JS: Use function-forwarding steps when tracking rate limiters

Asger Feldthaus
2021-04-20 13:00:42 +01:00
parent 581f4ed757
commit f8d428cb2d
2 changed files with 32 additions and 12 deletions


@@ -113,29 +113,53 @@ class DatabaseAccessAsExpensiveAction extends ExpensiveAction {
* A route handler expression that is rate-limited by a rate-limiting middleware.
*/
class RouteHandlerExpressionWithRateLimiter extends RateLimitedRouteHandlerExpr {
RouteHandlerExpressionWithRateLimiter() { getAMatchingAncestor() instanceof RateLimiter }
RouteHandlerExpressionWithRateLimiter() {
any(RateLimitingMiddleware m).ref().flowsToExpr(getAMatchingAncestor())
}
}
/**
* DEPRECATED. Use `RateLimitingMiddleware` instead.
*
* A middleware that acts as a rate limiter.
*/
abstract class RateLimiter extends Express::RouteHandlerExpr { }
deprecated class RateLimiter extends Express::RouteHandlerExpr {
RateLimiter() { any(RateLimitingMiddleware m).ref().flowsToExpr(this) }
}
/**
* Creation of a middleware function that acts as a rate limiter.
*/
abstract class RateLimitingMiddleware extends DataFlow::SourceNode {
/** Gets a data flow node referring to this middleware. */
private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
t.start() and
result = this
or
DataFlow::functionOneWayForwardingStep(ref(t.continue()).getALocalUse(), result)
or
exists(DataFlow::TypeTracker t2 | result = ref(t2).track(t2, t))
}
/** Gets a data flow node referring to this middleware. */
DataFlow::SourceNode ref() { result = ref(DataFlow::TypeTracker::end()) }
}
/**
* A rate limiter constructed using the `express-rate-limit` package.
*/
class ExpressRateLimit extends RateLimiter {
class ExpressRateLimit extends RateLimitingMiddleware {
ExpressRateLimit() {
this = API::moduleImport("express-rate-limit").getReturn().getAUse().asExpr()
this = API::moduleImport("express-rate-limit").getReturn().getAnImmediateUse()
}
}
/**
* A rate limiter constructed using the `express-brute` package.
*/
class BruteForceRateLimit extends RateLimiter {
class BruteForceRateLimit extends RateLimitingMiddleware {
BruteForceRateLimit() {
this = API::moduleImport("express-brute").getInstance().getMember("prevent").getAUse().asExpr()
this = API::moduleImport("express-brute").getInstance().getMember("prevent").getAnImmediateUse()
}
}
@@ -183,8 +207,6 @@ class RateLimiterFlexibleRateLimiter extends DataFlow::FunctionNode {
/**
* A route-handler expression that is rate-limited by the `rate-limiter-flexible` package.
*/
class RouteHandlerLimitedByRateLimiterFlexible extends RateLimiter {
RouteHandlerLimitedByRateLimiterFlexible() {
any(RateLimiterFlexibleRateLimiter rl).flowsToExpr(this)
}
class RouteHandlerLimitedByRateLimiterFlexible extends RateLimitingMiddleware {
RouteHandlerLimitedByRateLimiterFlexible() { this instanceof RateLimiterFlexibleRateLimiter }
}
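Review bot: In the second hunk, `RouteHandlerLimitedByRateLimiterFlexible` now extends `RateLimitingMiddleware` and is characterized by `this instanceof RateLimiterFlexibleRateLimiter`, so it no longer denotes a rate-limited route-handler expression but the middleware function itself; the unchanged doc comment "A route-handler expression that is rate-limited by the `rate-limiter-flexible` package." and the class name both say the opposite, which will mislead anyone extending the model. I would replace the doc with `/** A rate-limiting middleware function constructed using the `rate-limiter-flexible` package. */` and, to match the sibling subclasses `ExpressRateLimit` and `BruteForceRateLimit`, consider renaming it (keeping the old name as a `deprecated` alias, as this commit already does for `RateLimiter`). The private `ref(DataFlow::TypeTracker t)` in the first hunk also carries the same one-line doc as the public `ref()`; it is worth saying there that it is the type-tracking worker and that the `functionOneWayForwardingStep` disjunct is what lets a limiter wrapped in a forwarding function still count as a match — presumably the reason for the change, though the step's exact semantics are not visible here. `RateLimiterFlexibleRateLimiter`, which the constructor relies on, is defined outside this hunk.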