Changed to more-modern Dataflow libraries

2026-04-26 17:25:19 +02:00 · 2024-06-19 10:11:06 +01:00
parent 81ef255a87
commit f4691b1919
1 changed files with 5 additions and 3 deletions
--- a/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
+++ b/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
@@ -13,16 +13,18 @@

 import semmle.javascript.frameworks.ExpressModules

-class HelmetProperty extends Property {
+class HelmetProperty extends DataFlow::Node instanceof DataFlow::PropWrite {
  ExpressLibraries::HelmetRouteHandler helmet;

  HelmetProperty() {
-    helmet.(DataFlow::CallNode).getAnArgument().asExpr().(ObjectExpr).getAProperty() = this
+    this = helmet.(DataFlow::CallNode).getAnArgument().getALocalSource().getAPropertyWrite()
  }

  ExpressLibraries::HelmetRouteHandler getHelmet() { result = helmet }

-  predicate isFalse() { this.getInit().(BooleanLiteral).getBoolValue() = false }
+  predicate isFalse() { DataFlow::PropWrite.super.getRhs().mayHaveBooleanValue(true) }
+
+  string getName() { result = DataFlow::PropWrite.super.getPropertyName() }

  predicate isImportantSecuritySetting() {
    this.getName() in ["frameguard", "contentSecurityPolicy"]