

2 Commits

Stephan Brandauer
9359f56edd don't filter sinks due to intermediary notes 2022-03-16 09:58:34 +01:00
Esben Sparre Andreasen
2e28900dbb exclude intermediary data flow nodes from sinks 2022-03-16 09:51:13 +01:00
2 changed files with 57 additions and 47 deletions


@@ -11,8 +11,14 @@ private import semmle.javascript.filters.ClassifyFiles as ClassifyFiles
private import semmle.javascript.heuristics.SyntacticHeuristics private import semmle.javascript.heuristics.SyntacticHeuristics
private import CoreKnowledge as CoreKnowledge private import CoreKnowledge as CoreKnowledge
predicate isIntermediaryDataflowNode(DataFlow::Node n) {
n instanceof DataFlow::ExceptionalInvocationReturnNode
}
/** Provides a set of reasons why a given data flow node should be excluded as a sink candidate. */ /** Provides a set of reasons why a given data flow node should be excluded as a sink candidate. */
string getAReasonSinkExcluded(DataFlow::Node n) { string getAReasonSinkExcluded(DataFlow::Node n) {
not isIntermediaryDataflowNode(n) and
(
isArgumentToModeledFunction(n) and result = "argument to modeled function" isArgumentToModeledFunction(n) and result = "argument to modeled function"
or or
isArgumentToSinklessLibrary(n) and result = "argument to sinkless library" isArgumentToSinklessLibrary(n) and result = "argument to sinkless library"
@@ -30,6 +36,7 @@ string getAReasonSinkExcluded(DataFlow::Node n) {
ClassifyFiles::classify(n.getFile(), category) and ClassifyFiles::classify(n.getFile(), category) and
result = "in " + category + " file" result = "in " + category + " file"
) )
)
} }
/** /**
@@ -125,7 +132,7 @@ private DataFlow::SourceNode getACallback(DataFlow::ParameterNode p, DataFlow::T
* Get calls for which we do not have the callee (i.e. the definition of the called function). This * Get calls for which we do not have the callee (i.e. the definition of the called function). This
* acts as a heuristic for identifying calls to external library functions. * acts as a heuristic for identifying calls to external library functions.
*/ */
private DataFlow::CallNode getACallWithoutCallee() { private DataFlow::InvokeNode getACallWithoutCallee() {
forall(Function callee | callee = result.getACallee() | callee.getTopLevel().isExterns()) and forall(Function callee | callee = result.getACallee() | callee.getTopLevel().isExterns()) and
not exists(DataFlow::ParameterNode param, DataFlow::FunctionNode callback | not exists(DataFlow::ParameterNode param, DataFlow::FunctionNode callback |
param.flowsTo(result.getCalleeNode()) and param.flowsTo(result.getCalleeNode()) and
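Review bot: The new `predicate isIntermediaryDataflowNode(DataFlow::Node n)` has no QLDoc comment, although this file documents the neighbouring `getAReasonSinkExcluded` with `/** ... */` and the second file in this compare now calls it across modules, so it is effectively part of the module's interface. As wired in, `not isIntermediaryDataflowNode(n) and ( ... )` means an `ExceptionalInvocationReturnNode` never receives any exclusion reason at all, including the `ClassifyFiles::classify` "in <category> file" reason, so it always survives as a sink candidate; if that is the intent it should be stated at the definition, e.g. `/** Holds if n is an intermediary data-flow node (currently an exceptional invocation return) for which no sink-exclusion reason is ever reported. */`. The `getACallWithoutCallee` hunk (`CallNode` to `InvokeNode`) is cut off at the end of this section, so the rest of its body is not visible here; the wider `InvokeNode` type also covers `new` expressions, which the QLDoc above it still describes only as "calls" and could mention.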


@@ -25,6 +25,8 @@ module SinkEndpointFilter {
* effective sink. * effective sink.
*/ */
string getAReasonSinkExcluded(DataFlow::Node sinkCandidate) { string getAReasonSinkExcluded(DataFlow::Node sinkCandidate) {
not StandardEndpointFilters::isIntermediaryDataflowNode(sinkCandidate) and
(
result = StandardEndpointFilters::getAReasonSinkExcluded(sinkCandidate) result = StandardEndpointFilters::getAReasonSinkExcluded(sinkCandidate)
or or
// Require path injection sink candidates to be (a) arguments to external library calls // Require path injection sink candidates to be (a) arguments to external library calls
@@ -56,6 +58,7 @@ module SinkEndpointFilter {
isAssignedToOrConcatenatedWith(sinkCandidate, "(?i)path") isAssignedToOrConcatenatedWith(sinkCandidate, "(?i)path")
) and ) and
result = "not a direct argument to a likely external library call or a heuristic sink" result = "not a direct argument to a likely external library call or a heuristic sink"
)
} }
} }
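Review bot: The guard `not StandardEndpointFilters::isIntermediaryDataflowNode(sinkCandidate) and ( ... )` repeats a check that `StandardEndpointFilters::getAReasonSinkExcluded` already applies internally, so it is redundant for the first disjunct and only matters for the local path-injection reason ("not a direct argument to a likely external library call or a heuristic sink"). A one-line comment above the guard would save the next reader from wondering whether the two filters can drift apart, e.g. `// Intermediary nodes get no local exclusion reason either; keep in sync with StandardEndpointFilters.`. Alternatively, placing the guard on the heuristic disjunct alone and leaving the delegation to `StandardEndpointFilters` unguarded would make that intent explicit in the code. The enclosing predicate spans both hunks, so the branches between the two hunk headers are not visible here.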