Intial support for partial queries for js

Author: felickz

javascript/lib/ghsl/Utils.qll

@@ -6,6 +6,7 @@ private import semmle.javascript.security.dataflow.CommandInjectionCustomization
 private import semmle.javascript.security.dataflow.CodeInjectionCustomizations
 private import semmle.javascript.security.dataflow.LogInjectionQuery as LogInjection
 private import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
+private import semmle.javascript.security.dataflow.SqlInjectionCustomizations
 private import semmle.javascript.security.dataflow.Xss as Xss
 private import semmle.javascript.security.dataflow.XxeCustomizations
 
@@ -77,6 +78,8 @@ class AllSinks extends DataFlow::Node {
     sink = "log-injection" or
     this instanceof NosqlInjection::Sink and
     sink = "nosql-injection" or
+    this instanceof SqlInjection::Sink and
+    sink = "sql-injection" or
     this instanceof Xss::Shared::Sink and
     sink = "xss" or
     this instanceof Xxe::Sink and

javascript/src/audit/explore/RemoteSources.ql

@@ -0,0 +1,60 @@
+/**
+ * @name Remote Sources
+ * @kind problem
+ * @problem.severity note
+ * @precision low
+ * @id js/debugging/remote-sources
+ * @tags debugging
+ */
+
+ import javascript
+
+ // ==========================================================================
+//     Helper Predicates
+// ==========================================================================
+
+/**
+ * Filter results to a specific file and line number
+ * 
+ *  **Examples:**
+ * 
+ *  ```
+ *  filterByLocation(sources, "db.js", 1)
+ *  // or we don't care about the line numbers
+ *  filterByLocation(sources, "db.js", _)
+ *  ```
+ */
+predicate filterByLocation(DataFlow::Node node, string relative_path, int linenumber) {
+    node.getLocation().getFile().getRelativePath() = relative_path and
+    node.getLocation().getStartLine() = linenumber
+  }
+  
+  
+  // ==========================================================================
+  //     Sources
+  // ==========================================================================
+  
+  /**
+   * All Sources (Remote and Local)
+   */
+  final class AllSources extends RemoteSources, LocalSources { }
+  
+  /**
+   * Remote Sources (HTTP frameworks, etc)
+   */
+  class RemoteSources extends ThreatModelSource {
+    RemoteSources() { this.getThreatModel() = "remote" }
+  }
+  
+  /**
+   * Local Sources (CLI arguments, Filesystem, etc)
+   */
+  class LocalSources extends ThreatModelSource {
+    LocalSources() { this.getThreatModel() = "local" }
+  }
+
+ from RemoteSources sources
+//  where
+//    // Filter results to a specific file
+//    filterByLocation(sources, "app.js", _)
+ select sources, "Remote Sources"

javascript/src/debugging/PartialPathsFromSink.ql

@@ -0,0 +1,39 @@
+/**
+ * @name Partial Path Query from Sink
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 1.0
+ * @sub-severity low
+ * @precision low
+ * @id js/debugging/partial-path-from-sink
+ * @tags debugging
+ */
+
+import javascript
+import ghsl
+import DataFlow
+
+// Partial Graph
+module PartialFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { any() }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof AllSinks }
+}
+
+int explorationLimit() { result = 10 }
+
+private module PartialFlows = DataFlow::Global<PartialFlowConfig>;
+
+private module PartialFlowsGraph = PartialFlows::FlowExplorationRev<explorationLimit/0>;
+
+private import PartialFlowsGraph::PartialPathGraph
+
+from PartialFlowsGraph::PartialPathNode source, PartialFlowsGraph::PartialPathNode sink
+where
+  /// Only show sinks from a certain file
+  //filterByLocation(sink.getNode(), "index.js", _) and
+  /// Only show sources that match our criteria
+  //checkSource(source.getNode()) and
+  /// Partial Path
+  PartialFlowsGraph::partialFlow(source, sink, _)
+select sink.getNode(), source, sink, "Partial Graph $@.", source.getNode(), "user-provided value"

javascript/src/debugging/PartialPathsFromSource.ql

@@ -0,0 +1,38 @@
+/**
+ * @name Partial Path Query from Source
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 1.0
+ * @sub-severity low
+ * @precision low
+ * @id js/debugging/partial-path-from-source
+ * @tags debugging
+ */
+
+import javascript
+import ghsl
+import DataFlow
+
+// Partial Graph
+module PartialFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source instanceof AllSources
+  }
+
+  predicate isSink(DataFlow::Node sink) { none() }
+}
+
+int explorationLimit() { result = 10 }
+
+private module PartialFlows = DataFlow::Global<PartialFlowConfig>;
+
+private module PartialFlowsGraph = PartialFlows::FlowExplorationFwd<explorationLimit/0>;
+
+private import PartialFlowsGraph::PartialPathGraph
+
+from PartialFlowsGraph::PartialPathNode source, PartialFlowsGraph::PartialPathNode sink
+where
+  /// Filter by location
+  // filterByLocation(source.getNode(), "main.js", _) and
+  PartialFlowsGraph::partialFlow(source, sink, _)
+select sink.getNode(), source, sink, "Partial Graph $@.", source.getNode(), "user-provided value"