JavaScript: Allow summary details to be omitted.

Max Schaefer · Max Schaefer · commit bdf29d010a25 · 2019-01-09T09:09:58.000Z
If a summary does not specify a configuration, it is taken to apply to all configurations without custom sanitisers/barriers.

If a source summary does not specify a flow label, `data` is assumed.

If a sink summary does not specify a flow label, both `data` and `taint` are assumed.

Flow step summaries cannot omit flow labels.

Note that the standard extraction queries always provide explicit configurations and flow labels, and hence do not exercise this functionality.
diff --git a/javascript/ql/src/Security/Summaries/ImportFromCsv.qll b/javascript/ql/src/Security/Summaries/ImportFromCsv.qll
@@ -6,6 +6,7 @@
 import javascript
 import semmle.javascript.dataflow.Portals
 import external.ExternalArtifact
+private import Shared
 
 /**
  * An additional source specified in an `additional-sources.csv` file.
@@ -26,18 +27,25 @@ class AdditionalSourceSpec extends ExternalData {
    * Gets the flow label of this source.
    */
   DataFlow::FlowLabel getFlowLabel() {
-    result.toString() = getField(1)
+    sourceFlowLabelSpec(result, getField(1))
   }
 
   /**
-   * Gets the configuration for which this is a source.
+   * Gets the configuration for which this is a source, or any
+   * configuration if this source does not specify a configuration.
    */
   DataFlow::Configuration getConfiguration() {
-    result.toString() = getField(2)
+    configSpec(result, getField(2))
   }
 
   override string toString() {
-    result = getPortal() + " as " + getFlowLabel() + " source for " + getConfiguration()
+    exists (string config |
+      if getField(2) = "" then
+        config = "any configuration"
+      else
+        config = getConfiguration() |
+      result = getPortal() + " as " + getFlowLabel() + " source for " + config
+    )
   }
 }
 
@@ -69,21 +77,30 @@ class AdditionalSinkSpec extends ExternalData {
   }
 
   /**
-   * Gets the flow label of this sink.
+   * Gets the flow label of this sink, or any standard flow label if this sink
+   * does not specify a flow label.
    */
   DataFlow::FlowLabel getFlowLabel() {
-    result.toString() = getField(1)
+    sinkFlowLabelSpec(result, getField(1))
   }
 
   /**
-   * Gets the configuration for which this is a sink.
+   * Gets the configuration for which this is a sink, or any configuration if
+   * this sink does not specify a configuration.
    */
   DataFlow::Configuration getConfiguration() {
-    result.toString() = getField(2)
+    configSpec(result, getField(2))
   }
 
   override string toString() {
-    result = getPortal() + " as " + getFlowLabel() + " sink for " + getConfiguration()
+    exists (string labels, string config |
+      labels = strictconcat(getFlowLabel(), " or ") and
+      if getField(2) = "" then
+        config = "any configuration"
+      else
+        config = getConfiguration() |
+      result = getPortal() + " as " + labels + " sink for " + config
+    )
   }
 }
 
@@ -138,13 +155,19 @@ class AdditionalStepSpec extends ExternalData {
    * Gets the configuration to which this step should be added.
    */
   DataFlow::Configuration getConfiguration() {
-    result.toString() = getField(4)
+    configSpec(result, getField(4))
   }
 
   override string toString() {
-    result = "edge from " + getStartPortal() + " to " + getEndPortal() +
-             ", transforming " + getStartFlowLabel() + " into " + getEndFlowLabel() +
-             " for " + getConfiguration()
+    exists (string config |
+      if getField(4) = "" then
+        config = "any configuration"
+      else
+        config = getConfiguration() |
+      result = "edge from " + getStartPortal() + " to " + getEndPortal() +
+               ", transforming " + getStartFlowLabel() + " into " + getEndFlowLabel() +
+               " for " + config
+    )
   }
 }
 
diff --git a/javascript/ql/src/Security/Summaries/ImportFromExternalPredicates.qll b/javascript/ql/src/Security/Summaries/ImportFromExternalPredicates.qll
@@ -6,6 +6,7 @@
 import javascript
 import semmle.javascript.dataflow.Portals
 import external.ExternalArtifact
+import Shared
 
 /**
  * An external predicate providing information about additional sources.
@@ -42,8 +43,7 @@ private class AdditionalSourceFromSpec extends DataFlow::AdditionalSource {
   }
 
   override predicate isSourceFor(DataFlow::Configuration cfg, DataFlow::FlowLabel lbl) {
-    cfg.toString() = config and
-    lbl = flowLabel
+    configSpec(cfg, config) and sourceFlowLabelSpec(lbl, flowLabel)
   }
 }
 
@@ -61,8 +61,7 @@ private class AdditionalSinkFromSpec extends DataFlow::AdditionalSink {
   }
 
   override predicate isSinkFor(DataFlow::Configuration cfg, DataFlow::FlowLabel lbl) {
-    cfg.toString() = config and
-    lbl = flowLabel
+    configSpec(cfg, config) and sinkFlowLabelSpec(lbl, flowLabel)
   }
 }
 /**
@@ -75,8 +74,9 @@ private class AdditionalFlowStepFromSpec extends DataFlow::Configuration {
   string endFlowLabel;
 
   AdditionalFlowStepFromSpec() {
-    exists (Portal startPortal, Portal endPortal |
-      additionalSteps(startPortal.toString(), startFlowLabel, endPortal.toString(), endFlowLabel, this) and
+    exists (Portal startPortal, Portal endPortal, string config |
+      additionalSteps(startPortal.toString(), startFlowLabel, endPortal.toString(), endFlowLabel, config) and
+      configSpec(this, config) and
       entry = startPortal.getAnEntryNode(_) and
       exit = endPortal.getAnExitNode(_)
     )
diff --git a/javascript/ql/src/Security/Summaries/Shared.qll b/javascript/ql/src/Security/Summaries/Shared.qll
@@ -0,0 +1,37 @@
+/**
+ * Provides utility predicates for working with flow summary specifications.
+ */
+
+import javascript
+
+/**
+ * Holds if `config` matches `spec`, that is, either `spec` is the name of `config`
+ * or `spec` is the empty string and `config` is an arbitrary configuration.
+ */
+predicate configSpec(DataFlow::Configuration config, string spec) {
+  config.toString() = spec
+  or
+  spec = ""
+}
+
+/**
+ * Holds if `lbl` matches `spec`, that is, either `spec` is the name of `config`
+ * or `spec` is the empty string and `lbl` is the built-in flow label `data`.
+ */
+predicate sourceFlowLabelSpec(DataFlow::FlowLabel lbl, string spec) {
+  lbl.toString() = spec
+  or
+  spec = "" and
+  lbl = DataFlow::FlowLabel::data()
+}
+
+/**
+ * Holds if `lbl` matches `spec`, that is, either `spec` is the name of `config`
+ * or `spec` is the empty string and `lbl` is an arbitrary standard flow label.
+ */
+predicate sinkFlowLabelSpec(DataFlow::FlowLabel lbl, string spec) {
+  lbl.toString() = spec
+  or
+  spec = "" and
+  lbl instanceof DataFlow::StandardFlowLabel
+}

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@`
`6`	`6`	`import javascript`
`7`	`7`	`import semmle.javascript.dataflow.Portals`
`8`	`8`	`import external.ExternalArtifact`
	`9`	`+import Shared`
`9`	`10`
`10`	`11`	`/**`
`11`	`12`	`* An external predicate providing information about additional sources.`
`@@ -42,8 +43,7 @@ private class AdditionalSourceFromSpec extends DataFlow::AdditionalSource {`
`42`	`43`	`}`
`43`	`44`
`44`	`45`	`override predicate isSourceFor(DataFlow::Configuration cfg, DataFlow::FlowLabel lbl) {`
`45`		`- cfg.toString() = config and`
`46`		`- lbl = flowLabel`
	`46`	`+ configSpec(cfg, config) and sourceFlowLabelSpec(lbl, flowLabel)`
`47`	`47`	`}`
`48`	`48`	`}`
`49`	`49`
`@@ -61,8 +61,7 @@ private class AdditionalSinkFromSpec extends DataFlow::AdditionalSink {`
`61`	`61`	`}`
`62`	`62`
`63`	`63`	`override predicate isSinkFor(DataFlow::Configuration cfg, DataFlow::FlowLabel lbl) {`
`64`		`- cfg.toString() = config and`
`65`		`- lbl = flowLabel`
	`64`	`+ configSpec(cfg, config) and sinkFlowLabelSpec(lbl, flowLabel)`
`66`	`65`	`}`
`67`	`66`	`}`
`68`	`67`	`/**`
`@@ -75,8 +74,9 @@ private class AdditionalFlowStepFromSpec extends DataFlow::Configuration {`
`75`	`74`	`string endFlowLabel;`
`76`	`75`
`77`	`76`	`AdditionalFlowStepFromSpec() {`
`78`		`- exists (Portal startPortal, Portal endPortal \|`
`79`		`- additionalSteps(startPortal.toString(), startFlowLabel, endPortal.toString(), endFlowLabel, this) and`
	`77`	`+ exists (Portal startPortal, Portal endPortal, string config \|`
	`78`	`+ additionalSteps(startPortal.toString(), startFlowLabel, endPortal.toString(), endFlowLabel, config) and`
	`79`	`+ configSpec(this, config) and`
`80`	`80`	`entry = startPortal.getAnEntryNode(_) and`
`81`	`81`	`exit = endPortal.getAnExitNode(_)`
`82`	`82`	`)`