TokenAssignmentValueSink refactor

bananabr · bananabr · commit 375edf74552f · 2022-10-25T09:50:04.000-05:00
diff --git a/javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql b/javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
@@ -28,17 +28,12 @@ class PredictableResultSource extends DataFlow::Node {
 
 class TokenAssignmentValueSink extends DataFlow::Node {
   TokenAssignmentValueSink() {
-    exists(PropWrite pw | this = pw.getRhs() |
-      pw.getPropertyName().toLowerCase().matches(["%token", "%code"])
-    )
+    exists(string name | name.toLowerCase().matches(["%token", "%code"]) |
+      exists(PropWrite pw | this = pw.getRhs() | pw.getPropertyName().toLowerCase() = name)
     or
     exists(AssignExpr ae | this = ae.getRhs().flow() |
-      ae.getLhs()
-          .(VariableAccess)
-          .getVariable()
-          .getName()
-          .toLowerCase()
-          .matches(["%token", "%code"])
+        ae.getLhs().(VariableAccess).getVariable().getName().toLowerCase() = name
+      )
     )
   }
 }
diff --git a/python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql b/python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
@@ -34,14 +34,10 @@ class PredictableResultSource extends DataFlow::Node {
 
 class TokenAssignmentValueSink extends DataFlow::Node {
   TokenAssignmentValueSink() {
-    exists(Assign a, Expr target | this = DataFlow::exprNode(a.getValue()) |
-      target = a.getATarget() and
-      (target instanceof Attribute or target instanceof Name) and
-      (
-        target.(Attribute).getName().toLowerCase().matches(["%token", "%code"])
+    exists(string name | name.toLowerCase().matches(["%token", "%code"]) |
+      exists(DefinitionNode n | n.getValue() = this.asCfgNode() | name = n.(NameNode).getId())
         or
-        target.(Name).getId().toLowerCase().matches(["%token", "%code"])
-      )
+      exists(DataFlow::AttrWrite aw | aw.getValue() = this | name = aw.getAttributeName())
     )
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -34,14 +34,10 @@ class PredictableResultSource extends DataFlow::Node {`
`34`	`34`
`35`	`35`	`class TokenAssignmentValueSink extends DataFlow::Node {`
`36`	`36`	`TokenAssignmentValueSink() {`
`37`		`- exists(Assign a, Expr target \| this = DataFlow::exprNode(a.getValue()) \|`
`38`		`- target = a.getATarget() and`
`39`		`- (target instanceof Attribute or target instanceof Name) and`
`40`		`- (`
`41`		`- target.(Attribute).getName().toLowerCase().matches(["%token", "%code"])`
	`37`	`+ exists(string name \| name.toLowerCase().matches(["%token", "%code"]) \|`
	`38`	`+ exists(DefinitionNode n \| n.getValue() = this.asCfgNode() \| name = n.(NameNode).getId())`
`42`	`39`	`or`
`43`		`- target.(Name).getId().toLowerCase().matches(["%token", "%code"])`
`44`		`- )`
	`40`	`+ exists(DataFlow::AttrWrite aw \| aw.getValue() = this \| name = aw.getAttributeName())`
`45`	`41`	`)`
`46`	`42`	`}`
`47`	`43`	`}`