JS: Migrate CorsPermissiveConfiguration

2026-04-23 15:55:18 +02:00 · 2024-12-13 12:39:50 +01:00
parent d83ddfabaa
commit ebe596f227
2 changed files with 56 additions and 16 deletions
--- a/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationCustomizations.qll
+++ b/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationCustomizations.qll
@@ -10,6 +10,45 @@ import Apollo::Apollo

 /** Module containing sources, sinks, and sanitizers for overly permissive CORS configurations. */
 module CorsPermissiveConfiguration {
+  private newtype TFlowState =
+    TTaint() or
+    TTrueOrNull() or
+    TWildcard()
+
+  /** A flow state to asociate with a tracked value. */
+  class FlowState extends TFlowState {
+    /** Gets a string representation of this flow state. */
+    string toString() {
+      this = TTaint() and result = "taint"
+      or
+      this = TTrueOrNull() and result = "true-or-null"
+      or
+      this = TWildcard() and result = "wildcard"
+    }
+
+    deprecated DataFlow::FlowLabel toFlowLabel() {
+      this = TTaint() and result.isTaint()
+      or
+      this = TTrueOrNull() and result instanceof TrueAndNull
+      or
+      this = TWildcard() and result instanceof Wildcard
+    }
+  }
+
+  /** Predicates for working with flow states. */
+  module FlowState {
+    deprecated FlowState fromFlowLabel(DataFlow::FlowLabel label) { result.toFlowLabel() = label }
+
+    /** A tainted value. */
+    FlowState taint() { result = TTaint() }
+
+    /** A `true` or `null` value. */
+    FlowState trueOrNull() { result = TTrueOrNull() }
+
+    /** A `"*"` value. */
+    FlowState wildcard() { result = TWildcard() }
+  }
+
  /**
   * A data flow source for permissive CORS configuration.
   */
@@ -38,18 +77,18 @@ module CorsPermissiveConfiguration {
  }

  /** A flow label representing `true` and `null` values. */
-  abstract class TrueAndNull extends DataFlow::FlowLabel {
+  abstract deprecated class TrueAndNull extends DataFlow::FlowLabel {
    TrueAndNull() { this = "TrueAndNull" }
  }

-  TrueAndNull truenullLabel() { any() }
+  deprecated TrueAndNull truenullLabel() { any() }

  /** A flow label representing `*` value. */
-  abstract class Wildcard extends DataFlow::FlowLabel {
+  abstract deprecated class Wildcard extends DataFlow::FlowLabel {
    Wildcard() { this = "Wildcard" }
  }

-  Wildcard wildcardLabel() { any() }
+  deprecated Wildcard wildcardLabel() { any() }

  /** An overly permissive value for `origin` (Apollo) */
  class TrueNullValue extends Source {
--- a/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationQuery.qll
+++ b/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationQuery.qll
@@ -10,25 +10,26 @@

 import javascript
 import CorsPermissiveConfigurationCustomizations::CorsPermissiveConfiguration
+private import CorsPermissiveConfigurationCustomizations::CorsPermissiveConfiguration as CorsPermissiveConfiguration

 /**
 * A data flow configuration for overly permissive CORS configuration.
 */
 module CorsPermissiveConfigurationConfig implements DataFlow::StateConfigSig {
-  class FlowState = DataFlow::FlowLabel;
+  class FlowState = CorsPermissiveConfiguration::FlowState;

-  predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-    source instanceof TrueNullValue and label = truenullLabel()
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    source instanceof TrueNullValue and state = FlowState::trueOrNull()
    or
-    source instanceof WildcardValue and label = wildcardLabel()
+    source instanceof WildcardValue and state = FlowState::wildcard()
    or
-    source instanceof RemoteFlowSource and label = DataFlow::FlowLabel::taint()
+    source instanceof RemoteFlowSource and state = FlowState::taint()
  }

-  predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-    sink instanceof CorsApolloServer and label = [DataFlow::FlowLabel::taint(), truenullLabel()]
+  predicate isSink(DataFlow::Node sink, FlowState state) {
+    sink instanceof CorsApolloServer and state = [FlowState::taint(), FlowState::trueOrNull()]
    or
-    sink instanceof ExpressCors and label = [DataFlow::FlowLabel::taint(), wildcardLabel()]
+    sink instanceof ExpressCors and state = [FlowState::taint(), FlowState::wildcard()]
  }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
@@ -44,11 +45,11 @@ deprecated class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "CorsPermissiveConfiguration" }

  override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-    CorsPermissiveConfigurationConfig::isSource(source, label)
+    CorsPermissiveConfigurationConfig::isSource(source, FlowState::fromFlowLabel(label))
  }

  override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-    CorsPermissiveConfigurationConfig::isSink(sink, label)
+    CorsPermissiveConfigurationConfig::isSink(sink, FlowState::fromFlowLabel(label))
  }

  override predicate isSanitizer(DataFlow::Node node) {
@@ -57,10 +58,10 @@ deprecated class Configuration extends TaintTracking::Configuration {
  }
 }

-private class WildcardActivated extends DataFlow::FlowLabel, Wildcard {
+deprecated private class WildcardActivated extends DataFlow::FlowLabel, Wildcard {
  WildcardActivated() { this = this }
 }

-private class TrueAndNullActivated extends DataFlow::FlowLabel, TrueAndNull {
+deprecated private class TrueAndNullActivated extends DataFlow::FlowLabel, TrueAndNull {
  TrueAndNullActivated() { this = this }
 }