
Commit 05a943c

committed
Delete StandardEndpointFilters.
All remaining functionality in `StandardEndpointFilters` is only being used in `EndpointCharacteristics`, so it can be moved there as a small set of helper predicates.
1 parent 5402f04 commit 05a943c

1 file changed

+47
-1
lines changed

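--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll
@@ -9,7 +9,6 @@ private import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
 private import semmle.javascript.security.dataflow.TaintedPathCustomizations
 private import semmle.javascript.heuristics.SyntacticHeuristics as SyntacticHeuristics
 private import semmle.javascript.filters.ClassifyFiles as ClassifyFiles
-private import StandardEndpointFilters as StandardEndpointFilters
 private import semmle.javascript.security.dataflow.XxeCustomizations
 private import semmle.javascript.security.dataflow.RemotePropertyInjectionCustomizations
 private import semmle.javascript.security.dataflow.TypeConfusionThroughParameterTamperingCustomizations
@@ -155,6 +154,53 @@ private predicate isKnownStepSrc(DataFlow::Node n) {
 DataFlow::SharedFlowStep::step(n, _, _, _)
 }
 
+/**
+* Holds if the data flow node is a (possibly indirect) argument of a likely external library call.
+*
+* This includes direct arguments of likely external library calls as well as nested object
+* literals within those calls.
+*/
+private predicate flowsToArgumentOfLikelyExternalLibraryCall(DataFlow::Node n) {
+n = getACallWithoutCallee().getAnArgument()
+or
+exists(DataFlow::SourceNode src | flowsToArgumentOfLikelyExternalLibraryCall(src) |
+n = src.getAPropertyWrite().getRhs()
+)
+or
+exists(DataFlow::ArrayCreationNode arr | flowsToArgumentOfLikelyExternalLibraryCall(arr) |
+n = arr.getAnElement()
+)
+}
+
+/**
+* Get calls for which we do not have the callee (i.e. the definition of the called function). This
+* acts as a heuristic for identifying calls to external library functions.
+*/
+private DataFlow::CallNode getACallWithoutCallee() {
+forall(Function callee | callee = result.getACallee() | callee.getTopLevel().isExterns()) and
+not exists(DataFlow::ParameterNode param, DataFlow::FunctionNode callback |
+param.flowsTo(result.getCalleeNode()) and
+callback = getACallback(param, DataFlow::TypeBackTracker::end())
+)
+}
+
+/**
+* Gets a node that flows to callback-parameter `p`.
+*/
+private DataFlow::SourceNode getACallback(DataFlow::ParameterNode p, DataFlow::TypeBackTracker t) {
+t.start() and
+result = p and
+any(DataFlow::FunctionNode f).getLastParameter() = p and
+exists(p.getACall())
+or
+exists(DataFlow::TypeBackTracker t2 | result = getACallback(p, t2).backtrack(t2, t))
+}
+
+/**
+* Get calls which are likely to be to external non-built-in libraries.
+*/
+DataFlow::CallNode getALikelyExternalLibraryCall() { result = getACallWithoutCallee() }
+
 /*
 * Characteristics that are indicative of a sink.
 * NOTE: Initially each sink type has only one characteristic, which is that it's a sink of this type in the standard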