
Commit fbcb8d6

committed
JS: Migrate CodeQL tests for ML-powered queries
1 parent 7bb11b8 commit fbcb8d6


127 files changed

+132859
-0
lines changed



javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/EndpointFeatures.expected

Lines changed: 16711 additions & 0 deletions
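--- a/javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/EndpointFeatures.ql
+++ b/javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/EndpointFeatures.ql
@@ -0,0 +1,34 @@
+/**
+* EndpointFeatures.ql
+*
+* This tests generic token-based featurization of all endpoint candidates for all of the security
+* queries we support. This is in comparison to the `ExtractEndpointData.qlref` test, which tests
+* just the endpoints we extract in the training data.
+*/
+
+import javascript
+import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionATM
+import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjectionATM
+import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathATM
+import experimental.adaptivethreatmodeling.XssATM as XssATM
+import experimental.adaptivethreatmodeling.EndpointFeatures as EndpointFeatures
+import experimental.adaptivethreatmodeling.StandardEndpointFilters as StandardEndpointFilters
+import extraction.NoFeaturizationRestrictionsConfig
+
+query predicate tokenFeatures(DataFlow::Node endpoint, string featureName, string featureValue) {
+(
+not exists(NosqlInjectionATM::SinkEndpointFilter::getAReasonSinkExcluded(endpoint)) or
+not exists(SqlInjectionATM::SinkEndpointFilter::getAReasonSinkExcluded(endpoint)) or
+not exists(TaintedPathATM::SinkEndpointFilter::getAReasonSinkExcluded(endpoint)) or
+not exists(XssATM::SinkEndpointFilter::getAReasonSinkExcluded(endpoint)) or
+StandardEndpointFilters::isArgumentToModeledFunction(endpoint)
+) and
+EndpointFeatures::tokenFeatures(endpoint, featureName, featureValue)
+}
+
+query predicate invalidTokenFeatures(
+DataFlow::Node endpoint, string featureName, string featureValue
+) {
+strictcount(string value | EndpointFeatures::tokenFeatures(endpoint, featureName, value)) > 1 and
+EndpointFeatures::tokenFeatures(endpoint, featureName, featureValue)
+}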
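Review bot: `invalidTokenFeatures` has no QLDoc saying what a result means, and the disjunction at the top of `tokenFeatures` is not explained either, so a reader has to reverse-engineer why five conditions are OR-ed together. Suggest a comment above `invalidTokenFeatures` along the lines of `/** Holds if featureName has more than one value for endpoint. Token features are expected to be single-valued, so this predicate should have no results. */`, and above the disjunction `// Candidate endpoints: anything that at least one query's sink filter does not exclude, plus arguments to modeled functions.` Both predicates lie entirely within the hunk, so the comments can go in here.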

javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/ExtractEndpointData.expected

Lines changed: 47858 additions & 0 deletions
@@ -0,0 +1 @@
1+
extraction/ExtractEndpointData.ql

javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/ExtractEndpointDataEvaluation.expected

Lines changed: 47858 additions & 0 deletions
@@ -0,0 +1 @@
1+
extraction/ExtractEndpointDataEvaluation.ql

javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/ExtractEndpointDataTraining.expected

Lines changed: 12842 additions & 0 deletions
@@ -0,0 +1 @@
1+
extraction/ExtractEndpointDataTraining.ql
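--- a/javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/FilteredTruePositives.expected
+++ b/javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/FilteredTruePositives.expected
@@ -0,0 +1,16 @@
+nosqlFilteredTruePositives
+| autogenerated/NosqlAndSqlInjection/untyped/mongoose.js:111:14:111:18 | query | not a direct argument to a likely external library call or a heuristic sink |
+sqlFilteredTruePositives
+| autogenerated/NosqlAndSqlInjection/untyped/tst2.js:7:13:7:45 | select ... e id = | not an argument to a likely external library call or a heuristic sink |
+| autogenerated/NosqlAndSqlInjection/untyped/tst2.js:7:48:7:60 | req.params.id | not an argument to a likely external library call or a heuristic sink |
+taintedPathFilteredTruePositives
+| autogenerated/TaintedPath/TaintedPath.js:66:26:66:31 | "SAFE" | not a direct argument to a likely external library call or a heuristic sink |
+| autogenerated/TaintedPath/TaintedPath.js:71:26:71:45 | Cookie.get("unsafe") | not a direct argument to a likely external library call or a heuristic sink |
+xssFilteredTruePositives
+| autogenerated/Xss/DomBasedXss/d3.js:12:20:12:29 | getTaint() | not a direct argument to a likely external library call or a heuristic sink |
+| autogenerated/Xss/DomBasedXss/d3.js:14:20:14:29 | getTaint() | not a direct argument to a likely external library call or a heuristic sink |
+| autogenerated/Xss/DomBasedXss/express.js:7:15:7:33 | req.param("wobble") | not a direct argument to a likely external library call or a heuristic sink |
+| autogenerated/Xss/DomBasedXss/jwt-server.js:11:19:11:29 | decoded.foo | not a direct argument to a likely external library call or a heuristic sink |
+| autogenerated/Xss/DomBasedXss/tst.js:316:35:316:42 | location | not a direct argument to a likely external library call or a heuristic sink |
+| autogenerated/Xss/DomBasedXss/typeahead.js:10:16:10:18 | loc | not a direct argument to a likely external library call or a heuristic sink |
+| autogenerated/Xss/DomBasedXss/typeahead.js:25:18:25:20 | val | not a direct argument to a likely external library call or a heuristic sink |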
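--- a/javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/FilteredTruePositives.ql
+++ b/javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/FilteredTruePositives.ql
@@ -0,0 +1,47 @@
+/*
+* FilteredTruePositives.ql
+*
+* This test checks several components of the endpoint filters for each query to see whether they
+* filter out any known sinks. It explicitly does not check the endpoint filtering step that's based
+* on whether the endpoint is an argument to a modelled function, since this necessarily filters out
+* all known sinks. However, we can test all the other filtering steps against the set of known
+* sinks.
+*
+* Ideally, the sink endpoint filters would have perfect recall and therefore each of the predicates
+* in this test would have zero results. However, in some cases we have chosen to sacrifice recall
+* when we perceive the improved precision of the results to be worth the drop in recall.
+*/
+
+import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
+import semmle.javascript.security.dataflow.SqlInjectionCustomizations
+import semmle.javascript.security.dataflow.TaintedPathCustomizations
+import semmle.javascript.security.dataflow.DomBasedXssCustomizations
+import experimental.adaptivethreatmodeling.StandardEndpointFilters as StandardEndpointFilters
+import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionATM
+import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjectionATM
+import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathATM
+import experimental.adaptivethreatmodeling.XssATM as XssATM
+
+query predicate nosqlFilteredTruePositives(DataFlow::Node endpoint, string reason) {
+endpoint instanceof NosqlInjection::Sink and
+reason = NosqlInjectionATM::SinkEndpointFilter::getAReasonSinkExcluded(endpoint) and
+not reason = ["argument to modeled function", "modeled sink", "modeled database access"]
+}
+
+query predicate sqlFilteredTruePositives(DataFlow::Node endpoint, string reason) {
+endpoint instanceof SqlInjection::Sink and
+reason = SqlInjectionATM::SinkEndpointFilter::getAReasonSinkExcluded(endpoint) and
+reason != "argument to modeled function"
+}
+
+query predicate taintedPathFilteredTruePositives(DataFlow::Node endpoint, string reason) {
+endpoint instanceof TaintedPath::Sink and
+reason = TaintedPathATM::SinkEndpointFilter::getAReasonSinkExcluded(endpoint) and
+reason != "argument to modeled function"
+}
+
+query predicate xssFilteredTruePositives(DataFlow::Node endpoint, string reason) {
+endpoint instanceof DomBasedXss::Sink and
+reason = XssATM::SinkEndpointFilter::getAReasonSinkExcluded(endpoint) and
+reason != "argument to modeled function"
+}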
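Review bot: `nosqlFilteredTruePositives` excludes three reasons (`"modeled sink"` and `"modeled database access"` on top of `"argument to modeled function"`) while the other three predicates exclude only `"argument to modeled function"`, yet the header comment states that only the modelled-function step is skipped and "all the other filtering steps" are tested. If the two extra NoSQL exclusions are deliberate because those steps also reject every known sink, a one-line comment on the `not reason = [...]` line saying so would keep the header honest; otherwise the list should be trimmed to match the siblings. The comparison form also differs (`not reason = [...]` versus `reason != ...`), which hides the asymmetry — writing all four the same way would make any intentional difference visible at a glance. All four predicates are fully contained in the hunk.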
