codeql/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll

/**
 * Provides a taint-tracking configuration for reasoning about code
 * injection vulnerabilities.
 *
 * Note, for performance reasons: only import this file if
 * `CodeInjection::Configuration` is needed, otherwise
 * `CodeInjectionCustomizations` should be imported instead.
 */

import javascript
import CodeInjectionCustomizations::CodeInjection

/**
 * A taint-tracking configuration for reasoning about code injection vulnerabilities.
 */
module CodeInjectionConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof Source }

  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
    // HTML sanitizers are insufficient protection against code injection
    node1 = node2.(HtmlSanitizerCall).getInput()
  }

  predicate observeDiffInformedIncrementalMode() { any() }
}

/**
 * Taint-tracking for reasoning about code injection vulnerabilities.
 */
module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;

/**
 * DEPRRECATED. Use the `CodeInjectionFlow` module instead.
 */
deprecated class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "CodeInjection" }

  override predicate isSource(DataFlow::Node source) { source instanceof Source }

  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  override predicate isSanitizer(DataFlow::Node node) {
    super.isSanitizer(node) or
    node instanceof Sanitizer
  }

  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
    CodeInjectionConfig::isAdditionalFlowStep(node1, node2)
  }
}