Update JS helmet model structure

knewbury01 · knewbury01 · commit e84dda4fa66a · 2024-08-15T16:08:48.000-04:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.Required.Setting.model.yml b/javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.Required.Setting.model.yml
@@ -1,6 +1,6 @@
 extensions:
   - addsTo:
-      pack: codeql/javascript-queries
+      pack: codeql/javascript-all
       extensible: requiredHelmetSecuritySetting
     data:
       - ["frameguard"]
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.qll b/javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.qll
@@ -0,0 +1,27 @@
+/**
+ * Provides classes for working with Helmet
+ */
+
+import javascript
+
+class HelmetProperty extends DataFlow::Node instanceof DataFlow::PropWrite {
+  ExpressLibraries::HelmetRouteHandler helmet;
+
+  HelmetProperty() {
+    this = helmet.(DataFlow::CallNode).getAnArgument().getALocalSource().getAPropertyWrite()
+  }
+
+  ExpressLibraries::HelmetRouteHandler getHelmet() { result = helmet }
+
+  predicate isFalse() { DataFlow::PropWrite.super.getRhs().mayHaveBooleanValue(false) }
+
+  string getName() { result = DataFlow::PropWrite.super.getPropertyName() }
+
+  predicate isImportantSecuritySetting() {
+    // read from data extensions to allow enforcing custom settings
+    // defaults are located in javascript/ql/lib/semmle/frameworks/helmet/Helmet.Required.Setting.model.yml
+    requiredHelmetSecuritySetting(this.getName())
+  }
+}
+
+extensible predicate requiredHelmetSecuritySetting(string name);
diff --git a/javascript/ql/src/Security/CWE-693/CUSTOMIZING.md b/javascript/ql/src/Security/CWE-693/CUSTOMIZING.md
@@ -24,7 +24,7 @@ A suitable [model pack](https://docs.github.com/en/code-security/codeql-cli/usin
 name: my-org/javascript-helmet-insecure-config-model-pack
 version: 1.0.0
 extensionTargets:
-  codeql/java-all: '*'
+  codeql/javascript-all: '*'
 dataExtensions:
   - models/**/*.yml
 ```
diff --git a/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql b/javascript/ql/src/Security/CWE-693/InsecureHelmet.ql
@@ -12,30 +12,8 @@
  */
 
 import javascript
-import DataFlow
 import semmle.javascript.frameworks.ExpressModules
-
-class HelmetProperty extends DataFlow::Node instanceof DataFlow::PropWrite {
-  ExpressLibraries::HelmetRouteHandler helmet;
-
-  HelmetProperty() {
-    this = helmet.(DataFlow::CallNode).getAnArgument().getALocalSource().getAPropertyWrite()
-  }
-
-  ExpressLibraries::HelmetRouteHandler getHelmet() { result = helmet }
-
-  predicate isFalse() { DataFlow::PropWrite.super.getRhs().mayHaveBooleanValue(false) }
-
-  string getName() { result = DataFlow::PropWrite.super.getPropertyName() }
-
-  predicate isImportantSecuritySetting() {
-    // read from data extensions to allow enforcing custom settings
-    // defaults are located in javascript/ql/lib/semmle/frameworks/helmet/Helmet.Required.Setting.model.yml
-    requiredHelmetSecuritySetting(this.getName())
-  }
-}
-
-extensible predicate requiredHelmetSecuritySetting(string name);
+import semmle.javascript.frameworks.helmet.Helmet
 
 from HelmetProperty helmetProperty, ExpressLibraries::HelmetRouteHandler helmet
 where
