JS: split UnsafeDynamicMethodAccess.qll

2026-04-28 02:05:14 +02:00 · 2019-07-04 08:47:53 +02:00
parent bb452bea45
commit ee6003655a
2 changed files with 77 additions and 59 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccess.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccess.qll
@@ -1,49 +1,18 @@
 /**
 * Provides a taint-tracking configuration for reasoning about method invocations
 * with a user-controlled method name on objects with unsafe methods.
+ *
+ * Note, for performance reasons: only import this file if
+ * `UnsafeDynamicMethodAccess::Configuration` is needed, otherwise
+ * `UnsafeDynamicMethodAccessCustomizations` should be imported instead.
 */

 import javascript
-import semmle.javascript.frameworks.Express
 import PropertyInjectionShared

 module UnsafeDynamicMethodAccess {
  private import DataFlow::FlowLabel
-
-  /**
-   * A data flow source for unsafe dynamic method access.
-   */
-  abstract class Source extends DataFlow::Node {
-    /**
-     * Gets the flow label relevant for this source.
-     */
-    DataFlow::FlowLabel getFlowLabel() { result = data() }
-  }
-
-  /**
-   * A data flow sink for unsafe dynamic method access.
-   */
-  abstract class Sink extends DataFlow::Node {
-    /**
-     * Gets the flow label relevant for this sink
-     */
-    abstract DataFlow::FlowLabel getFlowLabel();
-  }
-
-  /**
-   * A sanitizer for unsafe dynamic method access.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
-
-  /**
-   * Gets the flow label describing values that may refer to an unsafe
-   * function as a result of an attacker-controlled property name.
-   */
-  UnsafeFunction unsafeFunction() { any() }
-
-  private class UnsafeFunction extends DataFlow::FlowLabel {
-    UnsafeFunction() { this = "UnsafeFunction" }
-  }
+  import UnsafeDynamicMethodAccessCustomizations::UnsafeDynamicMethodAccess

  /**
   * A taint-tracking configuration for reasoning about unsafe dynamic method access.
@@ -98,27 +67,4 @@ module UnsafeDynamicMethodAccess {
      )
    }
  }
-
-  /**
-   * A source of remote user input, considered as a source for unsafe dynamic method access.
-   */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
-  }
-
-  /**
-   * The page URL considered as a flow source for unsafe dynamic method access.
-   */
-  class DocumentUrlAsSource extends Source {
-    DocumentUrlAsSource() { this = DOM::locationSource() }
-  }
-
-  /**
-   * A function invocation of an unsafe function, as a sink for remote unsafe dynamic method access.
-   */
-  class CalleeAsSink extends Sink {
-    CalleeAsSink() { this = any(DataFlow::InvokeNode node).getCalleeNode() }
-
-    override DataFlow::FlowLabel getFlowLabel() { result = unsafeFunction() }
-  }
 }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessCustomizations.qll
@@ -0,0 +1,72 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * method invocations with a user-controlled method name on objects
+ * with unsafe methods, as well as extension points for adding your
+ * own.
+ */
+
+import javascript
+import semmle.javascript.frameworks.Express
+import PropertyInjectionShared
+
+module UnsafeDynamicMethodAccess {
+  private import DataFlow::FlowLabel
+
+  /**
+   * A data flow source for unsafe dynamic method access.
+   */
+  abstract class Source extends DataFlow::Node {
+    /**
+     * Gets the flow label relevant for this source.
+     */
+    DataFlow::FlowLabel getFlowLabel() { result = data() }
+  }
+
+  /**
+   * A data flow sink for unsafe dynamic method access.
+   */
+  abstract class Sink extends DataFlow::Node {
+    /**
+     * Gets the flow label relevant for this sink
+     */
+    abstract DataFlow::FlowLabel getFlowLabel();
+  }
+
+  /**
+   * A sanitizer for unsafe dynamic method access.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * Gets the flow label describing values that may refer to an unsafe
+   * function as a result of an attacker-controlled property name.
+   */
+  UnsafeFunction unsafeFunction() { any() }
+
+  private class UnsafeFunction extends DataFlow::FlowLabel {
+    UnsafeFunction() { this = "UnsafeFunction" }
+  }
+
+  /**
+   * A source of remote user input, considered as a source for unsafe dynamic method access.
+   */
+  class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  }
+
+  /**
+   * The page URL considered as a flow source for unsafe dynamic method access.
+   */
+  class DocumentUrlAsSource extends Source {
+    DocumentUrlAsSource() { this = DOM::locationSource() }
+  }
+
+  /**
+   * A function invocation of an unsafe function, as a sink for remote unsafe dynamic method access.
+   */
+  class CalleeAsSink extends Sink {
+    CalleeAsSink() { this = any(DataFlow::InvokeNode node).getCalleeNode() }
+
+    override DataFlow::FlowLabel getFlowLabel() { result = unsafeFunction() }
+  }
+}