Merge pull request github#8619 from erik-krogh/atmSteps

JS-ML: fix isKnownStepSrc such that it recognizes taint-steps

Author: erik-krogh

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/CoreKnowledge.qll

@@ -106,9 +106,9 @@ predicate isKnownLibrarySink(DataFlow::Node n) {
  * Holds if the node `n` is known as the predecessor in a modeled flow step.
  */
 predicate isKnownStepSrc(DataFlow::Node n) {
-  any(TaintTracking::AdditionalTaintStep s).step(n, _) or
-  any(DataFlow::AdditionalFlowStep s).step(n, _) or
-  any(DataFlow::AdditionalFlowStep s).step(n, _, _, _)
+  TaintTracking::sharedTaintStep(n, _) or
+  DataFlow::SharedFlowStep::step(n, _) or
+  DataFlow::SharedFlowStep::step(n, _, _, _)
 }
 
 /**

javascript/ql/experimental/adaptivethreatmodeling/test/.gitignore

@@ -0,0 +1 @@
+**/*.testproj

javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/EndpointFeatures.expected

@@ -9926,6 +9926,10 @@ tokenFeatures
 | autogenerated/Xss/DomBasedXss/string-manipulations.js:12:16:12:61 | escape( ... href))) | calleeAccessPathWithStructuralInfo |  |
 | autogenerated/Xss/DomBasedXss/string-manipulations.js:12:16:12:61 | escape( ... href))) | calleeName | write |
 | autogenerated/Xss/DomBasedXss/string-manipulations.js:12:16:12:61 | escape( ... href))) | receiverName | document |
+| autogenerated/Xss/DomBasedXss/translate.js:7:42:7:60 | target.substring(1) | calleeAccessPath |  |
+| autogenerated/Xss/DomBasedXss/translate.js:7:42:7:60 | target.substring(1) | calleeAccessPathWithStructuralInfo |  |
+| autogenerated/Xss/DomBasedXss/translate.js:7:42:7:60 | target.substring(1) | enclosingFunctionBody | translate own goal backpass fumble feint target document location search searchParams URLSearchParams target substring 1 $ original-term html searchParams get term $ translated-term html translate searchParams get term |
+| autogenerated/Xss/DomBasedXss/translate.js:7:42:7:60 | target.substring(1) | enclosingFunctionName |  |
 | autogenerated/Xss/DomBasedXss/translate.js:7:59:7:59 | 1 | argumentIndex | 0 |
 | autogenerated/Xss/DomBasedXss/translate.js:7:59:7:59 | 1 | calleeAccessPath |  |
 | autogenerated/Xss/DomBasedXss/translate.js:7:59:7:59 | 1 | calleeAccessPathWithStructuralInfo |  |
@@ -10213,6 +10217,10 @@ tokenFeatures
 | autogenerated/Xss/DomBasedXss/tst.js:18:29:18:34 | 'name' | enclosingFunctionBody | target document location search $ myId html target document write <OPTION value=1> document location href substring document location href indexOf default= 8 </OPTION> document write <OPTION value=2>English</OPTION> $ <div style="width: target px"> $ <div style="width: target px"> $ <div style="width: parseInt target px"> params URL document location searchParams $ name html params get name searchParams URLSearchParams target substring 1 $ name html searchParams get name |
 | autogenerated/Xss/DomBasedXss/tst.js:18:29:18:34 | 'name' | enclosingFunctionName | test |
 | autogenerated/Xss/DomBasedXss/tst.js:18:29:18:34 | 'name' | receiverName | params |
+| autogenerated/Xss/DomBasedXss/tst.js:20:42:20:60 | target.substring(1) | calleeAccessPath |  |
+| autogenerated/Xss/DomBasedXss/tst.js:20:42:20:60 | target.substring(1) | calleeAccessPathWithStructuralInfo |  |
+| autogenerated/Xss/DomBasedXss/tst.js:20:42:20:60 | target.substring(1) | enclosingFunctionBody | target document location search $ myId html target document write <OPTION value=1> document location href substring document location href indexOf default= 8 </OPTION> document write <OPTION value=2>English</OPTION> $ <div style="width: target px"> $ <div style="width: target px"> $ <div style="width: parseInt target px"> params URL document location searchParams $ name html params get name searchParams URLSearchParams target substring 1 $ name html searchParams get name |
+| autogenerated/Xss/DomBasedXss/tst.js:20:42:20:60 | target.substring(1) | enclosingFunctionName | test |
 | autogenerated/Xss/DomBasedXss/tst.js:20:59:20:59 | 1 | argumentIndex | 0 |
 | autogenerated/Xss/DomBasedXss/tst.js:20:59:20:59 | 1 | calleeAccessPath |  |
 | autogenerated/Xss/DomBasedXss/tst.js:20:59:20:59 | 1 | calleeAccessPathWithStructuralInfo |  |
@@ -12661,6 +12669,13 @@ tokenFeatures
 | autogenerated/Xss/ReflectedXss/ReflectedXss.js:23:12:23:27 | marked(req.body) | enclosingFunctionBody | req res res send req body res send marked req body |
 | autogenerated/Xss/ReflectedXss/ReflectedXss.js:23:12:23:27 | marked(req.body) | enclosingFunctionName | app.get#functionalargument |
 | autogenerated/Xss/ReflectedXss/ReflectedXss.js:23:12:23:27 | marked(req.body) | receiverName | res |
+| autogenerated/Xss/ReflectedXss/ReflectedXss.js:23:19:23:26 | req.body | argumentIndex | 0 |
+| autogenerated/Xss/ReflectedXss/ReflectedXss.js:23:19:23:26 | req.body | calleeAccessPath | marked |
+| autogenerated/Xss/ReflectedXss/ReflectedXss.js:23:19:23:26 | req.body | calleeAccessPathWithStructuralInfo | marked instanceorreturn |
+| autogenerated/Xss/ReflectedXss/ReflectedXss.js:23:19:23:26 | req.body | calleeApiName | marked |
+| autogenerated/Xss/ReflectedXss/ReflectedXss.js:23:19:23:26 | req.body | calleeName | marked |
+| autogenerated/Xss/ReflectedXss/ReflectedXss.js:23:19:23:26 | req.body | enclosingFunctionBody | req res res send req body res send marked req body |
+| autogenerated/Xss/ReflectedXss/ReflectedXss.js:23:19:23:26 | req.body | enclosingFunctionName | app.get#functionalargument |
 | autogenerated/Xss/ReflectedXss/ReflectedXss.js:27:21:27:36 | 'markdown-table' | argumentIndex | 0 |
 | autogenerated/Xss/ReflectedXss/ReflectedXss.js:27:21:27:36 | 'markdown-table' | calleeAccessPath |  |
 | autogenerated/Xss/ReflectedXss/ReflectedXss.js:27:21:27:36 | 'markdown-table' | calleeAccessPathWithStructuralInfo |  |