mirror of
https://github.com/github/codeql.git
synced 2026-04-27 09:45:15 +02:00
JS: Autoformat
This commit is contained in:
Asger Feldthaus
@@ -313,26 +313,26 @@ module TaintTracking {
|
||||
cached
|
||||
private module Cached {
|
||||
/**
|
||||
* Holds if `pred` → `succ` should be considered a taint-propagating
|
||||
* data flow edge, which doesn't fit into a more specific category.
|
||||
*/
|
||||
* Holds if `pred` → `succ` should be considered a taint-propagating
|
||||
* data flow edge, which doesn't fit into a more specific category.
|
||||
*/
|
||||
cached
|
||||
predicate genericStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
any(SharedTaintStep step).step(pred, succ)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `pred` → `succ` should be considered a taint-propagating
|
||||
* data flow edge, contribued by the heuristics library.
|
||||
*/
|
||||
* Holds if `pred` → `succ` should be considered a taint-propagating
|
||||
* data flow edge, contribued by the heuristics library.
|
||||
*/
|
||||
cached
|
||||
predicate heuristicStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
any(SharedTaintStep step).heuristicStep(pred, succ)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `pred -> succ` is an edge contributed by an `AdditionalTaintStep` instance.
|
||||
*/
|
||||
* Holds if `pred -> succ` is an edge contributed by an `AdditionalTaintStep` instance.
|
||||
*/
|
||||
cached
|
||||
predicate legacyAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
any(AdditionalTaintStep step).step(pred, succ)
|
||||
@@ -344,96 +344,97 @@ module TaintTracking {
|
||||
cached
|
||||
module Public {
|
||||
/**
|
||||
* Holds if `pred` → `succ` should be considered a taint-propagating
|
||||
* data flow edge through a URI library function.
|
||||
*/
|
||||
* Holds if `pred` → `succ` should be considered a taint-propagating
|
||||
* data flow edge through a URI library function.
|
||||
*/
|
||||
cached
|
||||
predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
any(SharedTaintStep step).uriStep(pred, succ)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `pred -> succ` is a taint propagating data flow edge through persistent storage.
|
||||
*/
|
||||
* Holds if `pred -> succ` is a taint propagating data flow edge through persistent storage.
|
||||
*/
|
||||
cached
|
||||
predicate persistentStorageStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
any(SharedTaintStep step).persistentStorageStep(pred, succ)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `pred -> succ` is a taint propagating data flow edge through the heap.
|
||||
*/
|
||||
* Holds if `pred -> succ` is a taint propagating data flow edge through the heap.
|
||||
*/
|
||||
cached
|
||||
predicate heapStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
any(SharedTaintStep step).heapStep(pred, succ)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `pred -> succ` is a taint propagating data flow edge through an array.
|
||||
*/
|
||||
* Holds if `pred -> succ` is a taint propagating data flow edge through an array.
|
||||
*/
|
||||
cached
|
||||
predicate arrayStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
any(SharedTaintStep step).arrayStep(pred, succ)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `pred -> succ` is a taint propagating data flow edge through the
|
||||
* properties of a view compenent, such as the `state` or `props` of a React component.
|
||||
*/
|
||||
* Holds if `pred -> succ` is a taint propagating data flow edge through the
|
||||
* properties of a view compenent, such as the `state` or `props` of a React component.
|
||||
*/
|
||||
cached
|
||||
predicate viewComponentStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
any(SharedTaintStep step).viewComponentStep(pred, succ)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `pred -> succ` is a taint propagating data flow edge through string
|
||||
* concatenation.
|
||||
*/
|
||||
* Holds if `pred -> succ` is a taint propagating data flow edge through string
|
||||
* concatenation.
|
||||
*/
|
||||
cached
|
||||
predicate stringConcatenationStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
any(SharedTaintStep step).stringConcatenationStep(pred, succ)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `pred -> succ` is a taint propagating data flow edge through string manipulation
|
||||
* (other than concatenation).
|
||||
*/
|
||||
* Holds if `pred -> succ` is a taint propagating data flow edge through string manipulation
|
||||
* (other than concatenation).
|
||||
*/
|
||||
cached
|
||||
predicate stringManipulationStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
any(SharedTaintStep step).stringManipulationStep(pred, succ)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `pred` → `succ` should be considered a taint-propagating
|
||||
* data flow edge through data serialization, such as `JSON.stringify`.
|
||||
*/
|
||||
* Holds if `pred` → `succ` should be considered a taint-propagating
|
||||
* data flow edge through data serialization, such as `JSON.stringify`.
|
||||
*/
|
||||
cached
|
||||
predicate serializeStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
any(SharedTaintStep step).serializeStep(pred, succ)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `pred` → `succ` should be considered a taint-propagating
|
||||
* data flow edge through data deserialization, such as `JSON.parse`.
|
||||
*/
|
||||
* Holds if `pred` → `succ` should be considered a taint-propagating
|
||||
* data flow edge through data deserialization, such as `JSON.parse`.
|
||||
*/
|
||||
cached
|
||||
predicate deserializeStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
any(SharedTaintStep step).deserializeStep(pred, succ)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `pred` → `succ` should be considered a taint-propagating
|
||||
* data flow edge through a promise.
|
||||
*
|
||||
* These steps consider a promise object to tainted if it can resolve to
|
||||
* a tainted value.
|
||||
*/
|
||||
* Holds if `pred` → `succ` should be considered a taint-propagating
|
||||
* data flow edge through a promise.
|
||||
*
|
||||
* These steps consider a promise object to tainted if it can resolve to
|
||||
* a tainted value.
|
||||
*/
|
||||
cached
|
||||
predicate promiseStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
any(SharedTaintStep step).promiseStep(pred, succ)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
import Cached::Public
|
||||
|
||||
/**
|
||||
|
||||
@@ -168,12 +168,14 @@ module AsyncPackage {
|
||||
*/
|
||||
private class IterationOutputTaintStep extends TaintTracking::SharedTaintStep {
|
||||
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
exists(DataFlow::FunctionNode iteratee, DataFlow::FunctionNode final, int i, IterationCall call |
|
||||
exists(
|
||||
DataFlow::FunctionNode iteratee, DataFlow::FunctionNode final, int i, IterationCall call
|
||||
|
|
||||
iteratee = call.getIteratorCallback().getALocalSource() and
|
||||
final = call.getFinalCallback() and // Require a closure to avoid spurious call/return mismatch.
|
||||
pred = getLastParameter(iteratee).getACall().getArgument(i) and
|
||||
succ = final.getParameter(i) and
|
||||
exists (string name | name = call.getName() |
|
||||
exists(string name | name = call.getName() |
|
||||
name = "concat" or
|
||||
name = "map" or
|
||||
name = "reduce" or
|
||||
|
||||
@@ -9,7 +9,8 @@ import javascript
|
||||
*
|
||||
* A taint propagating data flow edge arising from an operation in a URI library.
|
||||
*/
|
||||
deprecated abstract class UriLibraryStep extends DataFlow::ValueNode, TaintTracking::AdditionalTaintStep { }
|
||||
abstract deprecated class UriLibraryStep extends DataFlow::ValueNode,
|
||||
TaintTracking::AdditionalTaintStep { }
|
||||
|
||||
/**
|
||||
* Provides classes for working with [urijs](http://medialize.github.io/URI.js/) code.
|
||||
@@ -298,7 +299,9 @@ private module ClosureLibraryUri {
|
||||
*/
|
||||
private class ArgumentStep extends TaintTracking::SharedTaintStep {
|
||||
override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
exists(DataFlow::InvokeNode invoke, int arg | pred = invoke.getArgument(arg) and succ = invoke |
|
||||
exists(DataFlow::InvokeNode invoke, int arg |
|
||||
pred = invoke.getArgument(arg) and succ = invoke
|
||||
|
|
||||
// goog.Uri constructor
|
||||
invoke = Closure::moduleImport("goog.Uri").getAnInstantiation() and arg = 0
|
||||
or
|
||||
|
||||
@@ -12,9 +12,7 @@ import javascript
|
||||
* The target of a heuristic additional flow step in a security query.
|
||||
*/
|
||||
deprecated class HeuristicAdditionalTaintStep extends DataFlow::Node {
|
||||
HeuristicAdditionalTaintStep() {
|
||||
any(TaintTracking::SharedTaintStep step).heuristicStep(_, this)
|
||||
}
|
||||
HeuristicAdditionalTaintStep() { any(TaintTracking::SharedTaintStep step).heuristicStep(_, this) }
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -338,7 +338,7 @@ module DomBasedXss {
|
||||
/**
|
||||
* A Vue `v-html` attribute, viewed as an XSS sink.
|
||||
*/
|
||||
class VHtmlSink extends Vue::VHtmlAttribute, DomBasedXss::Sink {}
|
||||
class VHtmlSink extends Vue::VHtmlAttribute, DomBasedXss::Sink { }
|
||||
|
||||
/**
|
||||
* A property read from a safe property is considered a sanitizer.
|
||||
|
||||
Reference in New Issue
Block a user