JS: Migrate to *Query.qll convention
@@ -9,7 +9,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.ExternalAPIUsedWithUntrustedData::ExternalAPIUsedWithUntrustedData
|
||||
import semmle.javascript.security.dataflow.ExternalAPIUsedWithUntrustedDataQuery
|
||||
|
||||
from ExternalAPIUsedWithUntrustedData externalAPI
|
||||
select externalAPI, count(externalAPI.getUntrustedDataNode()) as numberOfUses,
|
||||
|
||||
@@ -10,7 +10,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.ExternalAPIUsedWithUntrustedData::ExternalAPIUsedWithUntrustedData
|
||||
import semmle.javascript.security.dataflow.ExternalAPIUsedWithUntrustedDataQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -16,7 +16,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.TaintedPath::TaintedPath
|
||||
import semmle.javascript.security.dataflow.TaintedPathQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.ZipSlip::ZipSlip
|
||||
import semmle.javascript.security.dataflow.ZipSlipQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
|
||||
import javascript
|
||||
import DataFlow::PathGraph
|
||||
import semmle.javascript.security.dataflow.TemplateObjectInjection::TemplateObjectInjection
|
||||
import semmle.javascript.security.dataflow.TemplateObjectInjectionQuery
|
||||
|
||||
from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasFlowPath(source, sink)
|
||||
|
||||
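Review bot: The `from DataFlow::Configuration cfg` line binds `cfg` to every `DataFlow::Configuration` subclass that happens to be in scope, not only the `Configuration` that `TemplateObjectInjectionQuery` now exports at top level, so the `where cfg.hasFlowPath(source, sink)` clause would also report paths from any other configuration a transitive import brings in. The other queries touched by this commit use the specific class (`from Configuration cfg, ...`); for consistency and to keep results bound to this query's sources and sinks, change the line to `from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink`. The `select` of this query continues outside the hunk.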
@@ -14,7 +14,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.CommandInjection::CommandInjection
|
||||
import semmle.javascript.security.dataflow.CommandInjectionQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from
|
||||
|
||||
@@ -16,7 +16,7 @@
|
||||
|
||||
import javascript
|
||||
import DataFlow::PathGraph
|
||||
import semmle.javascript.security.dataflow.IndirectCommandInjection::IndirectCommandInjection
|
||||
import semmle.javascript.security.dataflow.IndirectCommandInjectionQuery
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node highlight
|
||||
where
|
||||
|
||||
@@ -15,7 +15,7 @@
|
||||
|
||||
import javascript
|
||||
import DataFlow::PathGraph
|
||||
import semmle.javascript.security.dataflow.ShellCommandInjectionFromEnvironment::ShellCommandInjectionFromEnvironment
|
||||
import semmle.javascript.security.dataflow.ShellCommandInjectionFromEnvironmentQuery
|
||||
|
||||
from
|
||||
Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node highlight,
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.UnsafeShellCommandConstruction::UnsafeShellCommandConstruction
|
||||
import semmle.javascript.security.dataflow.UnsafeShellCommandConstructionQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.ExceptionXss::ExceptionXss
|
||||
import semmle.javascript.security.dataflow.ExceptionXssQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.ReflectedXss::ReflectedXss
|
||||
import semmle.javascript.security.dataflow.ReflectedXssQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.StoredXss::StoredXss
|
||||
import semmle.javascript.security.dataflow.StoredXssQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
|
||||
import javascript
|
||||
import DataFlow::PathGraph
|
||||
import semmle.javascript.security.dataflow.UnsafeHtmlConstruction::UnsafeHtmlConstruction
|
||||
import semmle.javascript.security.dataflow.UnsafeHtmlConstructionQuery
|
||||
|
||||
from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode
|
||||
where cfg.hasFlowPath(source, sink) and sink.getNode() = sinkNode
|
||||
|
||||
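Review bot: `from DataFlow::Configuration cfg` on the `from` line matches every configuration class in scope rather than the `Configuration` that `UnsafeHtmlConstructionQuery` now provides, while `Sink sinkNode` on the same line is already the query-specific class; if a transitive import ever brings another `DataFlow::Configuration` into scope, `cfg.hasFlowPath(source, sink)` would report its paths under this query's message. Narrowing it to `from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode` matches the form used by the sibling queries in this commit. The `select` is outside the hunk.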
@@ -13,7 +13,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.UnsafeJQueryPlugin::UnsafeJQueryPlugin
|
||||
import semmle.javascript.security.dataflow.UnsafeJQueryPluginQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.DomBasedXss::DomBasedXss
|
||||
import semmle.javascript.security.dataflow.DomBasedXssQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.XssThroughDom::XssThroughDom
|
||||
import semmle.javascript.security.dataflow.XssThroughDomQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.CodeInjection::CodeInjection
|
||||
import semmle.javascript.security.dataflow.CodeInjectionQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.ImproperCodeSanitization::ImproperCodeSanitization
|
||||
import semmle.javascript.security.dataflow.ImproperCodeSanitizationQuery
|
||||
import DataFlow::PathGraph
|
||||
private import semmle.javascript.heuristics.HeuristicSinks
|
||||
private import semmle.javascript.security.dataflow.CodeInjectionCustomizations
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.UnsafeDynamicMethodAccess::UnsafeDynamicMethodAccess
|
||||
import semmle.javascript.security.dataflow.UnsafeDynamicMethodAccessQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -16,7 +16,7 @@
|
||||
|
||||
import javascript
|
||||
import DataFlow::PathGraph
|
||||
import semmle.javascript.security.dataflow.IncompleteHtmlAttributeSanitization::IncompleteHtmlAttributeSanitization
|
||||
import semmle.javascript.security.dataflow.IncompleteHtmlAttributeSanitizationQuery
|
||||
import semmle.javascript.security.IncompleteBlacklistSanitizer
|
||||
|
||||
/**
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
|
||||
import javascript
|
||||
import DataFlow::PathGraph
|
||||
import semmle.javascript.security.dataflow.LogInjection::LogInjection
|
||||
import semmle.javascript.security.dataflow.LogInjectionQuery
|
||||
|
||||
from LogInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where config.hasFlowPath(source, sink)
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.TaintedFormatString::TaintedFormatString
|
||||
import semmle.javascript.security.dataflow.TaintedFormatStringQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.FileAccessToHttp::FileAccessToHttp
|
||||
import semmle.javascript.security.dataflow.FileAccessToHttpQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.PostMessageStar::PostMessageStar
|
||||
import semmle.javascript.security.dataflow.PostMessageStarQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.StackTraceExposure::StackTraceExposure
|
||||
import semmle.javascript.security.dataflow.StackTraceExposureQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.BuildArtifactLeak::BuildArtifactLeak
|
||||
import semmle.javascript.security.dataflow.BuildArtifactLeakQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.CleartextLogging::CleartextLogging
|
||||
import semmle.javascript.security.dataflow.CleartextLoggingQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
/**
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.CleartextStorage::CleartextStorage
|
||||
import semmle.javascript.security.dataflow.CleartextStorageQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.BrokenCryptoAlgorithm::BrokenCryptoAlgorithm
|
||||
import semmle.javascript.security.dataflow.BrokenCryptoAlgorithmQuery
|
||||
import semmle.javascript.security.SensitiveActions
|
||||
import DataFlow::PathGraph
|
||||
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.InsecureRandomness::InsecureRandomness
|
||||
import semmle.javascript.security.dataflow.InsecureRandomnessQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentials::CorsMisconfigurationForCredentials
|
||||
import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentialsQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
|
||||
import javascript
|
||||
import DataFlow::PathGraph
|
||||
import semmle.javascript.security.dataflow.DeepObjectResourceExhaustion::DeepObjectResourceExhaustion
|
||||
import semmle.javascript.security.dataflow.DeepObjectResourceExhaustionQuery
|
||||
|
||||
from
|
||||
Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node link,
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.RemotePropertyInjection::RemotePropertyInjection
|
||||
import semmle.javascript.security.dataflow.RemotePropertyInjectionQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.UnsafeDeserialization::UnsafeDeserialization
|
||||
import semmle.javascript.security.dataflow.UnsafeDeserializationQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.HardcodedDataInterpretedAsCode::HardcodedDataInterpretedAsCode
|
||||
import semmle.javascript.security.dataflow.HardcodedDataInterpretedAsCodeQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.ClientSideUrlRedirect::ClientSideUrlRedirect
|
||||
import semmle.javascript.security.dataflow.ClientSideUrlRedirectQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.ServerSideUrlRedirect::ServerSideUrlRedirect
|
||||
import semmle.javascript.security.dataflow.ServerSideUrlRedirectQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.Xxe::Xxe
|
||||
import semmle.javascript.security.dataflow.XxeQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.HostHeaderPoisoningInEmailGeneration::HostHeaderPoisoningInEmailGeneration
|
||||
import semmle.javascript.security.dataflow.HostHeaderPoisoningInEmailGenerationQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.XpathInjection::XpathInjection
|
||||
import semmle.javascript.security.dataflow.XpathInjectionQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.RegExpInjection::RegExpInjection
|
||||
import semmle.javascript.security.dataflow.RegExpInjectionQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.UnvalidatedDynamicMethodCall::UnvalidatedDynamicMethodCall
|
||||
import semmle.javascript.security.dataflow.UnvalidatedDynamicMethodCallQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -13,7 +13,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.XmlBomb::XmlBomb
|
||||
import semmle.javascript.security.dataflow.XmlBombQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
private import semmle.javascript.security.dataflow.HardcodedCredentials::HardcodedCredentials
|
||||
import semmle.javascript.security.dataflow.HardcodedCredentialsQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string value
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.ConditionalBypass::ConditionalBypass
|
||||
import semmle.javascript.security.dataflow.ConditionalBypassQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
/**
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.DifferentKindsComparisonBypass::DifferentKindsComparisonBypass
|
||||
import semmle.javascript.security.dataflow.DifferentKindsComparisonBypassQuery
|
||||
|
||||
from DifferentKindsComparison cmp, DataFlow::Node lSource, DataFlow::Node rSource
|
||||
where
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.InsecureDownload::InsecureDownload
|
||||
import semmle.javascript.security.dataflow.InsecureDownloadQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.LoopBoundInjection::LoopBoundInjection
|
||||
import semmle.javascript.security.dataflow.LoopBoundInjectionQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration dataflow, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.TypeConfusionThroughParameterTampering::TypeConfusionThroughParameterTampering
|
||||
import semmle.javascript.security.dataflow.TypeConfusionThroughParameterTamperingQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -12,7 +12,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.HttpToFileAccess::HttpToFileAccess
|
||||
import semmle.javascript.security.dataflow.HttpToFileAccessQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -17,7 +17,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.PrototypePollutingAssignment::PrototypePollutingAssignment
|
||||
import semmle.javascript.security.dataflow.PrototypePollutingAssignmentQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -17,7 +17,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.PrototypePollution::PrototypePollution
|
||||
import semmle.javascript.security.dataflow.PrototypePollutionQuery
|
||||
import DataFlow::PathGraph
|
||||
import semmle.javascript.dependencies.Dependencies
|
||||
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.InsufficientPasswordHash::InsufficientPasswordHash
|
||||
import semmle.javascript.security.dataflow.InsufficientPasswordHashQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.RequestForgery::RequestForgery
|
||||
import semmle.javascript.security.dataflow.RequestForgeryQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node request
|
||||
|
||||
@@ -1,36 +1,7 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about
|
||||
* sensitive information in broken or weak cryptographic algorithms.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `BrokenCryptoAlgorithm::Configuration` is needed, otherwise
|
||||
* `BrokenCryptoAlgorithmCustomizations` should be imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `BrokenCryptoAlgorithmQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import BrokenCryptoAlgorithmQuery as BrokenCryptoAlgorithmQuery // ignore-query-import
|
||||
|
||||
module BrokenCryptoAlgorithm {
|
||||
import BrokenCryptoAlgorithmCustomizations::BrokenCryptoAlgorithm
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for sensitive information in broken or weak cryptographic algorithms.
|
||||
*
|
||||
* This configuration identifies flows from `Source`s, which are sources of
|
||||
* sensitive data, to `Sink`s, which is an abstract class representing all
|
||||
* the places sensitive data may used in broken or weak cryptographic algorithms. Additional sources or sinks can be
|
||||
* added either by extending the relevant class, or by subclassing this configuration itself,
|
||||
* and amending the sources and sinks.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "BrokenCryptoAlgorithm" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `BrokenCryptoAlgorithmQuery` instead. */
|
||||
deprecated module BrokenCryptoAlgorithm = BrokenCryptoAlgorithmQuery;
|
||||
|
||||
@@ -0,0 +1,33 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about
|
||||
* sensitive information in broken or weak cryptographic algorithms.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `BrokenCryptoAlgorithm::Configuration` is needed, otherwise
|
||||
* `BrokenCryptoAlgorithmCustomizations` should be imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import BrokenCryptoAlgorithmCustomizations::BrokenCryptoAlgorithm
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for sensitive information in broken or weak cryptographic algorithms.
|
||||
*
|
||||
* This configuration identifies flows from `Source`s, which are sources of
|
||||
* sensitive data, to `Sink`s, which is an abstract class representing all
|
||||
* the places sensitive data may used in broken or weak cryptographic algorithms. Additional sources or sinks can be
|
||||
* added either by extending the relevant class, or by subclassing this configuration itself,
|
||||
* and amending the sources and sinks.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "BrokenCryptoAlgorithm" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
}
|
||||
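Review bot: The header comment of this new file still says to import it only if `BrokenCryptoAlgorithm::Configuration` is needed, but the class is now declared at top level, so the name is `Configuration` (or `BrokenCryptoAlgorithmQuery::Configuration` from another module) and `BrokenCryptoAlgorithm` is only the deprecated alias module. Suggest rewording the note to `` * `Configuration` is needed, otherwise `` so readers are not sent to the deprecated path. The rest of the header and the class QLDoc carry over unchanged and remain accurate.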
@@ -1,45 +1,7 @@
|
||||
/**
|
||||
* Provides a dataflow tracking configuration for reasoning about
|
||||
* storage of sensitive information in build artifact.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `CleartextLogging::Configuration` is needed, otherwise
|
||||
* `CleartextLoggingCustomizations` should be imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `BuildArtifactLeakQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import BuildArtifactLeakQuery as BuildArtifactLeakQuery // ignore-query-import
|
||||
|
||||
/**
|
||||
* Classes and predicates for storage of sensitive information in build artifact query.
|
||||
*/
|
||||
module BuildArtifactLeak {
|
||||
import BuildArtifactLeakCustomizations::BuildArtifactLeak
|
||||
import CleartextLoggingCustomizations::CleartextLogging as CleartextLogging
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for storage of sensitive information in build artifact.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "BuildArtifactLeak" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
|
||||
source.(CleartextLogging::Source).getLabel() = lbl
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
|
||||
sink.(Sink).getLabel() = lbl
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
node instanceof CleartextLogging::Barrier
|
||||
}
|
||||
|
||||
override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
CleartextLogging::isSanitizerEdge(pred, succ)
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
|
||||
CleartextLogging::isAdditionalTaintStep(src, trg)
|
||||
}
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `BuildArtifactLeakQuery` instead. */
|
||||
deprecated module BuildArtifactLeak = BuildArtifactLeakQuery;
|
||||
|
||||
@@ -0,0 +1,37 @@
|
||||
/**
|
||||
* Provides a dataflow tracking configuration for reasoning about
|
||||
* storage of sensitive information in build artifact.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `CleartextLogging::Configuration` is needed, otherwise
|
||||
* `CleartextLoggingCustomizations` should be imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import BuildArtifactLeakCustomizations::BuildArtifactLeak
|
||||
import CleartextLoggingCustomizations::CleartextLogging as CleartextLogging
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for storage of sensitive information in build artifact.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "BuildArtifactLeak" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
|
||||
source.(CleartextLogging::Source).getLabel() = lbl
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
|
||||
sink.(Sink).getLabel() = lbl
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof CleartextLogging::Barrier }
|
||||
|
||||
override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
CleartextLogging::isSanitizerEdge(pred, succ)
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
|
||||
CleartextLogging::isAdditionalTaintStep(src, trg)
|
||||
}
|
||||
}
|
||||
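Review bot: The header comment of this new file is copied from CleartextLogging: it tells readers to import it only if `CleartextLogging::Configuration` is needed and otherwise to import `CleartextLoggingCustomizations`, which is the wrong module pair for a file whose purpose is the BuildArtifactLeak configuration. Suggest `` * `Configuration` is needed, otherwise `` and `` * `BuildArtifactLeakCustomizations` should be imported instead. ``. The summary line also calls this a "dataflow tracking configuration" while the class extends `TaintTracking::Configuration` and its own QLDoc says taint tracking; aligning the two avoids a misleading first impression about the flow model used.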
@@ -1,45 +1,7 @@
|
||||
/**
|
||||
* Provides a dataflow tracking configuration for reasoning about
|
||||
* clear-text logging of sensitive information.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `CleartextLogging::Configuration` is needed, otherwise
|
||||
* `CleartextLoggingCustomizations` should be imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `CleartextLoggingQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import CleartextLoggingQuery as CleartextLoggingQuery // ignore-query-import
|
||||
|
||||
module CleartextLogging {
|
||||
import CleartextLoggingCustomizations::CleartextLogging
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for clear-text logging of sensitive information.
|
||||
*
|
||||
* This configuration identifies flows from `Source`s, which are sources of
|
||||
* sensitive data, to `Sink`s, which is an abstract class representing all
|
||||
* the places sensitive data may be stored in clear-text. Additional sources or sinks can be
|
||||
* added either by extending the relevant class, or by subclassing this configuration itself,
|
||||
* and amending the sources and sinks.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "CleartextLogging" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
|
||||
source.(Source).getLabel() = lbl
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
|
||||
sink.(Sink).getLabel() = lbl
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof Barrier }
|
||||
|
||||
override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
CleartextLogging::isSanitizerEdge(pred, succ)
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
|
||||
CleartextLogging::isAdditionalTaintStep(src, trg)
|
||||
}
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `CleartextLoggingQuery` instead. */
|
||||
deprecated module CleartextLogging = CleartextLoggingQuery;
|
||||
|
||||
@@ -0,0 +1,42 @@
|
||||
/**
|
||||
* Provides a dataflow tracking configuration for reasoning about
|
||||
* clear-text logging of sensitive information.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `CleartextLogging::Configuration` is needed, otherwise
|
||||
* `CleartextLoggingCustomizations` should be imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import CleartextLoggingCustomizations::CleartextLogging
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for clear-text logging of sensitive information.
|
||||
*
|
||||
* This configuration identifies flows from `Source`s, which are sources of
|
||||
* sensitive data, to `Sink`s, which is an abstract class representing all
|
||||
* the places sensitive data may be stored in clear-text. Additional sources or sinks can be
|
||||
* added either by extending the relevant class, or by subclassing this configuration itself,
|
||||
* and amending the sources and sinks.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "CleartextLogging" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
|
||||
source.(Source).getLabel() = lbl
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
|
||||
sink.(Sink).getLabel() = lbl
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof Barrier }
|
||||
|
||||
override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
CleartextLogging::isSanitizerEdge(pred, succ)
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
|
||||
CleartextLogging::isAdditionalTaintStep(src, trg)
|
||||
}
|
||||
}
|
||||
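Review bot: The header comment of this new file refers to `CleartextLogging::Configuration`, but with the enclosing module removed the class is now plain `Configuration`; suggest `` * `Configuration` is needed, otherwise ``. The summary line says "dataflow tracking configuration" while the class extends `TaintTracking::Configuration`, and the class QLDoc below correctly says taint tracking. In the `isSanitizerEdge` and `isAdditionalTaintStep` overrides the delegated predicates are qualified as `CleartextLogging::…` while `Source`, `Sink` and `Barrier` come unqualified from the same `import CleartextLoggingCustomizations::CleartextLogging`; a one-line comment stating that the qualifier is intended to name the customizations module (presumably bound by that import) would make the dependency explicit for the next reader.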
@@ -1,33 +1,7 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about
|
||||
* cleartext storage of sensitive information.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `CleartextStorage::Configuration` is needed, otherwise
|
||||
* `CleartextStorageCustomizations` should be imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `CleartextStorageQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import CleartextStorageQuery as CleartextStorageQuery // ignore-query-import
|
||||
|
||||
module CleartextStorage {
|
||||
import CleartextStorageCustomizations::CleartextStorage
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for cleartext storage of sensitive information.
|
||||
*
|
||||
* This configuration identifies flows from `Source`s, which are sources of
|
||||
* sensitive data, to `Sink`s, which is an abstract class representing all
|
||||
* the places sensitive data may be stored in cleartext. Additional sources or sinks can be
|
||||
* added either by extending the relevant class, or by subclassing this configuration itself,
|
||||
* and amending the sources and sinks.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "ClearTextStorage" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `CleartextStorageQuery` instead. */
|
||||
deprecated module CleartextStorage = CleartextStorageQuery;
|
||||
|
||||
@@ -0,0 +1,30 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about
|
||||
* cleartext storage of sensitive information.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `CleartextStorage::Configuration` is needed, otherwise
|
||||
* `CleartextStorageCustomizations` should be imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import CleartextStorageCustomizations::CleartextStorage
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for cleartext storage of sensitive information.
|
||||
*
|
||||
* This configuration identifies flows from `Source`s, which are sources of
|
||||
* sensitive data, to `Sink`s, which is an abstract class representing all
|
||||
* the places sensitive data may be stored in cleartext. Additional sources or sinks can be
|
||||
* added either by extending the relevant class, or by subclassing this configuration itself,
|
||||
* and amending the sources and sinks.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "ClearTextStorage" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
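Review bot: The new file's header guidance (`* `CleartextStorage::Configuration` is needed, otherwise`) names a module that does not exist in this file: `Configuration` is declared at top level here, and `CleartextStorage` is now the deprecated alias left behind in `CleartextStorage.qll`, so the sentence sends readers back to the shim this commit retires. I would change it to `* `Configuration` from this file is needed, otherwise`. The same stale `Module::Configuration` qualifier is carried into the new ClientSideUrlRedirectQuery, CodeInjectionQuery, CommandInjectionQuery, ConditionalBypassQuery and CorsMisconfigurationForCredentialsQuery headers in this commit.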
@@ -1,71 +1,9 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for reasoning about
|
||||
* unvalidated URL redirection problems on the client side.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `ClientSideUrlRedirect::Configuration` is needed, otherwise
|
||||
* `ClientSideUrlRedirectCustomizations` should be imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `ClientSideUrlRedirectQuery` instead. */
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.RemoteFlowSources
|
||||
import UrlConcatenation
|
||||
private import ClientSideUrlRedirectQuery as ClientSideUrlRedirectQuery // ignore-query-import
|
||||
|
||||
module ClientSideUrlRedirect {
|
||||
import ClientSideUrlRedirectCustomizations::ClientSideUrlRedirect
|
||||
|
||||
// Materialize flow labels
|
||||
private class ConcreteDocumentUrl extends DocumentUrl {
|
||||
ConcreteDocumentUrl() { this = this }
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about unvalidated URL redirections.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "ClientSideUrlRedirect" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
|
||||
source.(Source).getAFlowLabel() = lbl
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {
|
||||
hostnameSanitizingPrefixEdge(source, sink)
|
||||
}
|
||||
|
||||
override predicate isAdditionalFlowStep(
|
||||
DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel f, DataFlow::FlowLabel g
|
||||
) {
|
||||
untrustedUrlSubstring(pred, succ) and
|
||||
f instanceof DocumentUrl and
|
||||
g.isTaint()
|
||||
or
|
||||
// preserve document.url label in step from `location` to `location.href`
|
||||
f instanceof DocumentUrl and
|
||||
g instanceof DocumentUrl and
|
||||
succ.(DataFlow::PropRead).accesses(pred, "href")
|
||||
}
|
||||
|
||||
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
|
||||
guard instanceof HostnameSanitizerGuard
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Improper use of openExternal can be leveraged to compromise the user's host.
|
||||
* When openExternal is used with untrusted content, it can be leveraged to execute arbitrary commands.
|
||||
*/
|
||||
class ElectronShellOpenExternalSink extends Sink {
|
||||
ElectronShellOpenExternalSink() {
|
||||
this =
|
||||
DataFlow::moduleMember("electron", "shell").getAMemberCall("openExternal").getArgument(0)
|
||||
}
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `ClientSideUrlRedirectQuery` instead. */
|
||||
deprecated module ClientSideUrlRedirect = ClientSideUrlRedirectQuery;
|
||||
|
||||
@@ -0,0 +1,67 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for reasoning about
|
||||
* unvalidated URL redirection problems on the client side.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `ClientSideUrlRedirect::Configuration` is needed, otherwise
|
||||
* `ClientSideUrlRedirectCustomizations` should be imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.RemoteFlowSources
|
||||
import UrlConcatenation
|
||||
import ClientSideUrlRedirectCustomizations::ClientSideUrlRedirect
|
||||
|
||||
// Materialize flow labels
|
||||
private class ConcreteDocumentUrl extends DocumentUrl {
|
||||
ConcreteDocumentUrl() { this = this }
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about unvalidated URL redirections.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "ClientSideUrlRedirect" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
|
||||
source.(Source).getAFlowLabel() = lbl
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {
|
||||
hostnameSanitizingPrefixEdge(source, sink)
|
||||
}
|
||||
|
||||
override predicate isAdditionalFlowStep(
|
||||
DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel f, DataFlow::FlowLabel g
|
||||
) {
|
||||
untrustedUrlSubstring(pred, succ) and
|
||||
f instanceof DocumentUrl and
|
||||
g.isTaint()
|
||||
or
|
||||
// preserve document.url label in step from `location` to `location.href`
|
||||
f instanceof DocumentUrl and
|
||||
g instanceof DocumentUrl and
|
||||
succ.(DataFlow::PropRead).accesses(pred, "href")
|
||||
}
|
||||
|
||||
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
|
||||
guard instanceof HostnameSanitizerGuard
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Improper use of openExternal can be leveraged to compromise the user's host.
|
||||
* When openExternal is used with untrusted content, it can be leveraged to execute arbitrary commands.
|
||||
*/
|
||||
class ElectronShellOpenExternalSink extends Sink {
|
||||
ElectronShellOpenExternalSink() {
|
||||
this = DataFlow::moduleMember("electron", "shell").getAMemberCall("openExternal").getArgument(0)
|
||||
}
|
||||
}
|
||||
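Review bot: `ElectronShellOpenExternalSink` at the end of the new file is a `Sink` subclass defined in the Query module rather than in `ClientSideUrlRedirectCustomizations`, so a consumer who follows the header's advice and imports only the customizations never picks up the `shell.openExternal` sink, and its sink set silently differs from the one this query runs with. Moving the class next to the other sinks, or stating in its QLDoc why it must stay here, would remove that divergence. Separately, `// Materialize flow labels` above `ConcreteDocumentUrl` would read better as `// Materialize flow labels: give `DocumentUrl` a concrete subclass so the label has an instance in this configuration`; I assume `DocumentUrl` is abstract in the customizations module, which is not visible in this hunk.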
@@ -1,35 +1,7 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for reasoning about code
|
||||
* injection vulnerabilities.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `CodeInjection::Configuration` is needed, otherwise
|
||||
* `CodeInjectionCustomizations` should be imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `CodeInjectionQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import CodeInjectionQuery as CodeInjectionQuery // ignore-query-import
|
||||
|
||||
module CodeInjection {
|
||||
import CodeInjectionCustomizations::CodeInjection
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about code injection vulnerabilities.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "CodeInjection" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
|
||||
// HTML sanitizers are insufficient protection against code injection
|
||||
src = trg.(HtmlSanitizerCall).getInput()
|
||||
}
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `CodeInjectionQuery` instead. */
|
||||
deprecated module CodeInjection = CodeInjectionQuery;
|
||||
|
||||
@@ -0,0 +1,32 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for reasoning about code
|
||||
* injection vulnerabilities.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `CodeInjection::Configuration` is needed, otherwise
|
||||
* `CodeInjectionCustomizations` should be imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import CodeInjectionCustomizations::CodeInjection
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about code injection vulnerabilities.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "CodeInjection" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
|
||||
// HTML sanitizers are insufficient protection against code injection
|
||||
src = trg.(HtmlSanitizerCall).getInput()
|
||||
}
|
||||
}
|
||||
@@ -1,38 +1,7 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about
|
||||
* command-injection vulnerabilities (CWE-078).
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `CommandInjection::Configuration` is needed, otherwise
|
||||
* `CommandInjectionCustomizations` should be imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `CommandInjectionQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import CommandInjectionQuery as CommandInjectionQuery // ignore-query-import
|
||||
|
||||
module CommandInjection {
|
||||
import CommandInjectionCustomizations::CommandInjection
|
||||
import IndirectCommandArgument
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about command-injection vulnerabilities.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "CommandInjection" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
/**
|
||||
* Holds if `sink` is a data flow sink for command-injection vulnerabilities, and
|
||||
* the alert should be placed at the node `highlight`.
|
||||
*/
|
||||
predicate isSinkWithHighlight(DataFlow::Node sink, DataFlow::Node highlight) {
|
||||
sink instanceof Sink and highlight = sink
|
||||
or
|
||||
isIndirectCommandArgument(sink, highlight)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `CommandInjectionQuery` instead. */
|
||||
deprecated module CommandInjection = CommandInjectionQuery;
|
||||
|
||||
@@ -0,0 +1,35 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about
|
||||
* command-injection vulnerabilities (CWE-078).
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `CommandInjection::Configuration` is needed, otherwise
|
||||
* `CommandInjectionCustomizations` should be imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import CommandInjectionCustomizations::CommandInjection
|
||||
import IndirectCommandArgument
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about command-injection vulnerabilities.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "CommandInjection" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
/**
|
||||
* Holds if `sink` is a data flow sink for command-injection vulnerabilities, and
|
||||
* the alert should be placed at the node `highlight`.
|
||||
*/
|
||||
predicate isSinkWithHighlight(DataFlow::Node sink, DataFlow::Node highlight) {
|
||||
sink instanceof Sink and highlight = sink
|
||||
or
|
||||
isIndirectCommandArgument(sink, highlight)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
@@ -1,35 +1,7 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about bypass of sensitive action guards.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `ConditionalBypass::Configuration` is needed, otherwise
|
||||
* `ConditionalBypassCustomizations` should be imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `ConditionalBypassQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import semmle.javascript.security.SensitiveActions
|
||||
private import ConditionalBypassQuery as ConditionalBypassQuery // ignore-query-import
|
||||
|
||||
module ConditionalBypass {
|
||||
import ConditionalBypassCustomizations::ConditionalBypass
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for bypass of sensitive action guards.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "ConditionalBypass" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node dst) {
|
||||
// comparing a tainted expression against a constant gives a tainted result
|
||||
dst.asExpr().(Comparison).hasOperands(src.asExpr(), any(ConstantExpr c))
|
||||
}
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `ConditionalBypassQuery` instead. */
|
||||
deprecated module ConditionalBypass = ConditionalBypassQuery;
|
||||
|
||||
@@ -0,0 +1,32 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about bypass of sensitive action guards.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `ConditionalBypass::Configuration` is needed, otherwise
|
||||
* `ConditionalBypassCustomizations` should be imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
private import semmle.javascript.security.SensitiveActions
|
||||
import ConditionalBypassCustomizations::ConditionalBypass
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for bypass of sensitive action guards.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "ConditionalBypass" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node dst) {
|
||||
// comparing a tainted expression against a constant gives a tainted result
|
||||
dst.asExpr().(Comparison).hasOperands(src.asExpr(), any(ConstantExpr c))
|
||||
}
|
||||
}
|
||||
@@ -1,35 +1,7 @@
|
||||
/**
|
||||
* Provides a dataflow taint tracking configuration for reasoning
|
||||
* about CORS misconfiguration for credentials transfer.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `CorsMisconfigurationForCredentials::Configuration` is needed,
|
||||
* otherwise `CorsMisconfigurationForCredentialsCustomizations` should
|
||||
* be imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `CorsMisconfigurationForCredentialsQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import CorsMisconfigurationForCredentialsQuery as CorsMisconfigurationForCredentialsQuery // ignore-query-import
|
||||
|
||||
module CorsMisconfigurationForCredentials {
|
||||
import CorsMisconfigurationForCredentialsCustomizations::CorsMisconfigurationForCredentials
|
||||
|
||||
/**
|
||||
* A data flow configuration for CORS misconfiguration for credentials transfer.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "CorsMisconfigurationForCredentials" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
|
||||
guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer
|
||||
}
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `CorsMisconfigurationForCredentialsQuery` instead. */
|
||||
deprecated module CorsMisconfigurationForCredentials = CorsMisconfigurationForCredentialsQuery;
|
||||
|
||||
@@ -0,0 +1,32 @@
|
||||
/**
|
||||
* Provides a dataflow taint tracking configuration for reasoning
|
||||
* about CORS misconfiguration for credentials transfer.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `CorsMisconfigurationForCredentials::Configuration` is needed,
|
||||
* otherwise `CorsMisconfigurationForCredentialsCustomizations` should
|
||||
* be imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import CorsMisconfigurationForCredentialsCustomizations::CorsMisconfigurationForCredentials
|
||||
|
||||
/**
|
||||
* A data flow configuration for CORS misconfiguration for credentials transfer.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "CorsMisconfigurationForCredentials" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
|
||||
guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer
|
||||
}
|
||||
}
|
||||
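Review bot: The QLDoc on `Configuration` (`* A data flow configuration for CORS misconfiguration for credentials transfer.`) calls this a data-flow configuration, but the class extends `TaintTracking::Configuration` and registers a sanitizer guard, and the file header itself says taint tracking. Suggest `* A taint-tracking configuration for CORS misconfiguration for credentials transfer.` so the three descriptions agree. A brief why-comment on `guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer` naming what kind of check is treated as sanitizing would also help a reader judge the configuration's coverage; the guard's definition is not visible in this hunk, so keep it to what the guard's name states.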
@@ -1,41 +1,8 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about DoS attacks
|
||||
* due to inefficient handling of user-controlled objects.
|
||||
*/
|
||||
/** DEPRECATED. Import `DeepObjectResourceExhaustionQuery` instead. */
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.TaintedObject
|
||||
private import DeepObjectResourceExhaustionQuery as DeepObjectResourceExhaustionQuery // ignore-query-import
|
||||
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about DoS attacks
|
||||
* due to inefficient handling of user-controlled objects.
|
||||
*/
|
||||
module DeepObjectResourceExhaustion {
|
||||
import DeepObjectResourceExhaustionCustomizations::DeepObjectResourceExhaustion
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for reasoning about DoS attacks due to inefficient handling
|
||||
* of user-controlled objects.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "DeepObjectResourceExhaustion" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
|
||||
source.(Source).getAFlowLabel() = label
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
|
||||
sink instanceof Sink and label = TaintedObject::label()
|
||||
}
|
||||
|
||||
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
|
||||
guard instanceof TaintedObject::SanitizerGuard
|
||||
}
|
||||
|
||||
override predicate isAdditionalFlowStep(
|
||||
DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
|
||||
) {
|
||||
TaintedObject::step(src, trg, inlbl, outlbl)
|
||||
}
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `DeepObjectResourceExhaustionQuery` instead. */
|
||||
deprecated module DeepObjectResourceExhaustion = DeepObjectResourceExhaustionQuery;
|
||||
|
||||
@@ -0,0 +1,34 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about DoS attacks
|
||||
* due to inefficient handling of user-controlled objects.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.TaintedObject
|
||||
import DeepObjectResourceExhaustionCustomizations::DeepObjectResourceExhaustion
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for reasoning about DoS attacks due to inefficient handling
|
||||
* of user-controlled objects.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "DeepObjectResourceExhaustion" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
|
||||
source.(Source).getAFlowLabel() = label
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
|
||||
sink instanceof Sink and label = TaintedObject::label()
|
||||
}
|
||||
|
||||
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
|
||||
guard instanceof TaintedObject::SanitizerGuard
|
||||
}
|
||||
|
||||
override predicate isAdditionalFlowStep(
|
||||
DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
|
||||
) {
|
||||
TaintedObject::step(src, trg, inlbl, outlbl)
|
||||
}
|
||||
}
|
||||
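Review bot: The header of the new file lacks the import guidance its sibling `*Query.qll` files carry (`* Note, for performance reasons: only import this file if` … `*Customizations` should be imported instead.`), even though this file also re-exports `DeepObjectResourceExhaustionCustomizations::DeepObjectResourceExhaustion` and so presents the same trade-off. Adding the same three-line note, phrased for `Configuration` in this file and `DeepObjectResourceExhaustionCustomizations`, keeps the headers uniform. A why-comment on `sink instanceof Sink and label = TaintedObject::label()` such as `// only flows still carrying the tainted-object label reach the sink; plain taint is not reported` would make the label requirement explicit to readers comparing this with the single-label configurations.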
@@ -1,54 +1,8 @@
|
||||
/**
|
||||
* Provides classes for reasoning about comparisons that relies on
|
||||
* different kinds of HTTP request data.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `DifferentKindsComparisonBypass::Configuration` is needed,
|
||||
* otherwise `DifferentKindsComparisonBypassCustomizations` should be
|
||||
* imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `DifferentKindsComparisonBypassQuery` instead. */
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.RemoteFlowSources
|
||||
private import DifferentKindsComparisonBypassQuery as DifferentKindsComparisonBypassQuery // ignore-query-import
|
||||
|
||||
module DifferentKindsComparisonBypass {
|
||||
import DifferentKindsComparisonBypassCustomizations::DifferentKindsComparisonBypass
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for comparisons that relies on different kinds of HTTP request data.
|
||||
*/
|
||||
private class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "DifferentKindsComparisonBypass" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A comparison that relies on different kinds of HTTP request data.
|
||||
*/
|
||||
class DifferentKindsComparison extends Comparison {
|
||||
Source lSource;
|
||||
Source rSource;
|
||||
|
||||
DifferentKindsComparison() {
|
||||
exists(Configuration cfg |
|
||||
cfg.hasFlow(lSource, DataFlow::valueNode(getLeftOperand())) and
|
||||
cfg.hasFlow(rSource, DataFlow::valueNode(getRightOperand())) and
|
||||
lSource.isSuspiciousToCompareWith(rSource)
|
||||
)
|
||||
}
|
||||
|
||||
/** Gets the left operand source of this comparison. */
|
||||
Source getLSource() { result = lSource }
|
||||
|
||||
/** Gets the right operand source of this comparison. */
|
||||
Source getRSource() { result = rSource }
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `DifferentKindsComparisonBypassQuery` instead. */
|
||||
deprecated module DifferentKindsComparisonBypass = DifferentKindsComparisonBypassQuery;
|
||||
|
||||
@@ -0,0 +1,51 @@
|
||||
/**
|
||||
* Provides classes for reasoning about comparisons that relies on
|
||||
* different kinds of HTTP request data.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `DifferentKindsComparisonBypass::Configuration` is needed,
|
||||
* otherwise `DifferentKindsComparisonBypassCustomizations` should be
|
||||
* imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import semmle.javascript.security.dataflow.RemoteFlowSources
|
||||
import DifferentKindsComparisonBypassCustomizations::DifferentKindsComparisonBypass
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for comparisons that relies on different kinds of HTTP request data.
|
||||
*/
|
||||
private class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "DifferentKindsComparisonBypass" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A comparison that relies on different kinds of HTTP request data.
|
||||
*/
|
||||
class DifferentKindsComparison extends Comparison {
|
||||
Source lSource;
|
||||
Source rSource;
|
||||
|
||||
DifferentKindsComparison() {
|
||||
exists(Configuration cfg |
|
||||
cfg.hasFlow(lSource, DataFlow::valueNode(getLeftOperand())) and
|
||||
cfg.hasFlow(rSource, DataFlow::valueNode(getRightOperand())) and
|
||||
lSource.isSuspiciousToCompareWith(rSource)
|
||||
)
|
||||
}
|
||||
|
||||
/** Gets the left operand source of this comparison. */
|
||||
Source getLSource() { result = lSource }
|
||||
|
||||
/** Gets the right operand source of this comparison. */
|
||||
Source getRSource() { result = rSource }
|
||||
}
|
||||
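Review bot: `private class Configuration` is now file-private at the top level, so the header's claim that this file should be imported only if `DifferentKindsComparisonBypass::Configuration` is needed cannot be satisfied: no importer can name that class, and the only thing this file adds over the customizations is `DifferentKindsComparison`. I would reword the note to `* `DifferentKindsComparison` is needed, otherwise` so it names the class a consumer actually reaches. If callers are instead meant to build on the configuration, it would need to be public; from this hunk alone I cannot tell which was intended.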
@@ -1,96 +1,7 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for reasoning about DOM-based
|
||||
* cross-site scripting vulnerabilities.
|
||||
*/
|
||||
/** DEPRECATED. Import `DomBasedXssQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import semmle.javascript.security.TaintedUrlSuffix
|
||||
private import DomBasedXssQuery as DomBasedXssQuery // ignore-query-import
|
||||
|
||||
module DomBasedXss {
|
||||
import DomBasedXssCustomizations::DomBasedXss
|
||||
|
||||
/**
|
||||
* DEPRECATED. Use `HtmlInjectionConfiguration` or `JQueryHtmlOrSelectorInjectionConfiguration`.
|
||||
*/
|
||||
deprecated class Configuration = HtmlInjectionConfiguration;
|
||||
|
||||
/**
|
||||
* DEPRECATED. Use `Vue::VHtmlSourceWrite` instead.
|
||||
*/
|
||||
deprecated class VHtmlSourceWrite = Vue::VHtmlSourceWrite;
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about XSS.
|
||||
*/
|
||||
class HtmlInjectionConfiguration extends TaintTracking::Configuration {
|
||||
HtmlInjectionConfiguration() { this = "HtmlInjection" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
sink instanceof Sink and
|
||||
not sink instanceof JQueryHtmlOrSelectorSink // Handled by JQueryHtmlOrSelectorInjectionConfiguration below
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node)
|
||||
or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
|
||||
guard instanceof SanitizerGuard
|
||||
}
|
||||
|
||||
override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
DomBasedXss::isOptionallySanitizedEdge(pred, succ)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about injection into the jQuery `$` function
|
||||
* or similar, where the interpretation of the input string depends on its first character.
|
||||
*
|
||||
* Values are only considered tainted if they can start with the `<` character.
|
||||
*/
|
||||
class JQueryHtmlOrSelectorInjectionConfiguration extends TaintTracking::Configuration {
|
||||
JQueryHtmlOrSelectorInjectionConfiguration() { this = "JQueryHtmlOrSelectorInjection" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
|
||||
// Reuse any source not derived from location
|
||||
source instanceof Source and
|
||||
not source = [DOM::locationRef(), DOM::locationRef().getAPropertyRead()] and
|
||||
label.isTaint()
|
||||
or
|
||||
source = [DOM::locationSource(), DOM::locationRef().getAPropertyRead(["hash", "search"])] and
|
||||
label = TaintedUrlSuffix::label()
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
|
||||
sink instanceof JQueryHtmlOrSelectorSink and label.isTaint()
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node)
|
||||
or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
|
||||
guard instanceof SanitizerGuard
|
||||
}
|
||||
|
||||
override predicate isAdditionalFlowStep(
|
||||
DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
|
||||
) {
|
||||
TaintedUrlSuffix::step(src, trg, inlbl, outlbl)
|
||||
or
|
||||
exists(DataFlow::Node operator |
|
||||
StringConcatenation::taintStep(src, trg, operator, _) and
|
||||
StringConcatenation::getOperand(operator, 0).getStringValue() = "<" + any(string s) and
|
||||
inlbl = TaintedUrlSuffix::label() and
|
||||
outlbl.isTaint()
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `DomBasedXssQuery` instead. */
|
||||
deprecated module DomBasedXss = DomBasedXssQuery;
|
||||
|
||||
@@ -0,0 +1,93 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for reasoning about DOM-based
|
||||
* cross-site scripting vulnerabilities.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
private import semmle.javascript.security.TaintedUrlSuffix
|
||||
import DomBasedXssCustomizations::DomBasedXss
|
||||
|
||||
/**
|
||||
* DEPRECATED. Use `HtmlInjectionConfiguration` or `JQueryHtmlOrSelectorInjectionConfiguration`.
|
||||
*/
|
||||
deprecated class Configuration = HtmlInjectionConfiguration;
|
||||
|
||||
/**
|
||||
* DEPRECATED. Use `Vue::VHtmlSourceWrite` instead.
|
||||
*/
|
||||
deprecated class VHtmlSourceWrite = Vue::VHtmlSourceWrite;
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about XSS.
|
||||
*/
|
||||
class HtmlInjectionConfiguration extends TaintTracking::Configuration {
|
||||
HtmlInjectionConfiguration() { this = "HtmlInjection" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
sink instanceof Sink and
|
||||
not sink instanceof JQueryHtmlOrSelectorSink // Handled by JQueryHtmlOrSelectorInjectionConfiguration below
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node)
|
||||
or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
|
||||
guard instanceof SanitizerGuard
|
||||
}
|
||||
|
||||
override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
DomBasedXss::isOptionallySanitizedEdge(pred, succ)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about injection into the jQuery `$` function
|
||||
* or similar, where the interpretation of the input string depends on its first character.
|
||||
*
|
||||
* Values are only considered tainted if they can start with the `<` character.
|
||||
*/
|
||||
class JQueryHtmlOrSelectorInjectionConfiguration extends TaintTracking::Configuration {
|
||||
JQueryHtmlOrSelectorInjectionConfiguration() { this = "JQueryHtmlOrSelectorInjection" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
|
||||
// Reuse any source not derived from location
|
||||
source instanceof Source and
|
||||
not source = [DOM::locationRef(), DOM::locationRef().getAPropertyRead()] and
|
||||
label.isTaint()
|
||||
or
|
||||
source = [DOM::locationSource(), DOM::locationRef().getAPropertyRead(["hash", "search"])] and
|
||||
label = TaintedUrlSuffix::label()
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
|
||||
sink instanceof JQueryHtmlOrSelectorSink and label.isTaint()
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node)
|
||||
or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
|
||||
guard instanceof SanitizerGuard
|
||||
}
|
||||
|
||||
override predicate isAdditionalFlowStep(
|
||||
DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
|
||||
) {
|
||||
TaintedUrlSuffix::step(src, trg, inlbl, outlbl)
|
||||
or
|
||||
exists(DataFlow::Node operator |
|
||||
StringConcatenation::taintStep(src, trg, operator, _) and
|
||||
StringConcatenation::getOperand(operator, 0).getStringValue() = "<" + any(string s) and
|
||||
inlbl = TaintedUrlSuffix::label() and
|
||||
outlbl.isTaint()
|
||||
)
|
||||
}
|
||||
}
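Review bot: The deprecated `Configuration` alias near the top of this file silently drops jQuery coverage: it maps to `HtmlInjectionConfiguration` alone, whose `isSink` explicitly excludes `JQueryHtmlOrSelectorSink`, so a query that still uses `Configuration` no longer reports flows into `$(...)`-style sinks. The QLDoc on the alias should say so, e.g. ` * Note that this alias covers only `HtmlInjectionConfiguration`; jQuery `$` sinks are excluded from it and are only reported by `JQueryHtmlOrSelectorInjectionConfiguration`, so use both configurations for full coverage.` The label-switching concatenation step in `JQueryHtmlOrSelectorInjectionConfiguration.isAdditionalFlowStep` would also read better with a why-comment such as `// A tainted URL suffix becomes full taint once it is concatenated after a literal starting with "<", presumably because the result is then interpreted as HTML rather than as a selector`.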
|
||||
@@ -1,162 +1,7 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for reasoning about cross-site
|
||||
* scripting vulnerabilities where the taint-flow passes through a thrown
|
||||
* exception.
|
||||
*/
|
||||
/** DEPRECATED. Import `ExceptionXssQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import ExceptionXssQuery as ExceptionXssQuery // ignore-query-import
|
||||
|
||||
module ExceptionXss {
|
||||
import DomBasedXssCustomizations::DomBasedXss as DomBasedXssCustom
|
||||
import ReflectedXssCustomizations::ReflectedXss as ReflectedXssCustom
|
||||
import Xss as Xss
|
||||
import Xss::ExceptionXss
|
||||
private import semmle.javascript.dataflow.InferredTypes
|
||||
|
||||
/**
|
||||
* Gets the name of a method that does not leak taint from its arguments if an exception is thrown by the method.
|
||||
*/
|
||||
private string getAnUnlikelyToThrowMethodName() {
|
||||
result = "getElementById" or // document.getElementById
|
||||
result = "indexOf" or // String.prototype.indexOf
|
||||
result = "assign" or // Object.assign
|
||||
result = "pick" or // _.pick
|
||||
result = getAStandardLoggerMethodName() or // log.info etc.
|
||||
result = "val" or // $.val
|
||||
result = "parse" or // JSON.parse
|
||||
result = "stringify" or // JSON.stringify
|
||||
result = "test" or // RegExp.prototype.test
|
||||
result = "setItem" or // localStorage.setItem
|
||||
result = "existsSync" or
|
||||
// the "fs" methods are a mix of "this is safe" and "you have bigger problems".
|
||||
exists(ExternalMemberDecl decl | decl.hasQualifiedName("fs", result)) or
|
||||
// Array methods are generally exception safe.
|
||||
exists(ExternalMemberDecl decl | decl.hasQualifiedName("Array", result))
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `node` is unlikely to cause an exception containing sensitive information to be thrown.
|
||||
*/
|
||||
private predicate isUnlikelyToThrowSensitiveInformation(DataFlow::Node node) {
|
||||
node =
|
||||
any(DataFlow::CallNode call | call.getCalleeName() = getAnUnlikelyToThrowMethodName())
|
||||
.getAnArgument()
|
||||
or
|
||||
node = DataFlow::globalVarRef("console").getAMemberCall(_).getAnArgument()
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `t` is `null` or `undefined`.
|
||||
*/
|
||||
private predicate isNullOrUndefined(InferredType t) {
|
||||
t = TTNull() or
|
||||
t = TTUndefined()
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `node` can possibly cause an exception containing sensitive information to be thrown.
|
||||
*/
|
||||
predicate canThrowSensitiveInformation(DataFlow::Node node) {
|
||||
not isUnlikelyToThrowSensitiveInformation(node) and
|
||||
not node instanceof Xss::Shared::Sink and // removes duplicates from js/xss.
|
||||
(
|
||||
// in the case of reflective calls the below ensures that both InvokeNodes have no known callee.
|
||||
forex(DataFlow::InvokeNode call | call.getAnArgument() = node | not exists(call.getACallee()))
|
||||
or
|
||||
node.asExpr().getEnclosingStmt() instanceof ThrowStmt
|
||||
or
|
||||
exists(DataFlow::PropRef prop |
|
||||
node = DataFlow::valueNode(prop.getPropertyNameExpr()) and
|
||||
forex(InferredType t | t = prop.getBase().analyze().getAType() | isNullOrUndefined(t))
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
// Materialize flow labels
|
||||
private class ConcreteNotYetThrown extends Xss::ExceptionXss::NotYetThrown {
|
||||
ConcreteNotYetThrown() { this = this }
|
||||
}
|
||||
|
||||
/**
|
||||
* A callback that is the last argument to some call, and the callback has the form:
|
||||
* `function (err, value) {if (err) {...} ... }`
|
||||
*/
|
||||
class Callback extends DataFlow::FunctionNode {
|
||||
DataFlow::ParameterNode errorParameter;
|
||||
|
||||
Callback() {
|
||||
exists(DataFlow::CallNode call | call.getLastArgument().getAFunctionValue() = this) and
|
||||
this.getNumParameter() = 2 and
|
||||
errorParameter = this.getParameter(0) and
|
||||
exists(IfStmt ifStmt |
|
||||
ifStmt = this.getFunction().getBodyStmt(0) and
|
||||
errorParameter.flowsToExpr(ifStmt.getCondition())
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the parameter in the callback that contains an error.
|
||||
* In the current implementation this is always the first parameter.
|
||||
*/
|
||||
DataFlow::Node getErrorParam() { result = errorParameter }
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the error parameter for a callback that is supplied to the same call as `pred` is an argument to.
|
||||
* For example: `outerCall(foo, <pred>, bar, (<result>, val) => { ... })`.
|
||||
*/
|
||||
DataFlow::Node getCallbackErrorParam(DataFlow::Node pred) {
|
||||
exists(DataFlow::CallNode call, Callback callback |
|
||||
pred = call.getAnArgument() and
|
||||
call.getLastArgument() = callback and
|
||||
result = callback.getErrorParam() and
|
||||
not pred = callback
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the data-flow node to which any exceptions thrown by
|
||||
* this expression will propagate.
|
||||
* This predicate adds, on top of `Expr::getExceptionTarget`, exceptions
|
||||
* propagated by callbacks.
|
||||
*/
|
||||
private DataFlow::Node getExceptionTarget(DataFlow::Node pred) {
|
||||
result = pred.asExpr().getExceptionTarget()
|
||||
or
|
||||
result = getCallbackErrorParam(pred)
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about XSS with possible exceptional flow.
|
||||
* Flow labels are used to ensure that we only report taint-flow that has been thrown in
|
||||
* an exception.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "ExceptionXss" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
|
||||
source.(Xss::ExceptionXss::Source).getAFlowLabel() = label
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
|
||||
sink instanceof Xss::Shared::Sink and not label instanceof NotYetThrown
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof Xss::Shared::Sanitizer }
|
||||
|
||||
override predicate isAdditionalFlowStep(
|
||||
DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl,
|
||||
DataFlow::FlowLabel outlbl
|
||||
) {
|
||||
inlbl instanceof NotYetThrown and
|
||||
(outlbl.isTaint() or outlbl instanceof NotYetThrown) and
|
||||
canThrowSensitiveInformation(pred) and
|
||||
succ = getExceptionTarget(pred)
|
||||
or
|
||||
// All the usual taint-flow steps apply on data-flow before it has been thrown in an exception.
|
||||
this.isAdditionalFlowStep(pred, succ) and
|
||||
inlbl instanceof NotYetThrown and
|
||||
outlbl instanceof NotYetThrown
|
||||
}
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `ExceptionXssQuery` instead. */
|
||||
deprecated module ExceptionXss = ExceptionXssQuery;
|
||||
|
||||
@@ -0,0 +1,158 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for reasoning about cross-site
|
||||
* scripting vulnerabilities where the taint-flow passes through a thrown
|
||||
* exception.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import DomBasedXssCustomizations::DomBasedXss as DomBasedXssCustom
|
||||
import ReflectedXssCustomizations::ReflectedXss as ReflectedXssCustom
|
||||
import Xss as Xss
|
||||
import Xss::ExceptionXss
|
||||
private import semmle.javascript.dataflow.InferredTypes
|
||||
|
||||
/**
|
||||
* Gets the name of a method that does not leak taint from its arguments if an exception is thrown by the method.
|
||||
*/
|
||||
private string getAnUnlikelyToThrowMethodName() {
|
||||
result = "getElementById" or // document.getElementById
|
||||
result = "indexOf" or // String.prototype.indexOf
|
||||
result = "assign" or // Object.assign
|
||||
result = "pick" or // _.pick
|
||||
result = getAStandardLoggerMethodName() or // log.info etc.
|
||||
result = "val" or // $.val
|
||||
result = "parse" or // JSON.parse
|
||||
result = "stringify" or // JSON.stringify
|
||||
result = "test" or // RegExp.prototype.test
|
||||
result = "setItem" or // localStorage.setItem
|
||||
result = "existsSync" or
|
||||
// the "fs" methods are a mix of "this is safe" and "you have bigger problems".
|
||||
exists(ExternalMemberDecl decl | decl.hasQualifiedName("fs", result)) or
|
||||
// Array methods are generally exception safe.
|
||||
exists(ExternalMemberDecl decl | decl.hasQualifiedName("Array", result))
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `node` is unlikely to cause an exception containing sensitive information to be thrown.
|
||||
*/
|
||||
private predicate isUnlikelyToThrowSensitiveInformation(DataFlow::Node node) {
|
||||
node =
|
||||
any(DataFlow::CallNode call | call.getCalleeName() = getAnUnlikelyToThrowMethodName())
|
||||
.getAnArgument()
|
||||
or
|
||||
node = DataFlow::globalVarRef("console").getAMemberCall(_).getAnArgument()
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `t` is `null` or `undefined`.
|
||||
*/
|
||||
private predicate isNullOrUndefined(InferredType t) {
|
||||
t = TTNull() or
|
||||
t = TTUndefined()
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `node` can possibly cause an exception containing sensitive information to be thrown.
|
||||
*/
|
||||
predicate canThrowSensitiveInformation(DataFlow::Node node) {
|
||||
not isUnlikelyToThrowSensitiveInformation(node) and
|
||||
not node instanceof Xss::Shared::Sink and // removes duplicates from js/xss.
|
||||
(
|
||||
// in the case of reflective calls the below ensures that both InvokeNodes have no known callee.
|
||||
forex(DataFlow::InvokeNode call | call.getAnArgument() = node | not exists(call.getACallee()))
|
||||
or
|
||||
node.asExpr().getEnclosingStmt() instanceof ThrowStmt
|
||||
or
|
||||
exists(DataFlow::PropRef prop |
|
||||
node = DataFlow::valueNode(prop.getPropertyNameExpr()) and
|
||||
forex(InferredType t | t = prop.getBase().analyze().getAType() | isNullOrUndefined(t))
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
// Materialize flow labels
|
||||
private class ConcreteNotYetThrown extends Xss::ExceptionXss::NotYetThrown {
|
||||
ConcreteNotYetThrown() { this = this }
|
||||
}
|
||||
|
||||
/**
|
||||
* A callback that is the last argument to some call, and the callback has the form:
|
||||
* `function (err, value) {if (err) {...} ... }`
|
||||
*/
|
||||
class Callback extends DataFlow::FunctionNode {
|
||||
DataFlow::ParameterNode errorParameter;
|
||||
|
||||
Callback() {
|
||||
exists(DataFlow::CallNode call | call.getLastArgument().getAFunctionValue() = this) and
|
||||
this.getNumParameter() = 2 and
|
||||
errorParameter = this.getParameter(0) and
|
||||
exists(IfStmt ifStmt |
|
||||
ifStmt = this.getFunction().getBodyStmt(0) and
|
||||
errorParameter.flowsToExpr(ifStmt.getCondition())
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the parameter in the callback that contains an error.
|
||||
* In the current implementation this is always the first parameter.
|
||||
*/
|
||||
DataFlow::Node getErrorParam() { result = errorParameter }
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the error parameter for a callback that is supplied to the same call as `pred` is an argument to.
|
||||
* For example: `outerCall(foo, <pred>, bar, (<result>, val) => { ... })`.
|
||||
*/
|
||||
DataFlow::Node getCallbackErrorParam(DataFlow::Node pred) {
|
||||
exists(DataFlow::CallNode call, Callback callback |
|
||||
pred = call.getAnArgument() and
|
||||
call.getLastArgument() = callback and
|
||||
result = callback.getErrorParam() and
|
||||
not pred = callback
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the data-flow node to which any exceptions thrown by
|
||||
* this expression will propagate.
|
||||
* This predicate adds, on top of `Expr::getExceptionTarget`, exceptions
|
||||
* propagated by callbacks.
|
||||
*/
|
||||
private DataFlow::Node getExceptionTarget(DataFlow::Node pred) {
|
||||
result = pred.asExpr().getExceptionTarget()
|
||||
or
|
||||
result = getCallbackErrorParam(pred)
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about XSS with possible exceptional flow.
|
||||
* Flow labels are used to ensure that we only report taint-flow that has been thrown in
|
||||
* an exception.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "ExceptionXss" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
|
||||
source.(Xss::ExceptionXss::Source).getAFlowLabel() = label
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
|
||||
sink instanceof Xss::Shared::Sink and not label instanceof NotYetThrown
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof Xss::Shared::Sanitizer }
|
||||
|
||||
override predicate isAdditionalFlowStep(
|
||||
DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
|
||||
) {
|
||||
inlbl instanceof NotYetThrown and
|
||||
(outlbl.isTaint() or outlbl instanceof NotYetThrown) and
|
||||
canThrowSensitiveInformation(pred) and
|
||||
succ = getExceptionTarget(pred)
|
||||
or
|
||||
// All the usual taint-flow steps apply on data-flow before it has been thrown in an exception.
|
||||
this.isAdditionalFlowStep(pred, succ) and
|
||||
inlbl instanceof NotYetThrown and
|
||||
outlbl instanceof NotYetThrown
|
||||
}
|
||||
}
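Review bot: `getAnUnlikelyToThrowMethodName` lists `"parse"` (annotated `JSON.parse`) as a method whose exceptions do not carry its arguments, but the `SyntaxError` raised by `JSON.parse` quotes the offending token and, in recent engine versions, a snippet of the input string, so the thrown message can carry attacker-controlled text; treating it as non-leaking is a possible false negative for exactly the flow this configuration targets. Consider dropping that line or documenting the trade-off, e.g. `result = "parse" or // JSON.parse - NOTE: SyntaxError messages may echo part of the input; excluded to limit noise`. The `// Materialize flow labels` comment on `ConcreteNotYetThrown` would also benefit from stating why `this = this` is needed (presumably to give the `NotYetThrown` label a concrete instance). Both are carried over unchanged from the old file, so neither is a regression of this commit.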
|
||||
@@ -1,106 +1,7 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about untrusted
|
||||
* data flowing to an external API call.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `ExternalAPIUsedWithUntrustedData::Configuration` is needed, otherwise
|
||||
* `ExternalAPIUsedWithUntrustedDataCustomizations` should be imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `ExternalAPIUsedWithUntrustedDataQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import ExternalAPIUsedWithUntrustedDataQuery as ExternalAPIUsedWithUntrustedDataQuery // ignore-query-import
|
||||
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about untrusted
|
||||
* data flowing to an external API call.
|
||||
*/
|
||||
module ExternalAPIUsedWithUntrustedData {
|
||||
import ExternalAPIUsedWithUntrustedDataCustomizations::ExternalAPIUsedWithUntrustedData
|
||||
|
||||
/** Flow label for objects from which a tainted value is reachable. */
|
||||
private class ObjectWrapperFlowLabel extends DataFlow::FlowLabel {
|
||||
ObjectWrapperFlowLabel() { this = "object-wrapper" }
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for untrusted data flowing to an external API.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "ExternalAPIUsedWithUntrustedData" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
|
||||
sink instanceof Sink and
|
||||
(lbl.isTaint() or lbl instanceof ObjectWrapperFlowLabel)
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isAdditionalFlowStep(
|
||||
DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel predLbl,
|
||||
DataFlow::FlowLabel succLbl
|
||||
) {
|
||||
// Step into an object and switch to the 'object-wrapper' label.
|
||||
exists(DataFlow::PropWrite write |
|
||||
pred = write.getRhs() and
|
||||
succ = write.getBase().getALocalSource() and
|
||||
(predLbl.isTaint() or predLbl instanceof ObjectWrapperFlowLabel) and
|
||||
succLbl instanceof ObjectWrapperFlowLabel
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
// Block flow from the location to its properties, as the relevant properties (hash and search) are taint sources of their own.
|
||||
// The location source is only used for propagating through API calls like `new URL(location)` and into external APIs where
|
||||
// the whole location object escapes.
|
||||
exists(DataFlow::PropRead read |
|
||||
read = DOM::locationRef().getAPropertyRead() and
|
||||
pred = read.getBase() and
|
||||
succ = read
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/** A node representing data being passed to an external API. */
|
||||
class ExternalAPIDataNode extends DataFlow::Node {
|
||||
ExternalAPIDataNode() { this instanceof Sink }
|
||||
}
|
||||
|
||||
/** A node representing untrusted data being passed to an external API. */
|
||||
class UntrustedExternalAPIDataNode extends ExternalAPIDataNode {
|
||||
UntrustedExternalAPIDataNode() { any(Configuration c).hasFlow(_, this) }
|
||||
|
||||
/** Gets a source of untrusted data which is passed to this external API data node. */
|
||||
DataFlow::Node getAnUntrustedSource() { any(Configuration c).hasFlow(result, this) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Name of an external API sink, boxed in a newtype for consistency with other languages.
|
||||
*/
|
||||
private newtype TExternalApi =
|
||||
MkExternalApiNode(string name) {
|
||||
exists(Sink sink |
|
||||
any(Configuration c).hasFlow(_, sink) and
|
||||
name = sink.getApiName()
|
||||
)
|
||||
}
|
||||
|
||||
/** An external API which is used with untrusted data. */
|
||||
class ExternalAPIUsedWithUntrustedData extends TExternalApi {
|
||||
/** Gets a possibly untrusted use of this external API. */
|
||||
UntrustedExternalAPIDataNode getUntrustedDataNode() {
|
||||
this = MkExternalApiNode(result.(Sink).getApiName())
|
||||
}
|
||||
|
||||
/** Gets the number of untrusted sources used with this external API. */
|
||||
int getNumberOfUntrustedSources() {
|
||||
result = count(getUntrustedDataNode().getAnUntrustedSource())
|
||||
}
|
||||
|
||||
/** Gets a textual representation of this element. */
|
||||
string toString() { this = MkExternalApiNode(result) }
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `ExternalAPIUsedWithUntrustedDataQuery` instead. */
|
||||
deprecated module ExternalAPIUsedWithUntrustedData = ExternalAPIUsedWithUntrustedDataQuery;
|
||||
|
||||
@@ -0,0 +1,99 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about untrusted
|
||||
* data flowing to an external API call.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `ExternalAPIUsedWithUntrustedData::Configuration` is needed, otherwise
|
||||
* `ExternalAPIUsedWithUntrustedDataCustomizations` should be imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import ExternalAPIUsedWithUntrustedDataCustomizations::ExternalAPIUsedWithUntrustedData
|
||||
|
||||
/** Flow label for objects from which a tainted value is reachable. */
|
||||
private class ObjectWrapperFlowLabel extends DataFlow::FlowLabel {
|
||||
ObjectWrapperFlowLabel() { this = "object-wrapper" }
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for untrusted data flowing to an external API.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "ExternalAPIUsedWithUntrustedData" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
|
||||
sink instanceof Sink and
|
||||
(lbl.isTaint() or lbl instanceof ObjectWrapperFlowLabel)
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isAdditionalFlowStep(
|
||||
DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel predLbl,
|
||||
DataFlow::FlowLabel succLbl
|
||||
) {
|
||||
// Step into an object and switch to the 'object-wrapper' label.
|
||||
exists(DataFlow::PropWrite write |
|
||||
pred = write.getRhs() and
|
||||
succ = write.getBase().getALocalSource() and
|
||||
(predLbl.isTaint() or predLbl instanceof ObjectWrapperFlowLabel) and
|
||||
succLbl instanceof ObjectWrapperFlowLabel
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
// Block flow from the location to its properties, as the relevant properties (hash and search) are taint sources of their own.
|
||||
// The location source is only used for propagating through API calls like `new URL(location)` and into external APIs where
|
||||
// the whole location object escapes.
|
||||
exists(DataFlow::PropRead read |
|
||||
read = DOM::locationRef().getAPropertyRead() and
|
||||
pred = read.getBase() and
|
||||
succ = read
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/** A node representing data being passed to an external API. */
|
||||
class ExternalAPIDataNode extends DataFlow::Node {
|
||||
ExternalAPIDataNode() { this instanceof Sink }
|
||||
}
|
||||
|
||||
/** A node representing untrusted data being passed to an external API. */
|
||||
class UntrustedExternalAPIDataNode extends ExternalAPIDataNode {
|
||||
UntrustedExternalAPIDataNode() { any(Configuration c).hasFlow(_, this) }
|
||||
|
||||
/** Gets a source of untrusted data which is passed to this external API data node. */
|
||||
DataFlow::Node getAnUntrustedSource() { any(Configuration c).hasFlow(result, this) }
|
||||
}
|
||||
|
||||
/**
|
||||
* Name of an external API sink, boxed in a newtype for consistency with other languages.
|
||||
*/
|
||||
private newtype TExternalApi =
|
||||
MkExternalApiNode(string name) {
|
||||
exists(Sink sink |
|
||||
any(Configuration c).hasFlow(_, sink) and
|
||||
name = sink.getApiName()
|
||||
)
|
||||
}
|
||||
|
||||
/** An external API which is used with untrusted data. */
|
||||
class ExternalAPIUsedWithUntrustedData extends TExternalApi {
|
||||
/** Gets a possibly untrusted use of this external API. */
|
||||
UntrustedExternalAPIDataNode getUntrustedDataNode() {
|
||||
this = MkExternalApiNode(result.(Sink).getApiName())
|
||||
}
|
||||
|
||||
/** Gets the number of untrusted sources used with this external API. */
|
||||
int getNumberOfUntrustedSources() {
|
||||
result = count(getUntrustedDataNode().getAnUntrustedSource())
|
||||
}
|
||||
|
||||
/** Gets a textual representation of this element. */
|
||||
string toString() { this = MkExternalApiNode(result) }
|
||||
}
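Review bot: The file header still tells readers to import this file only if `ExternalAPIUsedWithUntrustedData::Configuration` is needed, but after the move there is no `ExternalAPIUsedWithUntrustedData` module in this file; the class is the top-level `Configuration`, and the old qualified name now only resolves through the deprecated alias left in the shim. The same stale reference appears in the `FileAccessToHttpQuery` header (`FileAccessToHttp::Configuration`), the `HardcodedCredentialsQuery` header (`HardcodedCredentials::Configuration`) and the `HardcodedDataInterpretedAsCodeQuery` header. Suggest ` * `ExternalAPIUsedWithUntrustedDataQuery::Configuration` is needed, otherwise` here and the matching `*Query::Configuration` name in each of the other three headers.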
|
||||
@@ -1,38 +1,7 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about file
|
||||
* data in outbound network requests.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `FileAccessToHttp::Configuration` is needed, otherwise
|
||||
* `FileAccessToHttpCustomizations` should be imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `FileAccessToHttpQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import FileAccessToHttpQuery as FileAccessToHttpQuery // ignore-query-import
|
||||
|
||||
module FileAccessToHttp {
|
||||
import FileAccessToHttpCustomizations::FileAccessToHttp
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for file data in outbound network requests.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "FileAccessToHttp" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
// taint entire object on property write
|
||||
exists(DataFlow::PropWrite pwr |
|
||||
succ = pwr.getBase() and
|
||||
pred = pwr.getRhs()
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `FileAccessToHttpQuery` instead. */
|
||||
deprecated module FileAccessToHttp = FileAccessToHttpQuery;
|
||||
|
||||
@@ -0,0 +1,35 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about file
|
||||
* data in outbound network requests.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `FileAccessToHttp::Configuration` is needed, otherwise
|
||||
* `FileAccessToHttpCustomizations` should be imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import FileAccessToHttpCustomizations::FileAccessToHttp
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for file data in outbound network requests.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "FileAccessToHttp" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
// taint entire object on property write
|
||||
exists(DataFlow::PropWrite pwr |
|
||||
succ = pwr.getBase() and
|
||||
pred = pwr.getRhs()
|
||||
)
|
||||
}
|
||||
}
|
||||
@@ -1,37 +1,7 @@
|
||||
/**
|
||||
* Provides a data flow configuration for reasoning about hardcoded
|
||||
* credentials.
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `HardcodedCredentials::Configuration` is needed, otherwise
|
||||
* `HardcodedCredentialsCustomizations` should be imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `HardcodedCredentialsQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import HardcodedCredentialsQuery as HardcodedCredentialsQuery // ignore-query-import
|
||||
|
||||
module HardcodedCredentials {
|
||||
import HardcodedCredentialsCustomizations::HardcodedCredentials
|
||||
|
||||
/**
|
||||
* A data flow tracking configuration for hardcoded credentials.
|
||||
*/
|
||||
class Configuration extends DataFlow::Configuration {
|
||||
Configuration() { this = "HardcodedCredentials" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
|
||||
exists(Base64::Encode encode | src = encode.getInput() and trg = encode.getOutput())
|
||||
or
|
||||
trg.(StringOps::ConcatenationRoot).getALeaf() = src and
|
||||
not exists(src.(StringOps::ConcatenationLeaf).getStringValue()) // to avoid e.g. the ":" in `user + ":" + pass` being flagged as a constant credential.
|
||||
or
|
||||
exists(DataFlow::MethodCallNode bufferFrom |
|
||||
bufferFrom = DataFlow::globalVarRef("Buffer").getAMethodCall("from") and
|
||||
trg = bufferFrom and
|
||||
src = bufferFrom.getArgument(0)
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `HardcodedCredentialsQuery` instead. */
|
||||
deprecated module HardcodedCredentials = HardcodedCredentialsQuery;
|
||||
|
||||
@@ -0,0 +1,34 @@
|
||||
/**
|
||||
* Provides a data flow configuration for reasoning about hardcoded
|
||||
* credentials.
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `HardcodedCredentials::Configuration` is needed, otherwise
|
||||
* `HardcodedCredentialsCustomizations` should be imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import HardcodedCredentialsCustomizations::HardcodedCredentials
|
||||
|
||||
/**
|
||||
* A data flow tracking configuration for hardcoded credentials.
|
||||
*/
|
||||
class Configuration extends DataFlow::Configuration {
|
||||
Configuration() { this = "HardcodedCredentials" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
|
||||
exists(Base64::Encode encode | src = encode.getInput() and trg = encode.getOutput())
|
||||
or
|
||||
trg.(StringOps::ConcatenationRoot).getALeaf() = src and
|
||||
not exists(src.(StringOps::ConcatenationLeaf).getStringValue()) // to avoid e.g. the ":" in `user + ":" + pass` being flagged as a constant credential.
|
||||
or
|
||||
exists(DataFlow::MethodCallNode bufferFrom |
|
||||
bufferFrom = DataFlow::globalVarRef("Buffer").getAMethodCall("from") and
|
||||
trg = bufferFrom and
|
||||
src = bufferFrom.getArgument(0)
|
||||
)
|
||||
}
|
||||
}
|
||||
@@ -1,33 +1,7 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for reasoning about hard-coded data
|
||||
* being interpreted as code.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `HardcodedDataInterpretedAsCode::Configuration` is needed,
|
||||
* otherwise `HardcodedDataInterpretedAsCodeCustomizations` should be
|
||||
* imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `HardcodedDataInterpretedAsCodeQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import HardcodedDataInterpretedAsCodeQuery as HardcodedDataInterpretedAsCodeQuery // ignore-query-import
|
||||
|
||||
module HardcodedDataInterpretedAsCode {
|
||||
import HardcodedDataInterpretedAsCodeCustomizations::HardcodedDataInterpretedAsCode
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about hard-coded data
|
||||
* being interpreted as code
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "HardcodedDataInterpretedAsCode" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
|
||||
source.(Source).getLabel() = lbl
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
|
||||
nd.(Sink).getLabel() = lbl
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `HardcodedDataInterpretedAsCodeQuery` instead. */
|
||||
deprecated module HardcodedDataInterpretedAsCode = HardcodedDataInterpretedAsCodeQuery;
|
||||
|
||||
@@ -0,0 +1,30 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for reasoning about hard-coded data
|
||||
* being interpreted as code.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `HardcodedDataInterpretedAsCode::Configuration` is needed,
|
||||
* otherwise `HardcodedDataInterpretedAsCodeCustomizations` should be
|
||||
* imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import HardcodedDataInterpretedAsCodeCustomizations::HardcodedDataInterpretedAsCode
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about hard-coded data
|
||||
* being interpreted as code
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "HardcodedDataInterpretedAsCode" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
|
||||
source.(Source).getLabel() = lbl
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
|
||||
nd.(Sink).getLabel() = lbl
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
@@ -1,26 +1,7 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about host header
|
||||
* poisoning in email generation.
|
||||
*/
|
||||
/** DEPRECATED. Import `HostHeaderPoisoningInEmailGenerationQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import HostHeaderPoisoningInEmailGenerationQuery as HostHeaderPoisoningInEmailGenerationQuery // ignore-query-import
|
||||
|
||||
module HostHeaderPoisoningInEmailGeneration {
|
||||
/**
|
||||
* A taint tracking configuration for host header poisoning in email generation.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "TaintedHostHeader" }
|
||||
|
||||
override predicate isSource(DataFlow::Node node) {
|
||||
exists(HTTP::RequestHeaderAccess input | node = input |
|
||||
input.getKind() = "header" and
|
||||
input.getAHeaderName() = "host"
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node node) {
|
||||
exists(EmailSender email | node = email.getABody())
|
||||
}
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `HostHeaderPoisoningInEmailGenerationQuery` instead. */
|
||||
deprecated module HostHeaderPoisoningInEmailGeneration = HostHeaderPoisoningInEmailGenerationQuery;
|
||||
|
||||
@@ -0,0 +1,24 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about host header
|
||||
* poisoning in email generation.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for host header poisoning in email generation.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "TaintedHostHeader" }
|
||||
|
||||
override predicate isSource(DataFlow::Node node) {
|
||||
exists(HTTP::RequestHeaderAccess input | node = input |
|
||||
input.getKind() = "header" and
|
||||
input.getAHeaderName() = "host"
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node node) {
|
||||
exists(EmailSender email | node = email.getABody())
|
||||
}
|
||||
}
|
||||
@@ -1,29 +1,7 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about writing user-controlled data to files.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `HttpToFileAccess::Configuration` is needed, otherwise
|
||||
* `HttpToFileAccessCustomizations` should be imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `HttpToFileAccessQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import HttpToFileAccessQuery as HttpToFileAccessQuery // ignore-query-import
|
||||
|
||||
module HttpToFileAccess {
|
||||
import HttpToFileAccessCustomizations::HttpToFileAccess
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for writing user-controlled data to files.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "HttpToFileAccess" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `HttpToFileAccessQuery` instead. */
|
||||
deprecated module HttpToFileAccess = HttpToFileAccessQuery;
|
||||
|
||||
@@ -0,0 +1,26 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about writing user-controlled data to files.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `HttpToFileAccess::Configuration` is needed, otherwise
|
||||
* `HttpToFileAccessCustomizations` should be imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import HttpToFileAccessCustomizations::HttpToFileAccess
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for writing user-controlled data to files.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "HttpToFileAccess" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
super.isSanitizer(node) or
|
||||
node instanceof Sanitizer
|
||||
}
|
||||
}
|
||||
@@ -1,30 +1,7 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for reasoning about improper code
|
||||
* sanitization.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `ImproperCodeSanitization::Configuration` is needed, otherwise
|
||||
* `ImproperCodeSanitizationCustomizations` should be imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `ImproperCodeSanitizationQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import ImproperCodeSanitizationQuery as ImproperCodeSanitizationQuery // ignore-query-import
|
||||
|
||||
/**
|
||||
* Classes and predicates for reasoning about improper code sanitization.
|
||||
*/
|
||||
module ImproperCodeSanitization {
|
||||
import ImproperCodeSanitizationCustomizations::ImproperCodeSanitization
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about improper code sanitization vulnerabilities.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "ImproperCodeSanitization" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer }
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `ImproperCodeSanitizationQuery` instead. */
|
||||
deprecated module ImproperCodeSanitization = ImproperCodeSanitizationQuery;
|
||||
|
||||
@@ -0,0 +1,24 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for reasoning about improper code
|
||||
* sanitization.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `ImproperCodeSanitization::Configuration` is needed, otherwise
|
||||
* `ImproperCodeSanitizationCustomizations` should be imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import ImproperCodeSanitizationCustomizations::ImproperCodeSanitization
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about improper code sanitization vulnerabilities.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "ImproperCodeSanitization" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer }
|
||||
}
|
||||
@@ -1,58 +1,7 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about
|
||||
* incomplete HTML sanitization vulnerabilities.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `IncompleteHtmlAttributeSanitization::Configuration` is needed, otherwise
|
||||
* `IncompleteHtmlAttributeSanitizationCustomizations` should be imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `IncompleteHtmlAttributeSanitizationQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import IncompleteHtmlAttributeSanitizationQuery as IncompleteHtmlAttributeSanitizationQuery // ignore-query-import
|
||||
|
||||
module IncompleteHtmlAttributeSanitization {
|
||||
import IncompleteHtmlAttributeSanitizationCustomizations::IncompleteHtmlAttributeSanitization
|
||||
|
||||
private module Label {
|
||||
class Quote extends DataFlow::FlowLabel {
|
||||
Quote() { this = ["\"", "'"] }
|
||||
}
|
||||
|
||||
class Ampersand extends DataFlow::FlowLabel {
|
||||
Ampersand() { this = "&" }
|
||||
}
|
||||
|
||||
DataFlow::FlowLabel characterToLabel(string c) { c = result }
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about incomplete HTML sanitization vulnerabilities.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "IncompleteHtmlAttributeSanitization" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
|
||||
label = Label::characterToLabel(source.(Source).getAnUnsanitizedCharacter())
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
|
||||
label = Label::characterToLabel(sink.(Sink).getADangerousCharacter())
|
||||
}
|
||||
|
||||
override predicate isAdditionalFlowStep(
|
||||
DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel,
|
||||
DataFlow::FlowLabel dstlabel
|
||||
) {
|
||||
super.isAdditionalFlowStep(src, dst) and srclabel = dstlabel
|
||||
}
|
||||
|
||||
override predicate isLabeledBarrier(DataFlow::Node node, DataFlow::FlowLabel lbl) {
|
||||
lbl = Label::characterToLabel(node.(StringReplaceCall).getAReplacedString()) or
|
||||
isSanitizer(node)
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node n) {
|
||||
n instanceof Sanitizer or
|
||||
super.isSanitizer(n)
|
||||
}
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `IncompleteHtmlAttributeSanitizationQuery` instead. */
|
||||
deprecated module IncompleteHtmlAttributeSanitization = IncompleteHtmlAttributeSanitizationQuery;
|
||||
|
||||
@@ -0,0 +1,55 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about
|
||||
* incomplete HTML sanitization vulnerabilities.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `IncompleteHtmlAttributeSanitization::Configuration` is needed, otherwise
|
||||
* `IncompleteHtmlAttributeSanitizationCustomizations` should be imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import IncompleteHtmlAttributeSanitizationCustomizations::IncompleteHtmlAttributeSanitization
|
||||
|
||||
private module Label {
|
||||
class Quote extends DataFlow::FlowLabel {
|
||||
Quote() { this = ["\"", "'"] }
|
||||
}
|
||||
|
||||
class Ampersand extends DataFlow::FlowLabel {
|
||||
Ampersand() { this = "&" }
|
||||
}
|
||||
|
||||
DataFlow::FlowLabel characterToLabel(string c) { c = result }
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about incomplete HTML sanitization vulnerabilities.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "IncompleteHtmlAttributeSanitization" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
|
||||
label = Label::characterToLabel(source.(Source).getAnUnsanitizedCharacter())
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
|
||||
label = Label::characterToLabel(sink.(Sink).getADangerousCharacter())
|
||||
}
|
||||
|
||||
override predicate isAdditionalFlowStep(
|
||||
DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel,
|
||||
DataFlow::FlowLabel dstlabel
|
||||
) {
|
||||
super.isAdditionalFlowStep(src, dst) and srclabel = dstlabel
|
||||
}
|
||||
|
||||
override predicate isLabeledBarrier(DataFlow::Node node, DataFlow::FlowLabel lbl) {
|
||||
lbl = Label::characterToLabel(node.(StringReplaceCall).getAReplacedString()) or
|
||||
isSanitizer(node)
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node n) {
|
||||
n instanceof Sanitizer or
|
||||
super.isSanitizer(n)
|
||||
}
|
||||
}
|
||||
@@ -1,38 +1,7 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for reasoning about command-injection
|
||||
* vulnerabilities (CWE-078).
|
||||
*/
|
||||
/** DEPRECATED. Import `IndirectCommandInjectionQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import IndirectCommandInjectionQuery as IndirectCommandInjectionQuery // ignore-query-import
|
||||
|
||||
module IndirectCommandInjection {
|
||||
import IndirectCommandInjectionCustomizations::IndirectCommandInjection
|
||||
private import IndirectCommandArgument
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about command-injection vulnerabilities.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "IndirectCommandInjection" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
/**
|
||||
* Holds if `sink` is a data-flow sink for command-injection vulnerabilities, and
|
||||
* the alert should be placed at the node `highlight`.
|
||||
*/
|
||||
predicate isSinkWithHighlight(DataFlow::Node sink, DataFlow::Node highlight) {
|
||||
sink instanceof Sink and highlight = sink
|
||||
or
|
||||
isIndirectCommandArgument(sink, highlight)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
argsParseStep(pred, succ)
|
||||
}
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `IndirectCommandInjectionQuery` instead. */
|
||||
deprecated module IndirectCommandInjection = IndirectCommandInjectionQuery;
|
||||
|
||||
@@ -0,0 +1,35 @@
|
||||
/**
|
||||
* Provides a taint-tracking configuration for reasoning about command-injection
|
||||
* vulnerabilities (CWE-078).
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import IndirectCommandInjectionCustomizations::IndirectCommandInjection
|
||||
private import IndirectCommandArgument
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for reasoning about command-injection vulnerabilities.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "IndirectCommandInjection" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
/**
|
||||
* Holds if `sink` is a data-flow sink for command-injection vulnerabilities, and
|
||||
* the alert should be placed at the node `highlight`.
|
||||
*/
|
||||
predicate isSinkWithHighlight(DataFlow::Node sink, DataFlow::Node highlight) {
|
||||
sink instanceof Sink and highlight = sink
|
||||
or
|
||||
isIndirectCommandArgument(sink, highlight)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
argsParseStep(pred, succ)
|
||||
}
|
||||
}
|
||||
@@ -1,40 +1,7 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about download of sensitive file through insecure connection.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `InsecureDownload::Configuration` is needed, otherwise
|
||||
* `InsecureDownloadCustomizations` should be imported instead.
|
||||
*/
|
||||
/** DEPRECATED. Import `InsecureDownloadQuery` instead. */
|
||||
|
||||
import javascript
|
||||
private import InsecureDownloadQuery as InsecureDownloadQuery // ignore-query-import
|
||||
|
||||
/**
|
||||
* Classes and predicates for reasoning about download of sensitive file through insecure connection vulnerabilities.
|
||||
*/
|
||||
module InsecureDownload {
|
||||
import InsecureDownloadCustomizations::InsecureDownload
|
||||
|
||||
// Materialize flow labels
|
||||
private class ConcreteSensitiveInsecureURL extends Label::SensitiveInsecureURL {
|
||||
ConcreteSensitiveInsecureURL() { this = this }
|
||||
}
|
||||
|
||||
private class ConcreteInsecureURL extends Label::InsecureURL {
|
||||
ConcreteInsecureURL() { this = this }
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for download of sensitive file through insecure connection.
|
||||
*/
|
||||
class Configuration extends DataFlow::Configuration {
|
||||
Configuration() { this = "InsecureDownload" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
|
||||
source.(Source).getALabel() = label
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
|
||||
sink.(Sink).getALabel() = label
|
||||
}
|
||||
}
|
||||
}
|
||||
/** DEPRECATED. Import `InsecureDownloadQuery` instead. */
|
||||
deprecated module InsecureDownload = InsecureDownloadQuery;
|
||||
|
||||
@@ -0,0 +1,34 @@
|
||||
/**
|
||||
* Provides a taint tracking configuration for reasoning about download of sensitive file through insecure connection.
|
||||
*
|
||||
* Note, for performance reasons: only import this file if
|
||||
* `InsecureDownload::Configuration` is needed, otherwise
|
||||
* `InsecureDownloadCustomizations` should be imported instead.
|
||||
*/
|
||||
|
||||
import javascript
|
||||
import InsecureDownloadCustomizations::InsecureDownload
|
||||
|
||||
// Materialize flow labels
|
||||
private class ConcreteSensitiveInsecureURL extends Label::SensitiveInsecureURL {
|
||||
ConcreteSensitiveInsecureURL() { this = this }
|
||||
}
|
||||
|
||||
private class ConcreteInsecureURL extends Label::InsecureURL {
|
||||
ConcreteInsecureURL() { this = this }
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint tracking configuration for download of sensitive file through insecure connection.
|
||||
*/
|
||||
class Configuration extends DataFlow::Configuration {
|
||||
Configuration() { this = "InsecureDownload" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
|
||||
source.(Source).getALabel() = label
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
|
||||
sink.(Sink).getALabel() = label
|
||||
}
|
||||
}
|
||||
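Review bot: Both the file doc (`Provides a taint tracking configuration ...`) and the class doc (`A taint tracking configuration ...`) describe this as taint tracking, but `Configuration` extends `DataFlow::Configuration`, not `TaintTracking::Configuration`, so the documented and actual flow semantics disagree. If value flow is intended, change the class doc to `* A data flow configuration for download of sensitive file through insecure connection.` and the file doc to match; if taint propagation was intended, the base class is the defect. The mismatch predates the move, but this is the file readers will now open.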