JS: Partial SSRF does not select the sink location

asgerf · asgerf · commit d3b9d1d89d8e · 2025-02-06T11:30:32.000+01:00
diff --git a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
@@ -68,8 +68,7 @@ private module PartialServerSideRequestForgeryConfig implements DataFlow::Config
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.(Sink).getLocation()
-    or
+    // Note: this query does not select the sink itself
     result = sink.(Sink).getRequest().getLocation()
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -68,8 +68,7 @@ private module PartialServerSideRequestForgeryConfig implements DataFlow::Config`
`68`	`68`	`predicate observeDiffInformedIncrementalMode() { any() }`
`69`	`69`
`70`	`70`	`Location getASelectedSinkLocation(DataFlow::Node sink) {`
`71`		`- result = sink.(Sink).getLocation()`
`72`		`- or`
	`71`	`+ // Note: this query does not select the sink itself`
`73`	`72`	`result = sink.(Sink).getRequest().getLocation()`
`74`	`73`	`}`
`75`	`74`	`}`