JavaScript: Select Nodes (instead of PathNodes) everywhere.

Max Schaefer · Max Schaefer · commit 52ae75727992 · 2018-11-14T09:16:40.000Z
diff --git a/javascript/ql/src/Security/CWE-022/TaintedPath.ql b/javascript/ql/src/Security/CWE-022/TaintedPath.ql
@@ -20,4 +20,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), source, sink, "This path depends on $@.", source, "a user-provided value"
+select sink.getNode(), source, sink, "This path depends on $@.",
+       source.getNode(), "a user-provided value"
diff --git a/javascript/ql/src/Security/CWE-078/CommandInjection.ql b/javascript/ql/src/Security/CWE-078/CommandInjection.ql
@@ -22,4 +22,5 @@ where cfg.hasPathFlow(source, sink) and
         cfg.isSinkWithHighlight(sink.getNode(), highlight)
       else
         highlight = sink.getNode()
-select highlight, source, sink, "This command depends on $@.", source, "a user-provided value"
+select highlight, source, sink, "This command depends on $@.",
+       source.getNode(), "a user-provided value"
diff --git a/javascript/ql/src/Security/CWE-079/ReflectedXss.ql b/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -18,4 +18,4 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
 select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
-       source, "user-provided value"
+       source.getNode(), "user-provided value"
diff --git a/javascript/ql/src/Security/CWE-079/StoredXss.ql b/javascript/ql/src/Security/CWE-079/StoredXss.ql
@@ -18,4 +18,4 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
 select sink.getNode(), source, sink, "Stored cross-site scripting vulnerability due to $@.",
-       source, "stored value"
+       source.getNode(), "stored value"
diff --git a/javascript/ql/src/Security/CWE-079/Xss.ql b/javascript/ql/src/Security/CWE-079/Xss.ql
@@ -18,4 +18,4 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
 select sink.getNode(), source, sink, sink.getNode().(Sink).getVulnerabilityKind() + " vulnerability due to $@.",
-       source, "user-provided value"
+       source.getNode(), "user-provided value"
diff --git a/javascript/ql/src/Security/CWE-089/SqlInjection.ql b/javascript/ql/src/Security/CWE-089/SqlInjection.ql
@@ -19,4 +19,5 @@ from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode
 where (cfg instanceof SqlInjection::Configuration or
        cfg instanceof NosqlInjection::Configuration) and
       cfg.hasPathFlow(source, sink)
-select sink.getNode(), source, sink, "This query depends on $@.", source, "a user-provided value"
+select sink.getNode(), source, sink, "This query depends on $@.",
+       source.getNode(), "a user-provided value"
diff --git a/javascript/ql/src/Security/CWE-094/CodeInjection.ql b/javascript/ql/src/Security/CWE-094/CodeInjection.ql
@@ -18,4 +18,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.", source, "User-provided value"
+select sink.getNode(), source, sink, "$@ flows to here and is interpreted as code.",
+       source.getNode(), "User-provided value"
diff --git a/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql b/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql
@@ -15,4 +15,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), source, sink, "$@ flows here and is used in a format string.", source, "User-provided value"
+select sink.getNode(), source, sink, "$@ flows here and is used in a format string.",
+       source.getNode(), "User-provided value"
diff --git a/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql b/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql
@@ -14,4 +14,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), source, sink, "$@ flows directly to outbound network request", source, "File data"
+select sink.getNode(), source, sink, "$@ flows directly to outbound network request",
+       source.getNode(), "File data"
diff --git a/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql b/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql
@@ -18,4 +18,4 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
 select sink.getNode(), source, sink, "Stack trace information from $@ may be exposed to an external user here.",
-       source, "here"
+       source.getNode(), "here"
diff --git a/javascript/ql/src/Security/CWE-312/CleartextLogging.ql b/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
@@ -36,4 +36,5 @@ from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink) and
       // ignore logging to the browser console (even though it is not a good practice)
       not inBrowserEnvironment(sink.getNode().asExpr().getTopLevel())
-select sink.getNode(), source, sink, "Sensitive data returned by $@ is logged here.", source, source.getNode().(Source).describe()
+select sink.getNode(), source, sink, "Sensitive data returned by $@ is logged here.",
+       source.getNode(), source.getNode().(Source).describe()
diff --git a/javascript/ql/src/Security/CWE-312/CleartextStorage.ql b/javascript/ql/src/Security/CWE-312/CleartextStorage.ql
@@ -18,4 +18,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), source, sink, "Sensitive data returned by $@ is stored here.", source, source.getNode().(Source).describe()
+select sink.getNode(), source, sink, "Sensitive data returned by $@ is stored here.",
+       source.getNode(), source.getNode().(Source).describe()
diff --git a/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql b/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
@@ -16,5 +16,6 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink) and
-      not source.asExpr() instanceof CleartextPasswordExpr // flagged by js/insufficient-password-hash
-select sink.getNode(), source, sink, "Sensitive data from $@ is used in a broken or weak cryptographic algorithm.", source , source.(Source).describe()
+      not source.getNode().asExpr() instanceof CleartextPasswordExpr // flagged by js/insufficient-password-hash
+select sink.getNode(), source, sink, "Sensitive data from $@ is used in a broken or weak cryptographic algorithm.",
+       source.getNode(), source.getNode().(Source).describe()
diff --git a/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql b/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql
@@ -16,4 +16,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), source, sink, "Cryptographically insecure $@ in a security context.", source, "random value"
+select sink.getNode(), source, sink, "Cryptographically insecure $@ in a security context.",
+       source.getNode(), "random value"
diff --git a/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql b/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
@@ -18,5 +18,5 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
 select sink.getNode(), source, sink, "$@ leak vulnerability due to $@.",
-       sink.(Sink).getCredentialsHeader(), "Credential",
-       source, "a misconfigured CORS header value"
+       sink.getNode().(Sink).getCredentialsHeader(), "Credential",
+       source.getNode(), "a misconfigured CORS header value"
diff --git a/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql b/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql
@@ -18,5 +18,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), source, sink, "A $@ is used as" + sink.(Sink).getMessage(),
-       source, "user-provided value"
+select sink.getNode(), source, sink, "A $@ is used as" + sink.getNode().(Sink).getMessage(),
+       source.getNode(), "user-provided value"
diff --git a/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql b/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
@@ -16,4 +16,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), source, sink, "Unsafe deserialization of $@.", source, "user input"
+select sink.getNode(), source, sink, "Unsafe deserialization of $@.",
+       source.getNode(), "user input"
diff --git a/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql b/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql
@@ -18,4 +18,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source, "user-provided value"
+select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.",
+       source.getNode(), "user-provided value"
diff --git a/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql b/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql
@@ -16,4 +16,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.", source, "user-provided value"
+select sink.getNode(), source, sink, "Untrusted URL redirection due to $@.",
+       source.getNode(), "user-provided value"
diff --git a/javascript/ql/src/Security/CWE-611/Xxe.ql b/javascript/ql/src/Security/CWE-611/Xxe.ql
@@ -18,4 +18,4 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
 select sink.getNode(), source, sink, "A $@ is parsed as XML without guarding against external entity expansion.",
-       source, "user-provided value"
+       source.getNode(), "user-provided value"
diff --git a/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql b/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
@@ -16,4 +16,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), source, sink, "Links in this email can be hijacked by poisoning the HTTP host header $@.", source, "here"
+select sink.getNode(), source, sink, "Links in this email can be hijacked by poisoning the HTTP host header $@.",
+       source.getNode(), "here"
diff --git a/javascript/ql/src/Security/CWE-643/XpathInjection.ql b/javascript/ql/src/Security/CWE-643/XpathInjection.ql
@@ -16,4 +16,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), source, sink, "$@ flows here and is used in an XPath expression.", source, "User-provided value"
+select sink.getNode(), source, sink, "$@ flows here and is used in an XPath expression.",
+       source.getNode(), "User-provided value"
diff --git a/javascript/ql/src/Security/CWE-730/RegExpInjection.ql b/javascript/ql/src/Security/CWE-730/RegExpInjection.ql
@@ -18,4 +18,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), source, sink, "This regular expression is constructed from a $@.", source, "user-provided value"
+select sink.getNode(), source, sink, "This regular expression is constructed from a $@.",
+       source.getNode(), "user-provided value"
diff --git a/javascript/ql/src/Security/CWE-776/XmlBomb.ql b/javascript/ql/src/Security/CWE-776/XmlBomb.ql
@@ -18,4 +18,4 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
 select sink.getNode(), source, sink, "A $@ is parsed as XML without guarding against uncontrolled entity expansion.",
-       source, "user-provided value"
+       source.getNode(), "user-provided value"
diff --git a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -23,4 +23,5 @@ where cfg.hasPathFlow(source, sink) and
         value = "The hard-coded value \"" + source.getNode().asExpr().(ConstantString).getStringValue() + "\""
       else
         value = "This hard-coded value"
-select source.getNode(), source, sink, value + " is used as $@.", sink, sink.getNode().(Sink).getKind()
+select source.getNode(), source, sink, value + " is used as $@.",
+       sink.getNode(), sink.getNode().(Sink).getKind()
diff --git a/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql b/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
@@ -114,4 +114,4 @@ where isTaintedGuardForSensitiveAction(sink, source, action) and
       not isEarlyAbortGuard(sink, action)
 select sink.getNode(), source, sink, "This condition guards a sensitive $@, but $@ controls it.",
     action, "action",
-    source, "a user-provided value"
+    source.getNode(), "a user-provided value"
diff --git a/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql b/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql
@@ -15,4 +15,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), source, sink, "Potential type confusion for $@.", source, "HTTP request parameter"
+select sink.getNode(), source, sink, "Potential type confusion for $@.",
+       source.getNode(), "HTTP request parameter"
diff --git a/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql b/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
@@ -14,4 +14,4 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), source, sink, "$@ flows to file system", source, "Untrusted data"
+select sink.getNode(), source, sink, "$@ flows to file system", source.getNode(), "Untrusted data"
diff --git a/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql b/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql
@@ -15,4 +15,5 @@ import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasPathFlow(source, sink)
-select sink.getNode(), source, sink, "Password from $@ is hashed insecurely.", source , source.(Source).describe()
+select sink.getNode(), source, sink, "Password from $@ is hashed insecurely.",
+       source.getNode(), source.getNode().(Source).describe()
diff --git a/javascript/ql/src/Security/CWE-918/RequestForgery.ql b/javascript/ql/src/Security/CWE-918/RequestForgery.ql
@@ -16,4 +16,5 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node request
 where cfg.hasPathFlow(source, sink) and
       request = sink.getNode().(Sink).getARequest()
-select request, source, sink, "The $@ of this request depends on $@.", sink, sink.getNode().(Sink).getKind(), source, "a user-provided value"
+select request, source, sink, "The $@ of this request depends on $@.",
+       sink.getNode(), sink.getNode().(Sink).getKind(), source, "a user-provided value"
