From f423d312b52d7ebcef0986a4e4bbfedd84a9a488 Mon Sep 17 00:00:00 2001
From: annarailton
Date: Mon, 28 Feb 2022 15:45:31 +0000
Subject: [PATCH] Add boosted and unboosted evaluation versions of `StoredXss` and `XssThroughDom`
---
 .../modelbuilding/evaluation/StoredXss.ql | 26 +++++++++++++++++
 .../modelbuilding/evaluation/StoredXssATM.ql | 28 +++++++++++++++++++
 .../modelbuilding/evaluation/XssThroughDom.ql | 26 +++++++++++++++++
 .../evaluation/XssThroughDomATM.ql | 28 +++++++++++++++++++
 4 files changed, 108 insertions(+)
 create mode 100644 javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/StoredXss.ql
 create mode 100644 javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/StoredXssATM.ql
 create mode 100644 javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/XssThroughDom.ql
 create mode 100644 javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/XssThroughDomATM.ql
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/StoredXss.ql b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/StoredXss.ql
new file mode 100644
index 00000000000..40d82c29ffc
--- /dev/null
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/StoredXss.ql
@@ -0,0 +1,26 @@
+/**
+ * Xss.ql
+ *
+ * Version of the standard stored XSS query with an output relation ready to plug into the evaluation
+ * pipeline.
+ *
+ * Standard query: javascript/ql/src/Security/CWE-079/StoredXss.ql
+ */
+
+import semmle.javascript.security.dataflow.StoredXssQuery
+import EndToEndEvaluation as EndToEndEvaluation
+
+from
+ DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
+ int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
+ int startLineSource, int endLineSource, int startColumnSource, int endColumnSource
+where
+ cfg instanceof StoredXssQuery::Configuration and
+ cfg.hasFlow(source, sink) and
+ not EndToEndEvaluation::isFlowExcluded(source, sink) and
+ sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
+ source
+ .hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
+ endColumnSource)
+select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
+ sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/StoredXssATM.ql b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/StoredXssATM.ql
new file mode 100644
index 00000000000..aca1a5e80d1
--- /dev/null
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/StoredXssATM.ql
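Review bot: The header comment's first line names the file `Xss.ql`, but this file is `StoredXss.ql`; the same copy-paste slip appears in the StoredXssATM.ql and XssThroughDomATM.ql hunks, whose headers both read `XssATM.ql`. Rename each to match its file, e.g. ` * StoredXss.ql`, so a reader searching for the evaluation query finds the right one. The boosted headers could also carry a `Boosted query:` line naming the ATM library module they import, mirroring the `Standard query:` line used here.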
@@ -0,0 +1,28 @@
+/**
+ * XssATM.ql
+ *
+ * Version of the boosted stored XSS query with an output relation ready to plug into the evaluation
+ * pipeline.
+ */
+
+import ATM::ResultsInfo
+import EndToEndEvaluation as EndToEndEvaluation
+import experimental.adaptivethreatmodeling.StoredXssATM
+
+from
+ DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
+ int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
+ int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
+where
+ cfg.hasFlow(source, sink) and
+ not EndToEndEvaluation::isFlowExcluded(source, sink) and
+ not isFlowLikelyInBaseQuery(source, sink) and
+ sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
+ source
+ .hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
+ endColumnSource) and
+ getScoreForFlow(source, sink) = score
+select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
+ sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
+ score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
+ startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/XssThroughDom.ql b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/XssThroughDom.ql
new file mode 100644
index 00000000000..20dd236adcb
--- /dev/null
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/XssThroughDom.ql
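Review bot: The `where` clause never constrains `cfg` with `instanceof`, so `cfg.hasFlow(source, sink)` ranges over every `DataFlow::Configuration` the imports bring into scope, unlike the unboosted StoredXss.ql hunk, which pins `cfg instanceof StoredXssQuery::Configuration`. If `experimental.adaptivethreatmodeling.StoredXssATM` or `ATM::ResultsInfo` transitively imports the standard configuration, base-query flows get scored alongside boosted ones and `not isFlowLikelyInBaseQuery` is the only thing keeping them out of the evaluation set. Add a guard on the boosted configuration class exported by that module as the first conjunct, e.g. `cfg instanceof <ATM configuration class> and`; the same applies to the XssThroughDomATM.ql hunk.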
@@ -0,0 +1,26 @@
+/**
+ * XssThroughDom.ql
+ *
+ * Version of the standard XSS through DOM query with an output relation ready to plug into the evaluation
+ * pipeline.
+ *
+ * Standard query: javascript/ql/src/Security/CWE-079/XssThroughDom.ql
+ */
+
+import semmle.javascript.security.dataflow.XssThroughDomQuery
+import EndToEndEvaluation as EndToEndEvaluation
+
+from
+ DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
+ int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
+ int startLineSource, int endLineSource, int startColumnSource, int endColumnSource
+where
+ cfg instanceof XssThroughDomQuery::Configuration and
+ cfg.hasFlow(source, sink) and
+ not EndToEndEvaluation::isFlowExcluded(source, sink) and
+ sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
+ source
+ .hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
+ endColumnSource)
+select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
+ sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/XssThroughDomATM.ql b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/XssThroughDomATM.ql
new file mode 100644
index 00000000000..65792453f10
--- /dev/null
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/XssThroughDomATM.ql
@@ -0,0 +1,28 @@
+/**
+ * XssATM.ql
+ *
+ * Version of the boosted XSS through DOM query with an output relation ready to plug into the evaluation
+ * pipeline.
+ */
+
+import ATM::ResultsInfo
+import EndToEndEvaluation as EndToEndEvaluation
+import experimental.adaptivethreatmodeling.XssThroughDom
+
+from
+ DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink, string filePathSink,
+ int startLineSink, int endLineSink, int startColumnSink, int endColumnSink, string filePathSource,
+ int startLineSource, int endLineSource, int startColumnSource, int endColumnSource, float score
+where
+ cfg.hasFlow(source, sink) and
+ not EndToEndEvaluation::isFlowExcluded(source, sink) and
+ not isFlowLikelyInBaseQuery(source, sink) and
+ sink.hasLocationInfo(filePathSink, startLineSink, startColumnSink, endLineSink, endColumnSink) and
+ source
+ .hasLocationInfo(filePathSource, startLineSource, startColumnSource, endLineSource,
+ endColumnSource) and
+ getScoreForFlow(source, sink) = score
+select source, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
+ sink, startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink, score order by
+ score desc, startLineSource, startColumnSource, endLineSource, endColumnSource, filePathSource,
+ startLineSink, startColumnSink, endLineSink, endColumnSink, filePathSink
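Review bot: The library import on this hunk is `experimental.adaptivethreatmodeling.XssThroughDom`, while the parallel StoredXssATM.ql hunk imports `experimental.adaptivethreatmodeling.StoredXssATM`, so one of the two naming schemes is presumably wrong. If this name resolves to a non-ATM module, `isFlowLikelyInBaseQuery` and `getScoreForFlow` from `ATM::ResultsInfo` would be scoring flows from a configuration other than the boosted one, and the unconstrained `cfg` in the `where` clause would not catch it. Confirm the boosted library's actual module name and align the import with the `StoredXssATM` pattern. The header comment on the second line of the file also reads `XssATM.ql` rather than `XssThroughDomATM.ql`.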