hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-25 00:27:09 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
17183bdb57fe6afa50c5ee346582588b39c68435
codeql/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionCustomizations.qll
Andrew Eisenberg 45d1fa7f01 Packaging: Rafactor Javascript core libraries 
Extract the external facing `qll` files into the codeql/javascript-all
query pack.
2021-08-25 12:15:56 -07:00

71 lines
2.1 KiB
Plaintext
Raw Blame History

/**
* Provides default sources, sinks and sanitizers for reasoning about
* injections in property names, used either for writing into a
* property, into a header or for calling an object's method, as well
* as extension points for adding your own.
*/
import javascript
import semmle.javascript.frameworks.Express
import PropertyInjectionShared
module RemotePropertyInjection {
/**
* A data flow source for remote property injection.
*/
abstract class Source extends DataFlow::Node { }
/**
* A data flow sink for remote property injection.
*/
abstract class Sink extends DataFlow::Node {
/**
* Gets a string to identify the different types of sinks.
*/
abstract string getMessage();
}
/**
* A sanitizer for remote property injection.
*/
abstract class Sanitizer extends DataFlow::Node { }
/**
* A source of remote user input, considered as a flow source for remote property
* injection.
*/
class RemoteFlowSourceAsSource extends Source {
RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
}
/**
* A sink for property writes with dynamically computed property name.
*/
class PropertyWriteSink extends Sink, DataFlow::ValueNode {
PropertyWriteSink() {
exists(DataFlow::PropWrite pw | astNode = pw.getPropertyNameExpr()) or
exists(DeleteExpr expr | expr.getOperand().(PropAccess).getPropertyNameExpr() = astNode)
}
override string getMessage() { result = " a property name to write to." }
}
/**
* A sink for HTTP header writes with dynamically computed header name.
* This sink avoids double-flagging by ignoring `SetMultipleHeaders` since
* the multiple headers use case consists of an objects containing different
* header names as properties. This case is already handled by
* `PropertyWriteSink`.
*/
class HeaderNameSink extends Sink, DataFlow::ValueNode {
HeaderNameSink() {
exists(HTTP::ExplicitHeaderDefinition hd |
not hd instanceof Express::SetMultipleHeaders and
astNode = hd.getNameExpr()
)
}
override string getMessage() { result = " a header name." }
}
}
Reference in New Issue View Git Blame Copy Permalink