|
| 1 | +/** |
| 2 | + * Provides predicates for reasoning about sanitization via the `class-validator` library. |
| 3 | + */ |
| 4 | + |
| 5 | +import javascript |
| 6 | + |
| 7 | +/** |
| 8 | + * Provides predicates for reasoning about sanitization via the `class-validator` library. |
| 9 | + */ |
| 10 | +module ClassValidator { |
| 11 | + /** |
| 12 | + * Holds if the decorator with the given name does not sanitize the input, for the purpose of taint tracking. |
| 13 | + */ |
| 14 | + bindingset[name] |
| 15 | + private predicate isSanitizingDecoratorName(string name) { |
| 16 | + // Most decorators do sanitize the input, so only list those that don't. |
| 17 | + not name = |
| 18 | + [ |
| 19 | + "IsDefined", "IsOptional", "NotEquals", "IsNotEmpty", "IsNotIn", "IsString", "IsArray", |
| 20 | + "Contains", "NotContains", "IsAscii", "IsByteLength", "IsDataURI", "IsFQDN", "IsJSON", |
| 21 | + "IsJWT", "IsObject", "IsNotEmptyObject", "IsLowercase", "IsSurrogatePair", "IsUrl", |
| 22 | + "IsUppercase", "Length", "MinLength", "MaxLength", "ArrayContains", "ArrayNotContains", |
| 23 | + "ArrayNotEmpty", "ArrayMinSize", "ArrayMaxSize", "ArrayUnique", "Allow", "ValidateNested", |
| 24 | + "Validate", |
| 25 | + // Consider "Matches" to be non-sanitizing as it is special-cased below |
| 26 | + "Matches" |
| 27 | + ] |
| 28 | + } |
| 29 | + |
| 30 | + /** Holds if the given call is a decorator that sanitizes values for the purpose of taint tracking, such as `IsBoolean()`. */ |
| 31 | + API::CallNode sanitizingDecorator() { |
| 32 | + exists(string name | result = API::moduleImport("class-validator").getMember(name).getACall() | |
| 33 | + isSanitizingDecoratorName(name) |
| 34 | + or |
| 35 | + name = "Matches" and |
| 36 | + RegExp::isGenericRegExpSanitizer(RegExp::getRegExpFromNode(result.getArgument(0)), true) |
| 37 | + ) |
| 38 | + } |
| 39 | + |
| 40 | + /** Holds if the given field has a decorator that sanitizes its value for the purpose of taint tracking. */ |
| 41 | + predicate isFieldSanitizedByDecorator(FieldDefinition field) { |
| 42 | + field.getADecorator().getExpression().flow() = sanitizingDecorator().getReturn().getAUse() |
| 43 | + } |
| 44 | + |
| 45 | + pragma[noinline] |
| 46 | + private predicate isFieldSanitizedByDecorator(ClassDefinition cls, string name) { |
| 47 | + isFieldSanitizedByDecorator(cls.getField(name)) |
| 48 | + } |
| 49 | + |
| 50 | + pragma[noinline] |
| 51 | + private ClassDefinition getClassReferencedByPropRead(DataFlow::PropRead read) { |
| 52 | + read.getBase().asExpr().getType().unfold().(ClassType).getClass() = result |
| 53 | + } |
| 54 | + |
| 55 | + /** |
| 56 | + * Holds if the given property read refers to a field that has a sanitizing decorator. |
| 57 | + * |
| 58 | + * Only holds when TypeScript types are available. |
| 59 | + */ |
| 60 | + pragma[noinline] |
| 61 | + predicate isAccessToSanitizedField(DataFlow::PropRead read) { |
| 62 | + exists(ClassDefinition class_ | |
| 63 | + class_ = getClassReferencedByPropRead(read) and |
| 64 | + isFieldSanitizedByDecorator(class_, read.getPropertyName()) |
| 65 | + ) |
| 66 | + } |
| 67 | +} |
0 commit comments