move the TextEncoder and Buffer jose.base64url taint steps to a local query taint step

Author: am0o0

javascript/ql/lib/semmle/javascript/frameworks/JWT.qll

@@ -56,20 +56,6 @@ private module JsonWebToken {
  * Provides classes and predicates modeling the `jose` library.
  */
 private module Jose {
-  /**
-   * A taint-step for `succ = jose.base64url.encode(pred)` or `succ = jose.base64url.decode(pred)`.
-   */
-  private class Base64urlStep extends TaintTracking::SharedTaintStep, DataFlow::SharedFlowStep {
-    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-      exists(API::Node n |
-        n = API::moduleImport("jose").getMember("base64url").getMember(["decode", "encode"])
-      |
-        pred = n.getACall().getArgument(0) and
-        succ = n.getACall()
-      )
-    }
-  }
-
   /**
    * The asymmetric key or symmetric secret for verifying a JWT as a `CredentialsNode`.
    */
@@ -162,29 +148,3 @@ private module PassportJwt {
     override string getCredentialsKind() { result = "key" }
   }
 }
-
-/**
- * A taint-step for `succ = new TextEncoder().encode(pred)`.
- */
-private class TextEncoderStep extends TaintTracking::SharedTaintStep, DataFlow::SharedFlowStep {
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-   
-  exists(DataFlow::CallNode n | n = DataFlow::globalVarRef("TextEncoder").getAnInstantiation().getAMemberCall("encode") |
-    pred = n.getArgument(0) and
-    succ = n and
-    n.getLocation().getFile().getRelativePath().matches("%HardcodedCredentials.js%")
-  )
-  }
-}
-
-/**
- * A taint-step for `succ = Buffer.from(pred, "base64")`.
- */
-private class BufferFromStep extends TaintTracking::SharedTaintStep, DataFlow::SharedFlowStep {
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(DataFlow::CallNode n | n = DataFlow::globalVarRef("Buffer").getAMemberCall("from") |
-      pred = n.getArgument(0) and
-      succ = [n, n.getAChainedMethodCall(["toString", "toJSON"])]
-    )
-  }
-}

javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsQuery.qll

@@ -54,5 +54,25 @@ class Configuration extends DataFlow::Configuration {
       src = n.getParameter(0).getMember(["x", "y", "n"]).asSink() and
       trg = n.getReturn().getPromised().asSource()
     )
+    or
+    exists(DataFlow::CallNode n |
+      n = DataFlow::globalVarRef("TextEncoder").getAnInstantiation().getAMemberCall("encode")
+    |
+      src = n.getArgument(0) and
+      trg = n and
+      n.getLocation().getFile().getRelativePath().matches("%HardcodedCredentials.js%")
+    )
+    or
+    exists(DataFlow::CallNode n | n = DataFlow::globalVarRef("Buffer").getAMemberCall("from") |
+      src = n.getArgument(0) and
+      trg = [n, n.getAChainedMethodCall(["toString", "toJSON"])]
+    )
+    or
+    exists(API::Node n |
+      n = API::moduleImport("jose").getMember("base64url").getMember(["decode", "encode"])
+    |
+      src = n.getACall().getArgument(0) and
+      trg = n.getACall()
+    )
   }
 }