Create the sink ClassificationReasons

tiferet · tiferet · commit 08bbe596a24c · 2022-11-04T09:30:29.000-07:00
Write the reasons that indicate that an endpoint is a sink for each sink type.

Also fix import error.
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/AdaptiveThreatModeling.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/AdaptiveThreatModeling.qll
@@ -4,7 +4,7 @@
  * Provides information about the results of boosted queries for use in adaptive threat modeling (ATM).
  */
 
-private import javascript::DataFlow as DataFlow
+private import javascript::DataFlow
 import ATMConfig
 private import BaseScoring
 private import EndpointScoring as EndpointScoring
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ClassificationReasons.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ClassificationReasons.qll
@@ -0,0 +1,113 @@
+/**
+ * For internal use only.
+ *
+ * Defines a set of characteristics that a particular endpoint might have. This set of characteristics is used to make
+ * decisions about whether to include the endpoint in the training set and with what label, as well as whether to score
+ * the endpoint at inference time.
+ */
+
+import experimental.adaptivethreatmodeling.EndpointTypes
+import semmle.javascript.security.dataflow.SqlInjectionCustomizations
+private import semmle.javascript.security.dataflow.DomBasedXssCustomizations
+private import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
+private import semmle.javascript.security.dataflow.TaintedPathCustomizations
+
+abstract class ClassificationReason extends string {
+  // The name of the reason, which should describe some characteristic of the endpoint that is meaningful for
+  // determining whether it's a sink and if so of which type
+  bindingset[this]
+  ClassificationReason() { any() }
+
+  // Indicators with confidence at or above this threshold are considered to be high-confidence indicators.
+  float getHighConfidenceThreshold() { result = 0.8 }
+
+  // Indicators with confidence at or above this threshold are considered to be medium-confidence indicators.
+  float getMediumConfidenceThreshold() { result = 0.5 }
+
+  // The logic to identify which endpoints have this reason.
+  abstract predicate getEndpoints(DataFlow::Node n);
+
+  // This predicate describes what the reason tells us about an endpoint.
+  //
+  // Params:
+  // endpointClass: Class 0 is the negative class. Each positive int corresponds to a single sink type.
+  // isPositiveIndicator: Does this reason indicate this endpoint _is_ a member of the class, or that it _isn't_ a
+  // member of the class?
+  // confidence: A number in [0, 1], which tells us how strong an indicator this reason is for the endpoint belonging /
+  // not belonging to the given class.
+  abstract predicate getImplications(
+    EndpointType endpointClass, boolean isPositiveIndicator, float confidence
+  );
+}
+
+/*
+ * Endpoints that were identified as "DomBasedXssSink" by the standard Javascript library are XSS sinks with maximal
+ * confidence.
+ */
+
+class DomBasedXssSinkReason extends ClassificationReason {
+  DomBasedXssSinkReason() { this = "DomBasedXssSink" }
+
+  override predicate getEndpoints(DataFlow::Node n) { n instanceof DomBasedXss::Sink }
+
+  override predicate getImplications(
+    EndpointType endpointClass, boolean isPositiveIndicator, float confidence
+  ) {
+    endpointClass instanceof XssSinkType and isPositiveIndicator = true and confidence = 1.0
+  }
+}
+
+/*
+ * Endpoints that were identified as "TaintedPathSink" by the standard Javascript library are path injection sinks with
+ * maximal confidence.
+ */
+
+class TaintedPathSinkReason extends ClassificationReason {
+  TaintedPathSinkReason() { this = "TaintedPathSink" }
+
+  override predicate getEndpoints(DataFlow::Node n) { n instanceof TaintedPath::Sink }
+
+  override predicate getImplications(
+    EndpointType endpointClass, boolean isPositiveIndicator, float confidence
+  ) {
+    endpointClass instanceof TaintedPathSinkType and isPositiveIndicator = true and confidence = 1.0
+  }
+}
+
+/*
+ * Endpoints that were identified as "SqlInjectionSink" by the standard Javascript library are SQL injection sinks with
+ * maximal confidence.
+ */
+
+class SqlInjectionSinkReason extends ClassificationReason {
+  SqlInjectionSinkReason() { this = "SqlInjectionSink" }
+
+  override predicate getEndpoints(DataFlow::Node n) { n instanceof SqlInjection::Sink }
+
+  override predicate getImplications(
+    EndpointType endpointClass, boolean isPositiveIndicator, float confidence
+  ) {
+    endpointClass instanceof SqlInjectionSinkType and
+    isPositiveIndicator = true and
+    confidence = 1.0
+  }
+}
+
+/*
+ * Endpoints that were identified as "NosqlInjectionSink" by the standard Javascript library are NoSQL injection sinks
+ * with maximal confidence.
+ */
+
+class NosqlInjectionSinkReason extends ClassificationReason {
+  NosqlInjectionSinkReason() { this = "NosqlInjectionSink" }
+
+  override predicate getEndpoints(DataFlow::Node n) { n instanceof NosqlInjection::Sink }
+
+  override predicate getImplications(
+    EndpointType endpointClass, boolean isPositiveIndicator, float confidence
+  ) {
+    endpointClass instanceof NosqlInjectionSinkType and
+    isPositiveIndicator = true and
+    confidence = 1.0
+  }
+}
