Add ATMLite versions of StoredXss and XssThroughDom

2026-05-27 17:41:24 +02:00 · 2022-02-28 15:34:48 +00:00
parent 66ea3a1548
commit da3826f85a
2 changed files with 60 additions and 0 deletions
--- a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/StoredXssATMLite.ql
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/StoredXssATMLite.ql
@@ -0,0 +1,30 @@
+/**
+ * XssATMLite.ql
+ *
+ * Arbitrarily ranked version of the boosted XSS query with an output relation ready to plug into
+ * the evaluation pipeline. This is useful (a) for evaluating the performance of endpoint filters,
+ * and (b) as a baseline to compare the model against.
+ */
+
+import javascript
+import ATM::ResultsInfo
+import EndToEndEvaluation as EndToEndEvaluation
+import experimental.adaptivethreatmodeling.StoredXssATM
+
+from
+  DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
+  int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
+  int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
+where
+  cfg.hasFlow(source, sink) and
+  not EndToEndEvaluation::isFlowExcluded(source, sink) and
+  not isFlowLikelyInBaseQuery(source, sink) and
+  sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
+  source
+      .hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
+        endColumnSource) and
+  score = 0
+select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
+  sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
+    score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
+    startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink
--- a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/XssThroughDomATMLite.ql
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/XssThroughDomATMLite.ql
@@ -0,0 +1,30 @@
+/**
+ * XssATMLite.ql
+ *
+ * Arbitrarily ranked version of the boosted XSS query with an output relation ready to plug into
+ * the evaluation pipeline. This is useful (a) for evaluating the performance of endpoint filters,
+ * and (b) as a baseline to compare the model against.
+ */
+
+import javascript
+import ATM::ResultsInfo
+import EndToEndEvaluation as EndToEndEvaluation
+import experimental.adaptivethreatmodeling.XssThroughDomATM
+
+from
+  DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
+  int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
+  int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
+where
+  cfg.hasFlow(source, sink) and
+  not EndToEndEvaluation::isFlowExcluded(source, sink) and
+  not isFlowLikelyInBaseQuery(source, sink) and
+  sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
+  source
+      .hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
+        endColumnSource) and
+  score = 0
+select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
+  sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
+    score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
+    startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink