remove client-side remote-flow from js/resource-exhaustion

erik-krogh · erik-krogh · commit 51a0b6d50132 · 2022-04-13T23:05:59.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll
@@ -28,7 +28,9 @@ module ResourceExhaustion {
   abstract class Sanitizer extends DataFlow::Node { }
 
   /** A source of remote user input, considered as a data flow source for resource exhaustion vulnerabilities. */
-  class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource { }
+  class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource {
+    RemoteFlowSourceAsSource() { not this instanceof ClientSideRemoteFlowSource }
+  }
 
   /**
    * A node that determines the repetitions of a string, considered as a data flow sink for resource exhaustion vulnerabilities.
diff --git a/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/resource-exhaustion.js b/javascript/ql/test/query-tests/Security/CWE-770/ResourceExhaustion/resource-exhaustion.js
@@ -92,3 +92,10 @@ var server = http.createServer(function(req, res) {
     Buffer.alloc(n); // NOT OK - NO length check
   }
 });
+
+function browser() {
+    const delay = parseInt(window.location.search.replace('?', '')) || 5000;
+    setTimeout(() => {
+        console.log("f00");
+    }, delay); // OK - source is client side
+}
