mirror of
https://github.com/github/codeql.git
synced 2025-12-18 01:33:15 +01:00
222 lines
7.4 KiB
Plaintext
222 lines
7.4 KiB
Plaintext
import javascript
|
|
import semmle.javascript.security.dataflow.CleartextStorageCustomizations
|
|
import semmle.javascript.security.dataflow.CorsMisconfigurationForCredentialsCustomizations
|
|
import semmle.javascript.security.dataflow.StackTraceExposureCustomizations
|
|
import semmle.javascript.security.dataflow.ServerSideUrlRedirectCustomizations
|
|
import semmle.javascript.security.dataflow.RequestForgeryCustomizations
|
|
import semmle.javascript.security.dataflow.ReflectedXssCustomizations
|
|
import semmle.javascript.security.dataflow.ReflectedXssQuery as XssConfig
|
|
|
|
class InlineTest extends LineComment {
|
|
string tests;
|
|
|
|
InlineTest() { tests = this.getText().regexpCapture("\\s*test:(.*)", 1) }
|
|
|
|
string getPositiveTest() {
|
|
result = tests.trim().splitAt(",").trim() and not result.matches("!%")
|
|
}
|
|
|
|
string getNegativeTest() { result = tests.trim().splitAt(",").trim() and result.matches("!%") }
|
|
|
|
predicate hasPositiveTest(string test) { test = this.getPositiveTest() }
|
|
|
|
predicate hasNegativeTest(string test) { test = this.getNegativeTest() }
|
|
|
|
predicate inNode(DataFlow::Node n) {
|
|
this.getLocation().getFile() = n.getFile() and
|
|
this.getLocation().getStartLine() = n.getStartLine()
|
|
}
|
|
}
|
|
|
|
query predicate passingPositiveTests(string res, string expectation, InlineTest t) {
|
|
res = "PASSED" and
|
|
t.hasPositiveTest(expectation) and
|
|
(
|
|
expectation = "headerDefinition" and
|
|
exists(Http::HeaderDefinition n | t.inNode(n))
|
|
or
|
|
expectation = "cookieDefinition" and
|
|
exists(Http::CookieDefinition n | t.inNode(n))
|
|
or
|
|
expectation = "templateInstantiation" and
|
|
exists(Templating::TemplateInstantiation::Range n | t.inNode(n))
|
|
or
|
|
expectation = "source" and
|
|
exists(RemoteFlowSource n | t.inNode(n))
|
|
or
|
|
expectation = "setup" and
|
|
exists(Http::RouteSetup n | t.inNode(n))
|
|
or
|
|
expectation = "handler" and
|
|
exists(Http::RouteHandler n | t.inNode(n))
|
|
or
|
|
expectation = "candidateHandler" and
|
|
exists(Http::RouteHandlerCandidate n | t.inNode(n))
|
|
or
|
|
expectation = "xssSink" and
|
|
exists(ReflectedXss::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "xss" and
|
|
exists(DataFlow::Node sink | XssConfig::ReflectedXssFlow::flowTo(sink) and t.inNode(sink))
|
|
or
|
|
expectation = "cleartextStorageSink" and
|
|
exists(CleartextStorage::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "corsMiconfigurationSink" and
|
|
exists(CorsMisconfigurationForCredentials::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "stackTraceExposureSink" and
|
|
exists(StackTraceExposure::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "redirectSink" and
|
|
exists(ServerSideUrlRedirect::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "ssrfSink" and
|
|
exists(RequestForgery::Sink n | t.inNode(n))
|
|
)
|
|
}
|
|
|
|
query predicate failingPositiveTests(string res, string expectation, InlineTest t) {
|
|
res = "FAILED" and
|
|
t.hasPositiveTest(expectation) and
|
|
(
|
|
expectation = "headerDefinition" and
|
|
not exists(Http::HeaderDefinition n | t.inNode(n))
|
|
or
|
|
expectation = "cookieDefinition" and
|
|
not exists(Http::CookieDefinition n | t.inNode(n))
|
|
or
|
|
expectation = "templateInstantiation" and
|
|
not exists(Templating::TemplateInstantiation::Range n | t.inNode(n))
|
|
or
|
|
expectation = "source" and
|
|
not exists(RemoteFlowSource n | t.inNode(n))
|
|
or
|
|
expectation = "setup" and
|
|
not exists(Http::RouteSetup n | t.inNode(n))
|
|
or
|
|
expectation = "handler" and
|
|
not exists(Http::RouteHandler n | t.inNode(n))
|
|
or
|
|
expectation = "candidateHandler" and
|
|
not exists(Http::RouteHandlerCandidate n | t.inNode(n))
|
|
or
|
|
expectation = "xssSink" and
|
|
not exists(ReflectedXss::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "xss" and
|
|
not exists(DataFlow::Node sink | XssConfig::ReflectedXssFlow::flowTo(sink) and t.inNode(sink))
|
|
or
|
|
expectation = "cleartextStorageSink" and
|
|
not exists(CleartextStorage::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "corsMiconfigurationSink" and
|
|
not exists(CorsMisconfigurationForCredentials::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "stackTraceExposureSink" and
|
|
not exists(StackTraceExposure::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "redirectSink" and
|
|
not exists(ServerSideUrlRedirect::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "ssrfSink" and
|
|
not exists(RequestForgery::Sink n | t.inNode(n))
|
|
)
|
|
}
|
|
|
|
query predicate passingNegativeTests(string res, string expectation, InlineTest t) {
|
|
res = "PASSED" and
|
|
t.hasNegativeTest(expectation) and
|
|
(
|
|
expectation = "!headerDefinition" and
|
|
not exists(Http::HeaderDefinition n | t.inNode(n))
|
|
or
|
|
expectation = "!cookieDefinition" and
|
|
not exists(Http::CookieDefinition n | t.inNode(n))
|
|
or
|
|
expectation = "!templateInstantiation" and
|
|
not exists(Templating::TemplateInstantiation::Range n | t.inNode(n))
|
|
or
|
|
expectation = "!source" and
|
|
not exists(RemoteFlowSource n | t.inNode(n))
|
|
or
|
|
expectation = "!setup" and
|
|
not exists(Http::RouteSetup n | t.inNode(n))
|
|
or
|
|
expectation = "!handler" and
|
|
not exists(Http::RouteHandler n | t.inNode(n))
|
|
or
|
|
expectation = "!candidateHandler" and
|
|
not exists(Http::RouteHandlerCandidate n | t.inNode(n))
|
|
or
|
|
expectation = "!xssSink" and
|
|
not exists(ReflectedXss::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "!xss" and
|
|
not exists(DataFlow::Node sink | XssConfig::ReflectedXssFlow::flowTo(sink) and t.inNode(sink))
|
|
or
|
|
expectation = "!cleartextStorageSink" and
|
|
not exists(CleartextStorage::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "!corsMiconfigurationSink" and
|
|
not exists(CorsMisconfigurationForCredentials::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "!stackTraceExposureSink" and
|
|
not exists(StackTraceExposure::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "!redirectSink" and
|
|
not exists(ServerSideUrlRedirect::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "!ssrfSink" and
|
|
not exists(RequestForgery::Sink n | t.inNode(n))
|
|
)
|
|
}
|
|
|
|
query predicate failingNegativeTests(string res, string expectation, InlineTest t) {
|
|
res = "FAILED" and
|
|
t.hasNegativeTest(expectation) and
|
|
(
|
|
expectation = "!headerDefinition" and
|
|
exists(Http::HeaderDefinition n | t.inNode(n))
|
|
or
|
|
expectation = "!cookieDefinition" and
|
|
exists(Http::CookieDefinition n | t.inNode(n))
|
|
or
|
|
expectation = "!templateInstantiation" and
|
|
exists(Templating::TemplateInstantiation::Range n | t.inNode(n))
|
|
or
|
|
expectation = "!source" and
|
|
exists(RemoteFlowSource n | t.inNode(n))
|
|
or
|
|
expectation = "!setup" and
|
|
exists(Http::RouteSetup n | t.inNode(n))
|
|
or
|
|
expectation = "!handler" and
|
|
exists(Http::RouteHandler n | t.inNode(n))
|
|
or
|
|
expectation = "!candidateHandler" and
|
|
exists(Http::RouteHandlerCandidate n | t.inNode(n))
|
|
or
|
|
expectation = "!xssSink" and
|
|
exists(ReflectedXss::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "!xss" and
|
|
exists(DataFlow::Node sink | XssConfig::ReflectedXssFlow::flowTo(sink) and t.inNode(sink))
|
|
or
|
|
expectation = "!cleartextStorageSink" and
|
|
exists(CleartextStorage::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "!corsMiconfigurationSink" and
|
|
exists(CorsMisconfigurationForCredentials::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "!stackTraceExposureSink" and
|
|
exists(StackTraceExposure::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "!redirectSink" and
|
|
exists(ServerSideUrlRedirect::Sink n | t.inNode(n))
|
|
or
|
|
expectation = "!ssrfSink" and
|
|
exists(RequestForgery::Sink n | t.inNode(n))
|
|
)
|
|
}
|