fix flowLabels

am0o0 · am0o0 · commit 41e7b91d78f3 · 2023-10-08T11:00:07.000+02:00
diff --git a/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.ql b/javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.ql
@@ -53,8 +53,8 @@ class WorkerThreads extends DataFlow::Node {
   }
 }
 
-class WorkerThreadsLabel extends FlowLabel {
-  WorkerThreadsLabel() { this = "worker_threads" }
+class URLConstructorLabel extends FlowLabel {
+  URLConstructorLabel() { this = "URLConstructorLabel" }
 }
 
 class DynamicImportLabel extends FlowLabel {
@@ -67,15 +67,12 @@ class DynamicImportLabel extends FlowLabel {
 class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "CodeInjection" }
 
-  override predicate isSource(DataFlow::Node source, FlowLabel label) {
-    source instanceof RemoteFlowSource and
-    (label instanceof DynamicImportLabel or label instanceof WorkerThreadsLabel)
-  }
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof DynamicImport }
 
   override predicate isSink(DataFlow::Node sink, FlowLabel label) {
-    sink instanceof DynamicImport and label instanceof DynamicImportLabel
-    or
-    sink instanceof WorkerThreads and label instanceof WorkerThreadsLabel
+    sink instanceof WorkerThreads and label instanceof URLConstructorLabel
   }
 
   override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
@@ -87,8 +84,8 @@ class Configuration extends TaintTracking::Configuration {
       newUrl = DataFlow::globalVarRef("URL").getAnInstantiation() and
       pred = newUrl.getArgument(0)
     ) and
-    predlbl instanceof WorkerThreadsLabel and
-    succlbl instanceof WorkerThreadsLabel
+    predlbl instanceof StandardFlowLabel and
+    succlbl instanceof URLConstructorLabel
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -53,8 +53,8 @@ class WorkerThreads extends DataFlow::Node {`
`53`	`53`	`}`
`54`	`54`	`}`
`55`	`55`
`56`		`-class WorkerThreadsLabel extends FlowLabel {`
`57`		`- WorkerThreadsLabel() { this = "worker_threads" }`
	`56`	`+class URLConstructorLabel extends FlowLabel {`
	`57`	`+ URLConstructorLabel() { this = "URLConstructorLabel" }`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`class DynamicImportLabel extends FlowLabel {`
`@@ -67,15 +67,12 @@ class DynamicImportLabel extends FlowLabel {`
`67`	`67`	`class Configuration extends TaintTracking::Configuration {`
`68`	`68`	`Configuration() { this = "CodeInjection" }`
`69`	`69`
`70`		`- override predicate isSource(DataFlow::Node source, FlowLabel label) {`
`71`		`- source instanceof RemoteFlowSource and`
`72`		`- (label instanceof DynamicImportLabel or label instanceof WorkerThreadsLabel)`
`73`		`- }`
	`70`	`+ override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
	`71`	`+`
	`72`	`+ override predicate isSink(DataFlow::Node sink) { sink instanceof DynamicImport }`
`74`	`73`
`75`	`74`	`override predicate isSink(DataFlow::Node sink, FlowLabel label) {`
`76`		`- sink instanceof DynamicImport and label instanceof DynamicImportLabel`
`77`		`- or`
`78`		`- sink instanceof WorkerThreads and label instanceof WorkerThreadsLabel`
	`75`	`+ sink instanceof WorkerThreads and label instanceof URLConstructorLabel`
`79`	`76`	`}`
`80`	`77`
`81`	`78`	`override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }`
`@@ -87,8 +84,8 @@ class Configuration extends TaintTracking::Configuration {`
`87`	`84`	`newUrl = DataFlow::globalVarRef("URL").getAnInstantiation() and`
`88`	`85`	`pred = newUrl.getArgument(0)`
`89`	`86`	`) and`
`90`		`- predlbl instanceof WorkerThreadsLabel and`
`91`		`- succlbl instanceof WorkerThreadsLabel`
	`87`	`+ predlbl instanceof StandardFlowLabel and`
	`88`	`+ succlbl instanceof URLConstructorLabel`
`92`	`89`	`}`
`93`	`90`	`}`
`94`	`91`