@@ -11,25 +11,24 @@ import javascript
11
11
import PropertyInjectionShared
12
12
private import DataFlow:: FlowLabel
13
13
import UnsafeDynamicMethodAccessCustomizations:: UnsafeDynamicMethodAccess
14
+ private import UnsafeDynamicMethodAccessCustomizations:: UnsafeDynamicMethodAccess as UnsafeDynamicMethodAccess
14
15
15
16
// Materialize flow labels
16
- private class ConcreteUnsafeFunction extends UnsafeFunction {
17
+ deprecated private class ConcreteUnsafeFunction extends UnsafeFunction {
17
18
ConcreteUnsafeFunction ( ) { this = this }
18
19
}
19
20
20
21
/**
21
22
* A taint-tracking configuration for reasoning about unsafe dynamic method access.
22
23
*/
23
24
module UnsafeDynamicMethodAccessConfig implements DataFlow:: StateConfigSig {
24
- class FlowState = DataFlow :: FlowLabel ;
25
+ class FlowState = UnsafeDynamicMethodAccess :: FlowState ;
25
26
26
- predicate isSource ( DataFlow:: Node source , DataFlow :: FlowLabel label ) {
27
- source .( Source ) .getFlowLabel ( ) = label
27
+ predicate isSource ( DataFlow:: Node source , FlowState label ) {
28
+ source .( Source ) .getAFlowState ( ) = label
28
29
}
29
30
30
- predicate isSink ( DataFlow:: Node sink , DataFlow:: FlowLabel label ) {
31
- sink .( Sink ) .getFlowLabel ( ) = label
32
- }
31
+ predicate isSink ( DataFlow:: Node sink , FlowState label ) { sink .( Sink ) .getAFlowState ( ) = label }
33
32
34
33
predicate isBarrier ( DataFlow:: Node node ) {
35
34
node instanceof Sanitizer
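Review bot: The `// Materialize flow labels` comment now sits above a class that the hunk marks `deprecated`, but nothing on the new side says why the class is kept, so a reader cannot tell whether it is safe to remove; a why-comment such as `// Materialize the deprecated UnsafeFunction flow label; presumably only the legacy Configuration below still needs it.` would make that explicit. The same hunk imports `UnsafeDynamicMethodAccessCustomizations::UnsafeDynamicMethodAccess` twice, once publicly and once privately under the alias `UnsafeDynamicMethodAccess`, and the only visible use of the alias is the `class FlowState = UnsafeDynamicMethodAccess::FlowState` line; if the alias exists solely to qualify `FlowState` inside the config module, a short comment on the private import saying so would prevent it from being folded back into the public import later. The module `UnsafeDynamicMethodAccessConfig` continues past this hunk.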
@@ -38,44 +37,42 @@ module UnsafeDynamicMethodAccessConfig implements DataFlow::StateConfigSig {
38
37
not StringConcatenation:: isCoercion ( node )
39
38
}
40
39
41
- predicate isBarrier ( DataFlow:: Node node , DataFlow :: FlowLabel label ) {
40
+ predicate isBarrier ( DataFlow:: Node node , FlowState label ) {
42
41
TaintTracking:: defaultSanitizer ( node ) and
43
- label . isTaint ( )
42
+ label = FlowState :: taint ( )
44
43
}
45
44
46
45
/** An additional flow step for use in both this configuration and the legacy configuration. */
47
46
additional predicate additionalFlowStep (
48
- DataFlow:: Node src , DataFlow:: FlowLabel srclabel , DataFlow:: Node dst ,
49
- DataFlow:: FlowLabel dstlabel
47
+ DataFlow:: Node src , FlowState srclabel , DataFlow:: Node dst , FlowState dstlabel
50
48
) {
51
49
// Reading a property of the global object or of a function
52
50
exists ( DataFlow:: PropRead read |
53
51
PropertyInjection:: hasUnsafeMethods ( read .getBase ( ) .getALocalSource ( ) ) and
54
52
src = read .getPropertyNameExpr ( ) .flow ( ) and
55
53
dst = read and
56
- srclabel . isTaint ( ) and
57
- dstlabel = unsafeFunction ( )
54
+ srclabel = FlowState :: taint ( ) and
55
+ dstlabel = FlowState :: unsafeFunction ( )
58
56
)
59
57
or
60
58
// Reading a chain of properties from any object with a prototype can lead to Function
61
59
exists ( PropertyProjection proj |
62
60
not PropertyInjection:: isPrototypeLessObject ( proj .getObject ( ) .getALocalSource ( ) ) and
63
61
src = proj .getASelector ( ) and
64
62
dst = proj and
65
- srclabel . isTaint ( ) and
66
- dstlabel = unsafeFunction ( )
63
+ srclabel = FlowState :: taint ( ) and
64
+ dstlabel = FlowState :: unsafeFunction ( )
67
65
)
68
66
}
69
67
70
68
predicate isAdditionalFlowStep (
71
- DataFlow:: Node src , DataFlow:: FlowLabel srclabel , DataFlow:: Node dst ,
72
- DataFlow:: FlowLabel dstlabel
69
+ DataFlow:: Node src , FlowState srclabel , DataFlow:: Node dst , FlowState dstlabel
73
70
) {
74
71
additionalFlowStep ( src , srclabel , dst , dstlabel )
75
72
or
76
73
// We're not using a taint-tracking config because taint steps would then apply to all flow states.
77
74
// So we use a plain data flow config and manually add the default taint steps.
78
- srclabel . isTaint ( ) and
75
+ srclabel = FlowState :: taint ( ) and
79
76
TaintTracking:: defaultTaintStep ( src , dst ) and
80
77
srclabel = dstlabel
81
78
}
@@ -93,11 +90,11 @@ deprecated class Configuration extends TaintTracking::Configuration {
93
90
Configuration ( ) { this = "UnsafeDynamicMethodAccess" }
94
91
95
92
override predicate isSource ( DataFlow:: Node source , DataFlow:: FlowLabel label ) {
96
- UnsafeDynamicMethodAccessConfig:: isSource ( source , label )
93
+ UnsafeDynamicMethodAccessConfig:: isSource ( source , FlowState :: fromFlowLabel ( label ) )
97
94
}
98
95
99
96
override predicate isSink ( DataFlow:: Node sink , DataFlow:: FlowLabel label ) {
100
- UnsafeDynamicMethodAccessConfig:: isSink ( sink , label )
97
+ UnsafeDynamicMethodAccessConfig:: isSink ( sink , FlowState :: fromFlowLabel ( label ) )
101
98
}
102
99
103
100
override predicate isSanitizer ( DataFlow:: Node node ) {
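Review bot: The legacy `isSource` and `isSink` overrides now forward `FlowState::fromFlowLabel(label)` into the new configuration without a comment explaining the bridge, and if `fromFlowLabel` is partial (defined only for the labels that have a flow state) any other label silently yields no source or sink; a one-line comment above `isSource` such as `// Bridge the legacy FlowLabel API onto the FlowState module; labels without a matching state are simply not matched.` would document that, and the same applies to the `isAdditionalFlowStep` override in the last hunk. `FlowState` is unqualified here, outside the `UnsafeDynamicMethodAccessConfig` module, so it presumably resolves through the public `import UnsafeDynamicMethodAccessCustomizations::UnsafeDynamicMethodAccess` rather than the private alias added in the first hunk; worth confirming that is the intended resolution. The deprecated `Configuration` class begins before this hunk.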
@@ -117,6 +114,7 @@ deprecated class Configuration extends TaintTracking::Configuration {
117
114
DataFlow:: Node src , DataFlow:: Node dst , DataFlow:: FlowLabel srclabel ,
118
115
DataFlow:: FlowLabel dstlabel
119
116
) {
120
- UnsafeDynamicMethodAccessConfig:: additionalFlowStep ( src , srclabel , dst , dstlabel )
117
+ UnsafeDynamicMethodAccessConfig:: additionalFlowStep ( src , FlowState:: fromFlowLabel ( srclabel ) ,
118
+ dst , FlowState:: fromFlowLabel ( dstlabel ) )
121
119
}
122
120
}