Commit 55a9688

committed
revert the JS deprecations. The old dataflow library is not that old yet
1 parent 1ddfb3b commit 55a9688

68 files changed

+1647
-1
lines changed
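--- a/javascript/ql/lib/semmle/javascript/ES2015Modules.qll
+++ b/javascript/ql/lib/semmle/javascript/ES2015Modules.qll
@@ -104,6 +104,18 @@ class ImportDeclaration extends Stmt, Import, @import_declaration {
 */
 ObjectExpr getImportAttributes() { result = this.getChildExpr(-10) }
 
+/**
+* DEPRECATED: use `getImportAttributes` instead.
+* Gets the object literal passed as part of the `with` (or `assert`) clause in this import declaration.
+*
+* For example, this gets the `{ type: "json" }` object literal in the following:
+* ```js
+* import foo from "foo" with { type: "json" };
+* import foo from "foo" assert { type: "json" };
+* ```
+*/
+deprecated ObjectExpr getImportAssertion() { result = this.getImportAttributes() }
+
 /** Gets the `i`th import specifier of this import declaration. */
 ImportSpecifier getSpecifier(int i) { result = this.getChildExpr(i) }
 
@@ -338,6 +350,21 @@ abstract class ExportDeclaration extends Stmt, @export_declaration {
 * ```
 */
 ObjectExpr getImportAttributes() { result = this.getChildExpr(-10) }
+
+/**
+* DEPRECATED: use `getImportAttributes` instead.
+* Gets the object literal passed as part of the `with` (or `assert`) clause, if this is
+* a re-export declaration.
+*
+* For example, this gets the `{ type: "json" }` expression in each of the following:
+* ```js
+* export { x } from 'foo' with { type: "json" };
+* export * from 'foo' with { type: "json" };
+* export * as x from 'foo' with { type: "json" };
+* export * from 'foo' assert { type: "json" };
+* ```
+*/
+deprecated ObjectExpr getImportAssertion() { result = this.getImportAttributes() }
 }
 
 /**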

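--- a/javascript/ql/lib/semmle/javascript/Expr.qll
+++ b/javascript/ql/lib/semmle/javascript/Expr.qll
@@ -2830,6 +2830,17 @@ class DynamicImportExpr extends @dynamic_import, Expr, Import {
 */
 Expr getImportOptions() { result = this.getChildExpr(1) }
 
+/**
+* DEPRECATED: use `getImportOptions` instead.
+* Gets the second "argument" to the import expression, that is, the `Y` in `import(X, Y)`.
+*
+* For example, gets the `{ with: { type: "json" }}` expression in the following:
+* ```js
+* import('foo', { with: { type: "json" }})
+* ```
+*/
+deprecated Expr getImportAttributes() { result = this.getImportOptions() }
+
 override Module getEnclosingModule() { result = this.getTopLevel() }
 
 override DataFlow::Node getImportedModuleNode() { result = DataFlow::valueNode(this) }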
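Review bot: The deprecated name reintroduced here, `DynamicImportExpr.getImportAttributes`, is the same identifier that `ImportDeclaration` and `ExportDeclaration` in ES2015Modules.qll use for their current, non-deprecated accessor in this very commit, so a reader moving between the two classes gets opposite advice for the same name. That is inherited from the pre-deprecation API and cannot be renamed now, but the QLDoc on new line 2834 should say so explicitly; I would add the sentence `Unlike ImportDeclaration.getImportAttributes(), this predicate is deprecated; the replacement is getImportOptions().` after the DEPRECATED line. The enclosing class `DynamicImportExpr` starts before this hunk.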

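--- a/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
@@ -39,3 +39,19 @@ module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
 * Taint tracking flow for sensitive information in broken or weak cryptographic algorithms.
 */
 module BrokenCryptoAlgorithmFlow = TaintTracking::Global<BrokenCryptoAlgorithmConfig>;
+
+/**
+* DEPRECATED. Use the `BrokenCryptoAlgorithmFlow` module instead.
+*/
+deprecated class Configuration extends TaintTracking::Configuration {
+Configuration() { this = "BrokenCryptoAlgorithm" }
+
+override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+override predicate isSanitizer(DataFlow::Node node) {
+super.isSanitizer(node) or
+node instanceof Sanitizer
+}
+}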
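Review bot: The legacy `Configuration` re-enumerates `Source`, `Sink` and `Sanitizer` (new lines 49–56) instead of delegating to `BrokenCryptoAlgorithmConfig`, which is how the shim in CommandInjectionQuery.qll in this same commit is written (`CommandInjectionConfig::isSource(source)` and friends). The two mechanisms now have to be kept in step by hand: a barrier or extra step added to the new module later would be absent from the deprecated path without anyone noticing. Where the module exposes the predicate, delegation is a one-line change per override, e.g. `override predicate isSink(DataFlow::Node sink) { BrokenCryptoAlgorithmConfig::isSink(sink) }`; `super.isSanitizer(node) or` should stay in `isSanitizer`, since the old base class's default sanitizers are not part of the new module. The same re-enumerating shape appears in CleartextStorageQuery.qll, ClientSideRequestForgeryQuery.qll, CodeInjectionQuery.qll and ConditionalBypassQuery.qll.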

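--- a/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll
@@ -38,3 +38,24 @@ module BuildArtifactLeakConfig implements DataFlow::ConfigSig {
 * Taint tracking flow for storage of sensitive information in build artifact.
 */
 module BuildArtifactLeakFlow = TaintTracking::Global<BuildArtifactLeakConfig>;
+
+/**
+* DEPRECATED. Use the `BuildArtifactLeakFlow` module instead.
+*/
+deprecated class Configuration extends TaintTracking::Configuration {
+Configuration() { this = "BuildArtifactLeak" }
+
+override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
+source.(CleartextLogging::Source).getLabel() = lbl
+}
+
+override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
+sink.(Sink).getLabel() = lbl
+}
+
+override predicate isSanitizer(DataFlow::Node node) { node instanceof CleartextLogging::Barrier }
+
+override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
+CleartextLogging::isAdditionalTaintStep(src, trg)
+}
+}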

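--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -15,12 +15,22 @@ module CleartextLogging {
 abstract class Source extends DataFlow::Node {
 /** Gets a string that describes the type of this data flow source. */
 abstract string describe();
+
+/**
+* DEPRECATED. Overriding this predicate no longer has any effect.
+*/
+deprecated DataFlow::FlowLabel getLabel() { result.isTaint() }
 }
 
 /**
 * A data flow sink for clear-text logging of sensitive information.
 */
-abstract class Sink extends DataFlow::Node { }
+abstract class Sink extends DataFlow::Node {
+/**
+* DEPRECATED. Overriding this predicate no longer has any effect.
+*/
+deprecated DataFlow::FlowLabel getLabel() { result.isTaint() }
+}
 
 /**
 * A barrier for clear-text logging of sensitive information.
@@ -188,6 +198,15 @@ module CleartextLogging {
 }
 }
 
+/**
+* DEPRECATED. Use `Barrier` instead, sanitized have been replaced by sanitized nodes.
+*
+* Holds if the edge `pred` -> `succ` should be sanitized for clear-text logging of sensitive information.
+*/
+deprecated predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
+succ.(DataFlow::PropRead).getBase() = pred
+}
+
 /**
 * Holds if the edge `src` -> `trg` is an additional taint-step for clear-text logging of sensitive information.
 */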
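Review bot: The QLDoc on both reintroduced `getLabel()` shims (new lines 20 and 30) says overriding them "no longer has any effect", but the deprecated `Configuration` classes reintroduced in CleartextLoggingQuery.qll and BuildArtifactLeakQuery.qll still evaluate `source.(Source).getLabel() = lbl` and `sink.(Sink).getLabel() = lbl`, so an override does still select the flow label on the legacy path. Suggest wording both as `DEPRECATED. Only honoured by the deprecated Configuration class; the CleartextLoggingFlow module ignores it.` Separately, the first line of the comment on `isSanitizerEdge` (new line 202) reads "sanitized have been replaced by sanitized nodes", which is garbled; presumably it should say that sanitizer edges have been replaced by barrier nodes. Both hunks sit inside `module CleartextLogging`, whose start and end lie outside this diff.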

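--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll
@@ -49,3 +49,24 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
 * Taint tracking flow for clear-text logging of sensitive information.
 */
 module CleartextLoggingFlow = TaintTracking::Global<CleartextLoggingConfig>;
+
+/**
+* DEPRECATED. Use the `CleartextLoggingFlow` module instead.
+*/
+deprecated class Configuration extends TaintTracking::Configuration {
+Configuration() { this = "CleartextLogging" }
+
+override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
+source.(Source).getLabel() = lbl
+}
+
+override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
+sink.(Sink).getLabel() = lbl
+}
+
+override predicate isSanitizer(DataFlow::Node node) { node instanceof Barrier }
+
+override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
+CleartextLogging::isAdditionalTaintStep(src, trg)
+}
+}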

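--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextStorageQuery.qll
@@ -30,3 +30,16 @@ module ClearTextStorageConfig implements DataFlow::ConfigSig {
 }
 
 module ClearTextStorageFlow = TaintTracking::Global<ClearTextStorageConfig>;
+
+/**
+* DEPRECATED. Use the `ClearTextStorageFlow` module instead.
+*/
+deprecated class Configuration extends TaintTracking::Configuration {
+Configuration() { this = "ClearTextStorage" }
+
+override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
+}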

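--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
@@ -45,3 +45,30 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
 * Taint tracking for client-side request forgery.
 */
 module ClientSideRequestForgeryFlow = TaintTracking::Global<ClientSideRequestForgeryConfig>;
+
+/**
+* DEPRECATED. Use the `ClientSideRequestForgeryFlow` module instead.
+*/
+deprecated class Configuration extends TaintTracking::Configuration {
+Configuration() { this = "ClientSideRequestForgery" }
+
+override predicate isSource(DataFlow::Node source) {
+exists(Source src |
+source = src and
+not src.isServerSide()
+)
+}
+
+override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+override predicate isSanitizer(DataFlow::Node node) {
+super.isSanitizer(node) or
+node instanceof Sanitizer
+}
+
+override predicate isSanitizerOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }
+
+override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+isAdditionalRequestForgeryStep(pred, succ)
+}
+}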

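--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
@@ -62,3 +62,48 @@ module ClientSideUrlRedirectConfig implements DataFlow::StateConfigSig {
 * Taint-tracking flow for reasoning about unvalidated URL redirections.
 */
 module ClientSideUrlRedirectFlow = TaintTracking::GlobalWithState<ClientSideUrlRedirectConfig>;
+
+/**
+* A taint-tracking configuration for reasoning about unvalidated URL redirections.
+*/
+deprecated class Configuration extends TaintTracking::Configuration {
+Configuration() { this = "ClientSideUrlRedirect" }
+
+override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
+source.(Source).getAFlowLabel() = lbl
+}
+
+override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+override predicate isSanitizer(DataFlow::Node node) {
+super.isSanitizer(node) or
+node instanceof Sanitizer
+}
+
+override predicate isSanitizerOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) }
+
+override predicate isAdditionalFlowStep(
+DataFlow::Node node1, DataFlow::Node node2, DataFlow::FlowLabel state1,
+DataFlow::FlowLabel state2
+) {
+ClientSideUrlRedirectConfig::isAdditionalFlowStep(node1, FlowState::fromFlowLabel(state1),
+node2, FlowState::fromFlowLabel(state2))
+or
+// Preserve document.url label in step from `location` to `location.href` or `location.toString()`
+state1 instanceof DocumentUrl and
+state2 instanceof DocumentUrl and
+(
+node2.(DataFlow::PropRead).accesses(node1, "href")
+or
+exists(DataFlow::CallNode call |
+call.getCalleeName() = "toString" and
+node1 = call.getReceiver() and
+node2 = call
+)
+)
+}
+
+override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+guard instanceof HostnameSanitizerGuard
+}
+}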
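Review bot: The QLDoc on the reintroduced `Configuration` (new line 67) is the only one in this commit without a deprecation notice; it still reads as the primary API even though the declaration is marked `deprecated`. Every other shim uses the same marker, so this one should read `DEPRECATED. Use the `ClientSideUrlRedirectFlow` module instead.` in place of the current sentence. Less certainly, `isAdditionalFlowStep` first delegates to `ClientSideUrlRedirectConfig::isAdditionalFlowStep` and then re-implements the label-preserving `location` → `location.href` / `toString()` step inline (new lines 92–103); if the new config already contains that step the duplicate is dead weight that can drift, and if it does not, a comment saying why the legacy path needs it would help. I cannot tell which from this hunk.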

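--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionQuery.qll
@@ -32,3 +32,23 @@ module CodeInjectionConfig implements DataFlow::ConfigSig {
 * Taint-tracking for reasoning about code injection vulnerabilities.
 */
 module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;
+
+/**
+* DEPRRECATED. Use the `CodeInjectionFlow` module instead.
+*/
+deprecated class Configuration extends TaintTracking::Configuration {
+Configuration() { this = "CodeInjection" }
+
+override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+override predicate isSanitizer(DataFlow::Node node) {
+super.isSanitizer(node) or
+node instanceof Sanitizer
+}
+
+override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+CodeInjectionConfig::isAdditionalFlowStep(node1, node2)
+}
+}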
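Review bot: Typo in the deprecation notice on new line 37: `DEPRRECATED` should be `DEPRECATED`. Anyone grepping the library for the conventional marker, or a doc check keyed on it, will miss this shim. Otherwise the class follows the same shape as the other reintroduced configurations in this commit.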

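--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
@@ -45,3 +45,16 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
 * Taint-tracking for reasoning about command-injection vulnerabilities.
 */
 module CommandInjectionFlow = TaintTracking::Global<CommandInjectionConfig>;
+
+/**
+* DEPRECATED. Use the `CommandInjectionFlow` module instead.
+*/
+deprecated class Configuration extends TaintTracking::Configuration {
+Configuration() { this = "CommandInjection" }
+
+override predicate isSource(DataFlow::Node source) { CommandInjectionConfig::isSource(source) }
+
+override predicate isSink(DataFlow::Node sink) { CommandInjectionConfig::isSink(sink) }
+
+override predicate isSanitizer(DataFlow::Node node) { CommandInjectionConfig::isBarrier(node) }
+}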

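--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll
@@ -35,6 +35,26 @@ module ConditionalBypassConfig implements DataFlow::ConfigSig {
 */
 module ConditionalBypassFlow = TaintTracking::Global<ConditionalBypassConfig>;
 
+/**
+* DEPRECATED. Use the `ConditionalBypassFlow` module instead.
+*/
+deprecated class Configuration extends TaintTracking::Configuration {
+Configuration() { this = "ConditionalBypass" }
+
+override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+override predicate isSanitizer(DataFlow::Node node) {
+super.isSanitizer(node) or
+node instanceof Sanitizer
+}
+
+override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node dst) {
+ConditionalBypassConfig::isAdditionalFlowStep(src, dst)
+}
+}
+
 /**
 * Holds if the value of `nd` flows into `guard`.
 */
@@ -129,3 +149,61 @@ predicate isEarlyAbortGuardNode(ConditionalBypassFlow::PathNode e, SensitiveActi
 not action.asExpr().getEnclosingStmt().nestedIn(guard)
 )
 }
+
+/**
+* Holds if `sink` guards `action`, and `source` taints `sink`.
+*
+* If flow from `source` taints `sink`, then an attacker can
+* control if `action` should be executed or not.
+*/
+deprecated predicate isTaintedGuardForSensitiveAction(
+DataFlow::PathNode sink, DataFlow::PathNode source, SensitiveAction action
+) {
+action = sink.getNode().(Sink).getAction() and
+// exclude the intermediary sink
+not sink.getNode() instanceof SensitiveActionGuardComparisonOperand and
+exists(Configuration cfg |
+// ordinary taint tracking to a guard
+cfg.hasFlowPath(source, sink)
+or
+// taint tracking to both operands of a guard comparison
+exists(
+SensitiveActionGuardComparison cmp, DataFlow::PathNode lSource, DataFlow::PathNode rSource,
+DataFlow::PathNode lSink, DataFlow::PathNode rSink
+|
+sink.getNode() = cmp.getGuard() and
+cfg.hasFlowPath(lSource, lSink) and
+lSink.getNode() = DataFlow::valueNode(cmp.getLeftOperand()) and
+cfg.hasFlowPath(rSource, rSink) and
+rSink.getNode() = DataFlow::valueNode(cmp.getRightOperand())
+|
+source = lSource or
+source = rSource
+)
+)
+}
+
+/**
+* Holds if `e` effectively guards access to `action` by returning or throwing early.
+*
+* Example: `if (e) return; action(x)`.
+*/
+deprecated predicate isEarlyAbortGuard(DataFlow::PathNode e, SensitiveAction action) {
+exists(IfStmt guard |
+// `e` is in the condition of an if-statement ...
+e.getNode().(Sink).asExpr().getParentExpr*() = guard.getCondition() and
+// ... where the then-branch always throws or returns
+exists(Stmt abort |
+abort instanceof ThrowStmt or
+abort instanceof ReturnStmt
+|
+abort.nestedIn(guard) and
+abort.getBasicBlock().(ReachableBasicBlock).postDominates(guard.getThen().getBasicBlock())
+) and
+// ... and the else-branch does not exist
+not exists(guard.getElse())
+|
+// ... and `action` is outside the if-statement
+not action.asExpr().getEnclosingStmt().nestedIn(guard)
+)
+}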
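Review bot: The two predicates reintroduced in the second hunk, `isTaintedGuardForSensitiveAction` and `isEarlyAbortGuard`, are declared `deprecated` but their QLDoc carries no deprecation notice and names no replacement, unlike the `Configuration` shim in the first hunk. `isEarlyAbortGuardNode`, visible in the hunk header at old line 129 and taking a `ConditionalBypassFlow::PathNode`, looks like the new-API counterpart of `isEarlyAbortGuard`, so I would open that doc with `DEPRECATED. Use isEarlyAbortGuardNode instead.` The replacement for `isTaintedGuardForSensitiveAction` is not in this diff; once confirmed, its doc should get a matching line. Both predicates are otherwise complete within the hunk.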
