Add Flow Labels

This commit is contained in:
Maiky
2023-11-22 19:50:16 +01:00
parent acac534ed0
commit d661f7f482
3 changed files with 89 additions and 36 deletions


@@ -28,9 +28,28 @@ module CorsPermissiveConfiguration {
RemoteFlowSourceAsSource() { not this instanceof ClientSideRemoteFlowSource }
}
/** An overfly permissive value for `origin` */
class BadValues extends Source {
BadValues() { this.mayHaveBooleanValue(true) or this.asExpr() instanceof NullLiteral }
/** A flow label representing `true` and `null` values. */
abstract class TrueAndNull extends DataFlow::FlowLabel {
TrueAndNull() { this = "TrueAndNull" }
}
TrueAndNull truenullLabel() { any() }
/** A flow label representing `*` value. */
abstract class Wildcard extends DataFlow::FlowLabel {
Wildcard() { this = "Wildcard" }
}
Wildcard wildcardLabel() { any() }
/** An overly permissive value for `origin` (Apollo) */
class TrueNullValue extends Source {
TrueNullValue() { this.mayHaveBooleanValue(true) or this.asExpr() instanceof NullLiteral }
}
/** An overly permissive value for `origin` (Express) */
class WildcardValue extends Source {
WildcardValue() { this.mayHaveStringValue("*") }
}
/**
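Review bot: The new helper `truenullLabel()` breaks the casing used by its sibling `wildcardLabel()` and by the class it returns (`TrueAndNull`); `trueNullLabel()` would keep the naming consistent, and the configuration in the second file is the only other place that references it, so the rename is cheap now. Both helpers are public and have no QLDoc, while the classes next to them do; I would add `/** Gets the flow label representing `true` and `null` values. */` above `truenullLabel()` and `/** Gets the flow label representing the `*` value. */` above `wildcardLabel()`. The two label classes are `abstract`, so they are empty until a concrete subclass activates them (the private `*Activated` classes in the configuration file appear to do this); a short comment on each abstract class saying that it must be activated by a concrete subclass would spare the next reader the search. One coverage point to confirm rather than a defect I can show from the page: `TrueNullValue` is documented as Apollo-only, so if Express's cors also treats `origin: true` as reflecting any requesting origin, that case would not be labelled for `ExpressCors` sinks; worth checking against the cors package documentation before this lands.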


@@ -17,12 +17,30 @@ import CorsPermissiveConfigurationCustomizations::CorsPermissiveConfiguration
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "CorsPermissiveConfiguration" }
override predicate isSource(DataFlow::Node source) { source instanceof Source }
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
source instanceof TrueNullValue and label = truenullLabel()
or
source instanceof WildcardValue and label = wildcardLabel()
or
source instanceof RemoteFlowSource and label = DataFlow::FlowLabel::taint()
}
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
sink instanceof CorsApolloServer and label = [DataFlow::FlowLabel::taint(), truenullLabel()]
or
sink instanceof ExpressCors and label = [DataFlow::FlowLabel::taint(), wildcardLabel()]
}
override predicate isSanitizer(DataFlow::Node node) {
super.isSanitizer(node) or
node instanceof Sanitizer
}
}
private class WildcardActivated extends DataFlow::FlowLabel, Wildcard {
WildcardActivated() { this = this }
}
private class TrueAndNullActivated extends DataFlow::FlowLabel, TrueAndNull {
TrueAndNullActivated() { this = this }
}