Skip to content

Commit d83ddfa

Browse files
asgerfasgerf
committed
JS: Migrate an experimental CodeInjection query
1 parent a398599 commit d83ddfa

File tree

1 file changed

+17
-12
lines changed

1 file changed

+17
-12
lines changed

javascript/ql/src/experimental/Security/CWE-094-dataURL/CodeInjection.ql

Lines changed: 17 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -49,38 +49,43 @@ class WorkerThreads extends DataFlow::Node {
4949
}
5050
}
5151

52-
class UrlConstructorLabel extends DataFlow::FlowLabel {
53-
UrlConstructorLabel() { this = "UrlConstructorLabel" }
54-
}
52+
newtype TFlowState =
53+
TTaint() or
54+
TUrlConstructor()
5555

5656
/**
5757
* A taint-tracking configuration for reasoning about code injection vulnerabilities.
5858
*/
5959
module CodeInjectionConfig implements DataFlow::StateConfigSig {
60-
class FlowState = DataFlow::FlowLabel;
60+
class FlowState extends TFlowState {
61+
string toString() {
62+
this = TTaint() and result = "taint"
63+
or
64+
this = TUrlConstructor() and result = "url-constructor"
65+
}
66+
}
6167

62-
predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
63-
source instanceof ActiveThreatModelSource and label.isTaint()
68+
predicate isSource(DataFlow::Node source, FlowState label) {
69+
source instanceof ActiveThreatModelSource and label = TTaint()
6470
}
6571

6672
predicate isSink(DataFlow::Node sink) { sink instanceof DynamicImport }
6773

68-
predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
69-
sink instanceof WorkerThreads and label instanceof UrlConstructorLabel
74+
predicate isSink(DataFlow::Node sink, FlowState label) {
75+
sink instanceof WorkerThreads and label = TUrlConstructor()
7076
}
7177

7278
predicate isBarrier(DataFlow::Node node) { node instanceof Barrier }
7379

7480
predicate isAdditionalFlowStep(
75-
DataFlow::Node pred, DataFlow::FlowLabel predlbl, DataFlow::Node succ,
76-
DataFlow::FlowLabel succlbl
81+
DataFlow::Node pred, FlowState predlbl, DataFlow::Node succ, FlowState succlbl
7782
) {
7883
exists(DataFlow::NewNode newUrl | succ = newUrl |
7984
newUrl = DataFlow::globalVarRef("URL").getAnInstantiation() and
8085
pred = newUrl.getArgument(0)
8186
) and
82-
predlbl.isDataOrTaint() and
83-
succlbl instanceof UrlConstructorLabel
87+
predlbl = TTaint() and
88+
succlbl = TUrlConstructor()
8489
}
8590
}
8691

0 commit comments

Comments
 (0)