
Commit 9128722

committed
JS: Port ImproperCodeSanitization
1 parent 8715c1b commit 9128722


3 files changed

+45
-64
lines changed


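--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ImproperCodeSanitizationQuery.qll
@@ -13,7 +13,23 @@ import ImproperCodeSanitizationCustomizations::ImproperCodeSanitization
 /**
 * A taint-tracking configuration for reasoning about improper code sanitization vulnerabilities.
 */
-class Configuration extends TaintTracking::Configuration {
+module ImproperCodeSanitizationConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+* Taint-tracking for reasoning about improper code sanitization vulnerabilities.
+*/
+module ImproperCodeSanitizationFlow = TaintTracking::Global<ImproperCodeSanitizationConfig>;
+
+/**
+* DEPRECATED. Use the `ImproperCodeSanitizationFlow` module instead.
+*/
+deprecated class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "ImproperCodeSanitization" }
 
 override predicate isSource(DataFlow::Node source) { source instanceof Source }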
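Review bot: The new `ImproperCodeSanitizationConfig` module ports only `isSource`, `isSink` and `isBarrier`, while the deprecated `Configuration` class it replaces continues past the end of the hunk, so it is not visible here whether that class also overrides members such as `isSanitizerGuard` or `isAdditionalTaintStep`; if it does, they need a counterpart in the new module or the ported flow will silently differ from the legacy one. The unchanged `#select` rows in the expected file suggest results are preserved for the cases the test file exercises, but nothing more. A short comment on the barrier line, `// Sanitizers from the customization module cut the taint path here.`, would make the port's intent explicit to the next reader.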

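--- a/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql
+++ b/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql
@@ -14,9 +14,9 @@
 
 import javascript
 import semmle.javascript.security.dataflow.ImproperCodeSanitizationQuery
-import DataFlow::PathGraph
 private import semmle.javascript.heuristics.HeuristicSinks
 private import semmle.javascript.security.dataflow.CodeInjectionCustomizations
+import ImproperCodeSanitizationFlow::PathGraph
 
 /**
 * Gets a type-tracked instance of `RemoteFlowSource` using type-tracker `t`.
@@ -60,9 +60,9 @@ private DataFlow::Node endsInCodeInjectionSink() {
 result = endsInCodeInjectionSink(DataFlow::TypeBackTracker::end())
 }
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+from ImproperCodeSanitizationFlow::PathNode source, ImproperCodeSanitizationFlow::PathNode sink
 where
-cfg.hasFlowPath(source, sink) and
+ImproperCodeSanitizationFlow::flowPath(source, sink) and
 // Basic detection of duplicate results with `js/code-injection`.
 not (
 sink.getNode().(StringOps::ConcatenationLeaf).getRoot() = endsInCodeInjectionSink() and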
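--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/ImproperCodeSanitization.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/ImproperCodeSanitization.expected
@@ -1,69 +1,34 @@
-nodes
-| bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` |
-| bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` |
-| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) |
-| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) |
-| bad-code-sanitization.js:6:11:6:25 | statements |
-| bad-code-sanitization.js:6:24:6:25 | [] |
-| bad-code-sanitization.js:7:21:7:70 | `${name ... key])}` |
-| bad-code-sanitization.js:7:31:7:43 | safeProp(key) |
-| bad-code-sanitization.js:8:27:8:36 | statements |
-| bad-code-sanitization.js:8:27:8:46 | statements.join(';') |
-| bad-code-sanitization.js:8:27:8:46 | statements.join(';') |
-| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) |
-| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) |
-| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) |
-| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
-| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
-| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
-| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
-| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
-| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
-| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
-| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
-| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
-| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
-| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
-| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
-| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
-| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
-| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
-| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
-| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
-| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
-| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
-| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
-| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
-| bad-code-sanitization.js:63:11:63:55 | assignment |
-| bad-code-sanitization.js:63:24:63:55 | `obj[${ ... )}]=42` |
-| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) |
-| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) |
-| bad-code-sanitization.js:64:27:64:36 | assignment |
-| bad-code-sanitization.js:64:27:64:36 | assignment |
 edges
 | bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` | bad-code-sanitization.js:7:31:7:43 | safeProp(key) |
-| bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` | bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` |
-| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` |
-| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:2:65:2:90 | `[${JSO ... key)}]` |
+| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` |
 | bad-code-sanitization.js:6:11:6:25 | statements | bad-code-sanitization.js:8:27:8:36 | statements |
-| bad-code-sanitization.js:6:24:6:25 | [] | bad-code-sanitization.js:6:11:6:25 | statements |
-| bad-code-sanitization.js:7:21:7:70 | `${name ... key])}` | bad-code-sanitization.js:6:24:6:25 | [] |
+| bad-code-sanitization.js:7:5:7:14 | [post update] statements | bad-code-sanitization.js:6:11:6:25 | statements |
+| bad-code-sanitization.js:7:21:7:70 | `${name ... key])}` | bad-code-sanitization.js:7:5:7:14 | [post update] statements |
 | bad-code-sanitization.js:7:31:7:43 | safeProp(key) | bad-code-sanitization.js:7:21:7:70 | `${name ... key])}` |
 | bad-code-sanitization.js:8:27:8:36 | statements | bad-code-sanitization.js:8:27:8:46 | statements.join(';') |
-| bad-code-sanitization.js:8:27:8:36 | statements | bad-code-sanitization.js:8:27:8:46 | statements.join(';') |
-| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) |
-| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) |
-| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) |
-| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) |
-| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) |
-| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) |
-| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) |
-| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) | bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) |
 | bad-code-sanitization.js:63:11:63:55 | assignment | bad-code-sanitization.js:64:27:64:36 | assignment |
-| bad-code-sanitization.js:63:11:63:55 | assignment | bad-code-sanitization.js:64:27:64:36 | assignment |
-| bad-code-sanitization.js:63:24:63:55 | `obj[${ ... )}]=42` | bad-code-sanitization.js:63:11:63:55 | assignment |
-| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | bad-code-sanitization.js:63:24:63:55 | `obj[${ ... )}]=42` |
-| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | bad-code-sanitization.js:63:24:63:55 | `obj[${ ... )}]=42` |
+| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | bad-code-sanitization.js:63:11:63:55 | assignment |
+nodes
+| bad-code-sanitization.js:2:12:2:90 | /^[_$a- ... key)}]` | semmle.label | /^[_$a- ... key)}]` |
+| bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | semmle.label | JSON.stringify(key) |
+| bad-code-sanitization.js:6:11:6:25 | statements | semmle.label | statements |
+| bad-code-sanitization.js:7:5:7:14 | [post update] statements | semmle.label | [post update] statements |
+| bad-code-sanitization.js:7:21:7:70 | `${name ... key])}` | semmle.label | `${name ... key])}` |
+| bad-code-sanitization.js:7:31:7:43 | safeProp(key) | semmle.label | safeProp(key) |
+| bad-code-sanitization.js:8:27:8:36 | statements | semmle.label | statements |
+| bad-code-sanitization.js:8:27:8:46 | statements.join(';') | semmle.label | statements.join(';') |
+| bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | semmle.label | htmlescape(pathname) |
+| bad-code-sanitization.js:19:27:19:47 | JSON.st ... (input) | semmle.label | JSON.st ... (input) |
+| bad-code-sanitization.js:31:30:31:50 | JSON.st ... (input) | semmle.label | JSON.st ... (input) |
+| bad-code-sanitization.js:40:23:40:43 | JSON.st ... (input) | semmle.label | JSON.st ... (input) |
+| bad-code-sanitization.js:44:22:44:42 | JSON.st ... (input) | semmle.label | JSON.st ... (input) |
+| bad-code-sanitization.js:52:28:52:62 | JSON.st ... bble")) | semmle.label | JSON.st ... bble")) |
+| bad-code-sanitization.js:54:29:54:63 | JSON.st ... bble")) | semmle.label | JSON.st ... bble")) |
+| bad-code-sanitization.js:58:29:58:49 | JSON.st ... (taint) | semmle.label | JSON.st ... (taint) |
+| bad-code-sanitization.js:63:11:63:55 | assignment | semmle.label | assignment |
+| bad-code-sanitization.js:63:31:63:49 | JSON.stringify(key) | semmle.label | JSON.stringify(key) |
+| bad-code-sanitization.js:64:27:64:36 | assignment | semmle.label | assignment |
+subpaths
 #select
 | bad-code-sanitization.js:8:27:8:46 | statements.join(';') | bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | bad-code-sanitization.js:8:27:8:46 | statements.join(';') | Code construction depends on an $@. | bad-code-sanitization.js:2:69:2:87 | JSON.stringify(key) | improperly sanitized value |
 | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | Code construction depends on an $@. | bad-code-sanitization.js:15:44:15:63 | htmlescape(pathname) | improperly sanitized value |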
