From da3826f85a7e4ef4614c2a15fe88ac8b2ebd01f7 Mon Sep 17 00:00:00 2001
From: annarailton
Date: Mon, 28 Feb 2022 15:34:48 +0000
Subject: [PATCH] Add ATMLite versions of `StoredXss` and `XssThroughDom`
---
.../evaluation/StoredXssATMLite.ql | 30 +++++++++++++++++++
.../evaluation/XssThroughDomATMLite.ql | 30 +++++++++++++++++++
2 files changed, 60 insertions(+)
create mode 100644 javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/StoredXssATMLite.ql
create mode 100644 javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/XssThroughDomATMLite.ql
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/StoredXssATMLite.ql b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/StoredXssATMLite.ql
new file mode 100644
index 00000000000..ae777f820a1
--- /dev/null
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/StoredXssATMLite.ql
@@ -0,0 +1,30 @@
+/**
+ * XssATMLite.ql
+ *
+ * Arbitrarily ranked version of the boosted XSS query with an output relation ready to plug into
+ * the evaluation pipeline. This is useful (a) for evaluating the performance of endpoint filters,
+ * and (b) as a baseline to compare the model against.
+ */
+
+import javascript
+import ATM::ResultsInfo
+import EndToEndEvaluation as EndToEndEvaluation
+import experimental.adaptivethreatmodeling.StoredXssATM
+
+from
+ DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
+ int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
+ int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
+where
+ cfg.hasFlow(source, sink) and
+ not EndToEndEvaluation::isFlowExcluded(source, sink) and
+ not isFlowLikelyInBaseQuery(source, sink) and
+ sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
+ source
+ .hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
+ endColumnSource) and
+ score = 0
+select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
+ sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
+ score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
+ startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/XssThroughDomATMLite.ql b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/XssThroughDomATMLite.ql
new file mode 100644
index 00000000000..a679666ef22
--- /dev/null
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/XssThroughDomATMLite.ql
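Review bot: `DataFlow::Configuration cfg` in the `from` clause is typed as the base class, so `cfg.hasFlow(source, sink)` holds for every data-flow configuration the imports bring into scope, not only the one from `experimental.adaptivethreatmodeling.StoredXssATM`. If any other configuration is reachable through `import javascript` or the ATM libraries (not visible in this patch), its flows would be emitted as stored-XSS baseline rows and skew the endpoint-filter evaluation. At minimum I would add a comment above the clause, e.g. `// cfg is expected to match only the StoredXssATM configuration; confirm no other DataFlow::Configuration is imported`, or declare `cfg` with the specific configuration type that library exports. The same clause appears in XssThroughDomATMLite.ql.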
@@ -0,0 +1,30 @@
+/**
+ * XssATMLite.ql
+ *
+ * Arbitrarily ranked version of the boosted XSS query with an output relation ready to plug into
+ * the evaluation pipeline. This is useful (a) for evaluating the performance of endpoint filters,
+ * and (b) as a baseline to compare the model against.
+ */
+
+import javascript
+import ATM::ResultsInfo
+import EndToEndEvaluation as EndToEndEvaluation
+import experimental.adaptivethreatmodeling.XssThroughDomATM
+
+from
+ DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
+ int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
+ int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
+where
+ cfg.hasFlow(source, sink) and
+ not EndToEndEvaluation::isFlowExcluded(source, sink) and
+ not isFlowLikelyInBaseQuery(source, sink) and
+ sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
+ source
+ .hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
+ endColumnSource) and
+ score = 0
+select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
+ sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
+ score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
+ startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink
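Review bot: The header comment still names `XssATMLite.ql` and describes "the boosted XSS query", which looks carried over from the query this file was modelled on. These outputs feed the evaluation pipeline, so a reader tracing a result set back to its query would be pointed at the wrong file. I would change the first two text lines to `XssThroughDomATMLite.ql` and `Arbitrarily ranked version of the boosted XSS-through-DOM query ...`. StoredXssATMLite.ql carries the same stale header and needs its own name there. The comment could also say that `score = 0` is a constant, so `order by score desc` contributes nothing and the ordering comes only from the location columns.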