hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-17 23:43:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
1b70111dd256961bec3191ea04a1077bc4ad34fe
codeql/javascript/ql/lib/semmle/javascript/security/CommonFlowState.qll
Asger F 5f42a715f6 JS: Migrate TaintedObject to a CommonFlowState
2024-12-13 10:08:08 +01:00

91 lines
2.7 KiB
Plaintext
Raw Blame History

/**
* Contains a class with flow states that are used by multiple queries.
*/
private import javascript
private import TaintedUrlSuffixCustomizations
private import TaintedObjectCustomizations
private newtype TFlowState =
TTaint() or
TTaintedUrlSuffix() or
TTaintedPrefix() or
TTaintedObject()
/**
* A flow state indicating which part of a value is tainted.
*/
class FlowState extends TFlowState {
/**
* Holds if this represents a value that is considered entirely tainted, except the first character
* might not be user-controlled.
*/
predicate isTaint() { this = TTaint() }
/**
* Holds if this represents a URL whose fragment and/or query parts are considered tainted.
*/
predicate isTaintedUrlSuffix() { this = TTaintedUrlSuffix() }
/**
* Holds if this represents a string whose prefix is known to be tainted.
*/
predicate isTaintedPrefix() { this = TTaintedPrefix() }
/**
* Holds if this represents a deeply tainted object, such as a JSON object
* parsed from user-controlled data.
*/
predicate isTaintedObject() { this = TTaintedObject() }
/** Gets a string representation of this flow state. */
string toString() {
this.isTaint() and result = "taint"
or
this.isTaintedUrlSuffix() and result = "tainted-url-suffix"
or
this.isTaintedPrefix() and result = "tainted-prefix"
or
this.isTaintedObject() and result = "tainted-object"
}
/** DEPRECATED. Gets the corresponding flow label. */
deprecated DataFlow::FlowLabel toFlowLabel() {
this.isTaint() and result.isTaint()
or
this.isTaintedUrlSuffix() and result = TaintedUrlSuffix::label()
or
this.isTaintedPrefix() and result = "PrefixString"
or
this.isTaintedObject() and result = TaintedObject::label()
}
}
/** Convenience predicates for working with common flow states. */
module FlowState {
/**
* Gets the flow state representing a value that is considered entirely tainted, except the first character
* might not be user-controlled.
*/
FlowState taint() { result.isTaint() }
/**
* Gets the flow state representing a URL whose fragment and/or query parts are considered tainted.
*/
FlowState taintedUrlSuffix() { result.isTaintedUrlSuffix() }
/**
* Gets the flow state representing a string whose prefix is known to be tainted.
*/
FlowState taintedPrefix() { result.isTaintedPrefix() }
/**
* Gets the flow state representing a deeply tainted object, such as a JSON object
* parsed from user-controlled data.
*/
FlowState taintedObject() { result.isTaintedObject() }
/** DEPRECATED. Gets the flow state corresponding to `label`. */
deprecated FlowState fromFlowLabel(DataFlow::FlowLabel label) { result.toFlowLabel() = label }
}
Reference in New Issue View Git Blame Copy Permalink