Merge pull request github#10018 from github/new-atm-features-rebased

New atm features rebased

Author: Stephan Brandauer

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointFeatures.qll

@@ -76,51 +76,75 @@ endpoints
 | index.js:84:12:84:18 | foo.bar | Xss | notASinkReason | ClientRequest | string |
 | index.js:84:12:84:18 | foo.bar | Xss | sinkLabel | NotASink | string |
 tokenFeatures
-| index.js:9:15:9:45 | { 'isAd ... Admin } | argumentIndex | 0 |
-| index.js:9:15:9:45 | { 'isAd ... Admin } | calleeAccessPath | mongoose model find |
-| index.js:9:15:9:45 | { 'isAd ... Admin } | calleeAccessPathWithStructuralInfo | mongoose member model instanceorreturn member find instanceorreturn |
-| index.js:9:15:9:45 | { 'isAd ... Admin } | calleeApiName | mongoose |
-| index.js:9:15:9:45 | { 'isAd ... Admin } | calleeName | find |
+| index.js:9:15:9:45 | { 'isAd ... Admin } | CalleeFlexibleAccessPath | User.find |
+| index.js:9:15:9:45 | { 'isAd ... Admin } | InputAccessPathFromCallee |  |
+| index.js:9:15:9:45 | { 'isAd ... Admin } | InputArgumentIndex | 0 |
+| index.js:9:15:9:45 | { 'isAd ... Admin } | assignedToPropName |  |
+| index.js:9:15:9:45 | { 'isAd ... Admin } | calleeImports | mongoose |
+| index.js:9:15:9:45 | { 'isAd ... Admin } | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
+| index.js:9:15:9:45 | { 'isAd ... Admin } | contextSurroundingFunctionParameters | ()\n(req, res) |
 | index.js:9:15:9:45 | { 'isAd ... Admin } | enclosingFunctionBody | app post /isAdmin req res User find isAdmin req body isAdmin |
 | index.js:9:15:9:45 | { 'isAd ... Admin } | enclosingFunctionName | flowFromSourceToSink |
+| index.js:9:15:9:45 | { 'isAd ... Admin } | fileImports | express mongoose |
 | index.js:9:15:9:45 | { 'isAd ... Admin } | receiverName | User |
-| index.js:15:17:15:32 | req.body.isAdmin | argumentIndex | 0 |
-| index.js:15:17:15:32 | req.body.isAdmin | calleeAccessPath |  |
-| index.js:15:17:15:32 | req.body.isAdmin | calleeAccessPathWithStructuralInfo |  |
-| index.js:15:17:15:32 | req.body.isAdmin | calleeApiName |  |
-| index.js:15:17:15:32 | req.body.isAdmin | calleeName | log |
+| index.js:9:15:9:45 | { 'isAd ... Admin } | stringConcatenatedWith |  |
+| index.js:15:17:15:32 | req.body.isAdmin | CalleeFlexibleAccessPath | console.log |
+| index.js:15:17:15:32 | req.body.isAdmin | InputAccessPathFromCallee |  |
+| index.js:15:17:15:32 | req.body.isAdmin | InputArgumentIndex | 0 |
+| index.js:15:17:15:32 | req.body.isAdmin | assignedToPropName |  |
+| index.js:15:17:15:32 | req.body.isAdmin | calleeImports |  |
+| index.js:15:17:15:32 | req.body.isAdmin | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
+| index.js:15:17:15:32 | req.body.isAdmin | contextSurroundingFunctionParameters | ()\n(req, res) |
 | index.js:15:17:15:32 | req.body.isAdmin | enclosingFunctionBody | app post /isAdmin req res console log req body isAdmin |
 | index.js:15:17:15:32 | req.body.isAdmin | enclosingFunctionName | flowFromSourceToNotASink |
+| index.js:15:17:15:32 | req.body.isAdmin | fileImports | express mongoose |
 | index.js:15:17:15:32 | req.body.isAdmin | receiverName | console |
-| index.js:20:13:20:31 | { 'isAdmin': true } | argumentIndex | 0 |
-| index.js:20:13:20:31 | { 'isAdmin': true } | calleeAccessPath | mongoose model find |
-| index.js:20:13:20:31 | { 'isAdmin': true } | calleeAccessPathWithStructuralInfo | mongoose member model instanceorreturn member find instanceorreturn |
-| index.js:20:13:20:31 | { 'isAdmin': true } | calleeApiName | mongoose |
-| index.js:20:13:20:31 | { 'isAdmin': true } | calleeName | find |
+| index.js:15:17:15:32 | req.body.isAdmin | stringConcatenatedWith |  |
+| index.js:20:13:20:31 | { 'isAdmin': true } | CalleeFlexibleAccessPath | User.find |
+| index.js:20:13:20:31 | { 'isAdmin': true } | InputAccessPathFromCallee |  |
+| index.js:20:13:20:31 | { 'isAdmin': true } | InputArgumentIndex | 0 |
+| index.js:20:13:20:31 | { 'isAdmin': true } | assignedToPropName |  |
+| index.js:20:13:20:31 | { 'isAdmin': true } | calleeImports | mongoose |
+| index.js:20:13:20:31 | { 'isAdmin': true } | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
+| index.js:20:13:20:31 | { 'isAdmin': true } | contextSurroundingFunctionParameters | () |
 | index.js:20:13:20:31 | { 'isAdmin': true } | enclosingFunctionBody | User find isAdmin true |
 | index.js:20:13:20:31 | { 'isAdmin': true } | enclosingFunctionName | notFlowFromSource |
+| index.js:20:13:20:31 | { 'isAdmin': true } | fileImports | express mongoose |
 | index.js:20:13:20:31 | { 'isAdmin': true } | receiverName | User |
-| index.js:28:13:28:28 | UNDEFINED_GLOBAL | argumentIndex | 0 |
-| index.js:28:13:28:28 | UNDEFINED_GLOBAL | calleeAccessPath | mongoose model find |
-| index.js:28:13:28:28 | UNDEFINED_GLOBAL | calleeAccessPathWithStructuralInfo | mongoose member model instanceorreturn member find instanceorreturn |
-| index.js:28:13:28:28 | UNDEFINED_GLOBAL | calleeApiName | mongoose |
-| index.js:28:13:28:28 | UNDEFINED_GLOBAL | calleeName | find |
+| index.js:20:13:20:31 | { 'isAdmin': true } | stringConcatenatedWith |  |
+| index.js:28:13:28:28 | UNDEFINED_GLOBAL | CalleeFlexibleAccessPath | User.find |
+| index.js:28:13:28:28 | UNDEFINED_GLOBAL | InputAccessPathFromCallee |  |
+| index.js:28:13:28:28 | UNDEFINED_GLOBAL | InputArgumentIndex | 0 |
+| index.js:28:13:28:28 | UNDEFINED_GLOBAL | assignedToPropName |  |
+| index.js:28:13:28:28 | UNDEFINED_GLOBAL | calleeImports | mongoose |
+| index.js:28:13:28:28 | UNDEFINED_GLOBAL | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
+| index.js:28:13:28:28 | UNDEFINED_GLOBAL | contextSurroundingFunctionParameters | () |
 | index.js:28:13:28:28 | UNDEFINED_GLOBAL | enclosingFunctionBody | User find UNDEFINED_GLOBAL |
 | index.js:28:13:28:28 | UNDEFINED_GLOBAL | enclosingFunctionName | notConstantExpression |
+| index.js:28:13:28:28 | UNDEFINED_GLOBAL | fileImports | express mongoose |
 | index.js:28:13:28:28 | UNDEFINED_GLOBAL | receiverName | User |
-| index.js:83:10:85:3 | {\\n    " ... ar,\\n  } | argumentIndex | 0 |
-| index.js:83:10:85:3 | {\\n    " ... ar,\\n  } | calleeAccessPath |  |
-| index.js:83:10:85:3 | {\\n    " ... ar,\\n  } | calleeAccessPathWithStructuralInfo |  |
-| index.js:83:10:85:3 | {\\n    " ... ar,\\n  } | calleeApiName |  |
-| index.js:83:10:85:3 | {\\n    " ... ar,\\n  } | calleeName | ajax |
+| index.js:28:13:28:28 | UNDEFINED_GLOBAL | stringConcatenatedWith |  |
+| index.js:83:10:85:3 | {\\n    " ... ar,\\n  } | CalleeFlexibleAccessPath | $.ajax |
+| index.js:83:10:85:3 | {\\n    " ... ar,\\n  } | InputAccessPathFromCallee |  |
+| index.js:83:10:85:3 | {\\n    " ... ar,\\n  } | InputArgumentIndex | 0 |
+| index.js:83:10:85:3 | {\\n    " ... ar,\\n  } | assignedToPropName |  |
+| index.js:83:10:85:3 | {\\n    " ... ar,\\n  } | calleeImports |  |
+| index.js:83:10:85:3 | {\\n    " ... ar,\\n  } | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
+| index.js:83:10:85:3 | {\\n    " ... ar,\\n  } | contextSurroundingFunctionParameters | (foo) |
 | index.js:83:10:85:3 | {\\n    " ... ar,\\n  } | enclosingFunctionBody | foo $ ajax url foo bar |
 | index.js:83:10:85:3 | {\\n    " ... ar,\\n  } | enclosingFunctionName | effectiveSinkAndNotASink |
+| index.js:83:10:85:3 | {\\n    " ... ar,\\n  } | fileImports | express mongoose |
 | index.js:83:10:85:3 | {\\n    " ... ar,\\n  } | receiverName | $ |
-| index.js:84:12:84:18 | foo.bar | argumentIndex |  |
-| index.js:84:12:84:18 | foo.bar | calleeAccessPath |  |
-| index.js:84:12:84:18 | foo.bar | calleeAccessPathWithStructuralInfo |  |
-| index.js:84:12:84:18 | foo.bar | calleeApiName |  |
-| index.js:84:12:84:18 | foo.bar | calleeName |  |
+| index.js:83:10:85:3 | {\\n    " ... ar,\\n  } | stringConcatenatedWith |  |
+| index.js:84:12:84:18 | foo.bar | CalleeFlexibleAccessPath | $.ajax |
+| index.js:84:12:84:18 | foo.bar | InputAccessPathFromCallee | 0.url |
+| index.js:84:12:84:18 | foo.bar | InputArgumentIndex | 0 |
+| index.js:84:12:84:18 | foo.bar | assignedToPropName | url |
+| index.js:84:12:84:18 | foo.bar | calleeImports |  |
+| index.js:84:12:84:18 | foo.bar | contextFunctionInterfaces | constantExpression()\neffectiveSinkAndNotASink(foo)\nflowFromSourceToNotASink()\nflowFromSourceToSink()\nidentity(x)\nnotASink()\nnotASinkMultipleReasons()\nnotConstantExpression()\nnotFlowFromSource()\nveryLongFunctionBody() |
+| index.js:84:12:84:18 | foo.bar | contextSurroundingFunctionParameters | (foo) |
 | index.js:84:12:84:18 | foo.bar | enclosingFunctionBody | foo $ ajax url foo bar |
 | index.js:84:12:84:18 | foo.bar | enclosingFunctionName | effectiveSinkAndNotASink |
+| index.js:84:12:84:18 | foo.bar | fileImports | express mongoose |
 | index.js:84:12:84:18 | foo.bar | receiverName |  |
+| index.js:84:12:84:18 | foo.bar | stringConcatenatedWith |  |

javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/EndpointFeatures.expected

@@ -0,0 +1,9 @@
+import javascript
+import experimental.adaptivethreatmodeling.EndpointFeatures
+import experimental.adaptivethreatmodeling.FeaturizationConfig
+import TestUtil
+
+// every feature must produce a value for at least one endpoint, otherwise the feature is completely broken, or a relevant test example is missing
+from EndpointFeature feature
+where forall(Endpoint endpoint | not exists(feature.getValue(endpoint)))
+select feature.getName()