:8:22 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() |
| test.js:8:15:8:22 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
| test.js:8:15:8:22 | endpoint | contextSurroundingFunctionParameters | () |
| test.js:8:15:8:22 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
| test.js:8:15:8:22 | endpoint | enclosingFunctionName | |
@@ -50,7 +52,7 @@
| test.js:9:9:9:16 | endpoint | calleeApiName | lib2 |
| test.js:9:9:9:16 | endpoint | calleeImports | ? lib2 |
| test.js:9:9:9:16 | endpoint | calleeName | m |
| test.js:9:9:9:16 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() |
| test.js:9:9:9:16 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
| test.js:9:9:9:16 | endpoint | contextSurroundingFunctionParameters | () |
| test.js:9:9:9:16 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
| test.js:9:9:9:16 | endpoint | enclosingFunctionName | |
@@ -59,10 +61,11 @@
| test.js:10:13:10:20 | endpoint | Callee_AccessPath | o.m |
| test.js:10:13:10:20 | endpoint | Input_AccessPathFromCallee | 0.p |
| test.js:10:13:10:20 | endpoint | Input_ArgumentIndex | 0 |
| test.js:10:13:10:20 | endpoint | assignedToPropName | p |
| test.js:10:13:10:20 | endpoint | calleeAccessPath | |
| test.js:10:13:10:20 | endpoint | calleeAccessPathWithStructuralInfo | |
| test.js:10:13:10:20 | endpoint | calleeImports | ? lib2 |
| test.js:10:13:10:20 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() |
| test.js:10:13:10:20 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
| test.js:10:13:10:20 | endpoint | contextSurroundingFunctionParameters | () |
| test.js:10:13:10:20 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
| test.js:10:13:10:20 | endpoint | enclosingFunctionName | |
@@ -70,10 +73,11 @@
| test.js:11:17:11:24 | endpoint | Callee_AccessPath | o.m |
| test.js:11:17:11:24 | endpoint | Input_AccessPathFromCallee | 0.p.q |
| test.js:11:17:11:24 | endpoint | Input_ArgumentIndex | 0 |
| test.js:11:17:11:24 | endpoint | assignedToPropName | q |
| test.js:11:17:11:24 | endpoint | calleeAccessPath | |
| test.js:11:17:11:24 | endpoint | calleeAccessPathWithStructuralInfo | |
| test.js:11:17:11:24 | endpoint | calleeImports | ? lib2 |
| test.js:11:17:11:24 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() |
| test.js:11:17:11:24 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
| test.js:11:17:11:24 | endpoint | contextSurroundingFunctionParameters | () |
| test.js:11:17:11:24 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
| test.js:11:17:11:24 | endpoint | enclosingFunctionName | |
@@ -83,7 +87,7 @@
| test.js:12:11:12:18 | endpoint | calleeAccessPath | |
| test.js:12:11:12:18 | endpoint | calleeAccessPathWithStructuralInfo | |
| test.js:12:11:12:18 | endpoint | calleeImports | lib1 |
| test.js:12:11:12:18 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() |
| test.js:12:11:12:18 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
| test.js:12:11:12:18 | endpoint | contextSurroundingFunctionParameters | () |
| test.js:12:11:12:18 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
| test.js:12:11:12:18 | endpoint | enclosingFunctionName | |
@@ -96,7 +100,7 @@
| test.js:13:17:13:24 | endpoint | calleeApiName | lib2 |
| test.js:13:17:13:24 | endpoint | calleeImports | ? lib2 |
| test.js:13:17:13:24 | endpoint | calleeName | m |
| test.js:13:17:13:24 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() |
| test.js:13:17:13:24 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
| test.js:13:17:13:24 | endpoint | contextSurroundingFunctionParameters | () |
| test.js:13:17:13:24 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
| test.js:13:17:13:24 | endpoint | enclosingFunctionName | |
@@ -108,7 +112,7 @@
| test.js:14:9:14:16 | endpoint | calleeAccessPathWithStructuralInfo | lib3 instanceorreturn instanceorreturn |
| test.js:14:9:14:16 | endpoint | calleeApiName | lib3 |
| test.js:14:9:14:16 | endpoint | calleeImports | ? lib3 |
| test.js:14:9:14:16 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() |
| test.js:14:9:14:16 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
| test.js:14:9:14:16 | endpoint | contextSurroundingFunctionParameters | () |
| test.js:14:9:14:16 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
| test.js:14:9:14:16 | endpoint | enclosingFunctionName | |
@@ -121,7 +125,7 @@
| test.js:15:12:15:19 | endpoint | calleeApiName | lib2 |
| test.js:15:12:15:19 | endpoint | calleeImports | ? lib2 |
| test.js:15:12:15:19 | endpoint | calleeName | m |
| test.js:15:12:15:19 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() |
| test.js:15:12:15:19 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
| test.js:15:12:15:19 | endpoint | contextSurroundingFunctionParameters | () |
| test.js:15:12:15:19 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
| test.js:15:12:15:19 | endpoint | enclosingFunctionName | |
@@ -134,7 +138,7 @@
| test.js:16:16:16:23 | endpoint | calleeApiName | lib2 |
| test.js:16:16:16:23 | endpoint | calleeImports | ? lib2 |
| test.js:16:16:16:23 | endpoint | calleeName | m |
| test.js:16:16:16:23 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() |
| test.js:16:16:16:23 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
| test.js:16:16:16:23 | endpoint | contextSurroundingFunctionParameters | () |
| test.js:16:16:16:23 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
| test.js:16:16:16:23 | endpoint | enclosingFunctionName | |
@@ -146,7 +150,7 @@
| test.js:17:15:17:22 | endpoint | calleeAccessPathWithStructuralInfo | lib1 member p instanceorreturn |
| test.js:17:15:17:22 | endpoint | calleeApiName | lib1 |
| test.js:17:15:17:22 | endpoint | calleeImports | lib1 |
| test.js:17:15:17:22 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() |
| test.js:17:15:17:22 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
| test.js:17:15:17:22 | endpoint | contextSurroundingFunctionParameters | () |
| test.js:17:15:17:22 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
| test.js:17:15:17:22 | endpoint | enclosingFunctionName | |
@@ -159,7 +163,7 @@
| test.js:18:27:18:34 | endpoint | calleeApiName | foo |
| test.js:18:27:18:34 | endpoint | calleeImports | foo |
| test.js:18:27:18:34 | endpoint | calleeName | baz |
| test.js:18:27:18:34 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() |
| test.js:18:27:18:34 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
| test.js:18:27:18:34 | endpoint | contextSurroundingFunctionParameters | () |
| test.js:18:27:18:34 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
| test.js:18:27:18:34 | endpoint | enclosingFunctionName | |
@@ -172,7 +176,7 @@
| test.js:20:13:20:20 | endpoint | calleeApiName | lib1 |
| test.js:20:13:20:20 | endpoint | calleeImports | lib1 |
| test.js:20:13:20:20 | endpoint | calleeName | bar |
| test.js:20:13:20:20 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() |
| test.js:20:13:20:20 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
| test.js:20:13:20:20 | endpoint | contextSurroundingFunctionParameters | () |
| test.js:20:13:20:20 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
| test.js:20:13:20:20 | endpoint | enclosingFunctionName | |
@@ -183,7 +187,7 @@
| test.js:22:21:22:28 | endpoint | calleeAccessPathWithStructuralInfo | lib3 instanceorreturn |
| test.js:22:21:22:28 | endpoint | calleeApiName | lib3 |
| test.js:22:21:22:28 | endpoint | calleeImports | ? lib2 lib3 |
| test.js:22:21:22:28 | endpoint | contextFunctionInterfacesInFile | f(?)\nfoo()\ng()\nm() |
| test.js:22:21:22:28 | endpoint | contextFunctionInterfaces | f(?)\nfoo()\ng()\nm() |
| test.js:22:21:22:28 | endpoint | contextSurroundingFunctionParameters | () |
| test.js:22:21:22:28 | endpoint | enclosingFunctionBody | f endpoint 12 f p endpoint f p q endpoint o m endpoint o m p endpoint o m p q endpoint F endpoint o m m m endpoint f endpoint o x m endpoint o m x p m endpoint p endpoint foo bar baz endpoint foo bar endpoint f f o m endpoint |
| test.js:22:21:22:28 | endpoint | enclosingFunctionName | |