JS: Migrate to shared data flow library (targeting main!) 🚀 #18467

Status: Merged (548 commits), Jan 16, 2025

Commits
bc04131
JS: Disallow implicit reads before an optional step
asgerf Sep 11, 2024
2712bf8
JS: Fix a bug in isSafeClientSideUrlProperty
asgerf Sep 11, 2024
74ab346
JS: Do not include taint steps in TaintedUrlSuffix::step
asgerf Sep 11, 2024
0e4e0f4
JS: Preserve tainted-url-suffix when stepping into prefix
asgerf Sep 11, 2024
1df69ec
JS: Actually don't propagate into array element 0
asgerf Sep 12, 2024
7ba6995
JS: Clarify a comment
asgerf Sep 17, 2024
5e4c090
Merge pull request #17412 from asgerf/jss/array-index-constant
asgerf Sep 18, 2024
1cd00a1
Merge branch 'main' into js/shared-dataflow-merge-main
asgerf Sep 18, 2024
341bacf
JS: Fix bug causing re-evaluation of cached barriers
asgerf Oct 1, 2024
6cbe04d
JS: Consistently use the shared XSS barrier guards in the XSS queries
asgerf Oct 2, 2024
5d2ce17
JS: Update a test to handle AdditionalSanitizerGuardNode
asgerf Oct 2, 2024
72daa98
Merge pull request #17643 from asgerf/jss/cached-barriers
asgerf Oct 3, 2024
e2e91ac
Merge branch 'main' into js/shared-dataflow-merge-main
asgerf Oct 8, 2024
12e316b
JS: Update test output after merging in 'main'
asgerf Oct 8, 2024
443987b
Merge branch 'main' into js/shared-dataflow-merge-main
asgerf Oct 22, 2024
a258489
JS: Refactor some internal methods to make them easier to alias
asgerf Sep 19, 2024
7363b57
JS: Instantiate shared SSA library
asgerf Sep 19, 2024
81e74d8
JS: Add test case for spurious flow from lack of use-use
asgerf Sep 19, 2024
78e961c
JS: Add use-use flow
asgerf Sep 20, 2024
9e60042
JS: Remove unused predicate
asgerf Sep 20, 2024
211b42d
JS: Move BasicBlocks.qll -> internal/BasicBlocksInternal.qll
asgerf Sep 23, 2024
3b663bd
JS: Remove BasicBlockInternal module and mark relevant predicates as …
asgerf Sep 23, 2024
ed0af95
JS: Add Public module and only expose that
asgerf Sep 23, 2024
3fca27b
JS: Fix indentation
asgerf Sep 23, 2024
beaacf9
JS: Rename Internal -> Cached since whole file is internal now
asgerf Sep 23, 2024
992c144
JS: Add qldoc to file
asgerf Sep 23, 2024
d626e79
JS: Add two test cases for missing flow
asgerf Sep 23, 2024
9fc99d6
JS: Fix store into object literals that have a post-update node
asgerf Sep 23, 2024
c3c003b
JS: Fix post-update flow into 'this'
asgerf Sep 23, 2024
8dc0505
JS: Add test for missing flow into 'this' in field initializers
asgerf Sep 23, 2024
d31499d
JS: introduce implicit this uses in general
asgerf Sep 23, 2024
0ebe8bd
JS: Add test for missing capture flow for 'this'
asgerf Sep 23, 2024
12370e9
JS: Use VariableOrThis in variable capture as well
asgerf Sep 23, 2024
81af9a1
Fix missing flow through super calls
asgerf Sep 24, 2024
67fdd86
JS: Add TODO
asgerf Sep 24, 2024
e784813
JS: Make barrier guards work with use-use flow
asgerf Oct 8, 2024
958602e
JS: Cache getARead (as per instructions in the SSA library)
asgerf Sep 27, 2024
16b08b7
JS: Add test showing potential for FPs when handling refinement guards
asgerf Sep 27, 2024
e05e077
JS: Block jump steps through 'this' now that the capture lib handles …
asgerf Sep 30, 2024
bd94fe1
JS: Explain false positive in test case
asgerf Oct 8, 2024
cb87494
Test updates from introduction of implicit 'this'
asgerf Oct 10, 2024
4473e6d
JS: Update test with some post-update consistency checks gone
asgerf Oct 11, 2024
c0997c2
JS: Reveal issue with immutable.js test
asgerf Oct 17, 2024
ad52b71
JS: Update immutable.js test to clarify why it stopped working
asgerf Oct 17, 2024
1efef2c
JS: Change rule for getPostUpdateForStore
asgerf Oct 18, 2024
d557c76
JS: Update a test that now has more precise output
asgerf Oct 23, 2024
1b85feb
JS: Add imprecise post-update steps for when a captured var/this is n…
asgerf Oct 23, 2024
d3e70c1
JS: Add in-barrier to XSS query
asgerf Oct 23, 2024
18b3946
JS: Add regained results in UnsafeJQueryPlugin
asgerf Oct 23, 2024
1243188
JS: Update CleartextLogging with fixed FP
asgerf Oct 23, 2024
52ba91a
JS: Updates to nodes/edges in tests
asgerf Oct 23, 2024
1e9e57e
JS: Fix missing qldoc
asgerf Oct 28, 2024
2fb1084
JS: Only parameter-calls as lambda calls
asgerf Oct 28, 2024
637baab
JS: Clarify why there are no SSA definitions
asgerf Nov 12, 2024
80ee372
JS: Replace an unused value with _
asgerf Nov 12, 2024
33b7ba4
Merge pull request #17535 from asgerf/jss/use-use-flow
asgerf Nov 18, 2024
5ed362f
JS: Add exception test case
asgerf Nov 4, 2024
7acc568
JS: Port exception steps to a universal summary
asgerf Aug 22, 2024
7f2eae0
JS: Add test case for false flow through IIFEs
asgerf Nov 18, 2024
37676f4
JS: Remove jump steps from IIFE steps
asgerf Nov 1, 2024
023dcce
JS: Disable variable capture heuristic
asgerf Nov 1, 2024
d2daec4
JS: Add tests explaining why the IIFE in f2 didn't work
asgerf Nov 19, 2024
80a5a59
JS: Use getUnderlyingValue() a few places in VariableCapture
asgerf Nov 19, 2024
0166990
JS: Block InsecureRandomness flow into test files
asgerf Nov 1, 2024
d1c9e47
JS: More aggressive test file classification
asgerf Nov 1, 2024
d52bc97
Merge branch 'main' into js/shared-dataflow-merge-main
asgerf Nov 20, 2024
b7dd455
JS: Add test case
asgerf Nov 21, 2024
dcdb2e5
JS: Fix callback check so it works without parameters
asgerf Nov 21, 2024
948d21c
JS: Propagate exceptions from summarized callables by default
asgerf Nov 21, 2024
84820ad
Add test for exception flow out of finally()
asgerf Nov 21, 2024
4e62a51
JS: Only apply exception propagator when no other summary applies
asgerf Nov 21, 2024
ce00bd2
JS: More docs
asgerf Nov 21, 2024
9dad2d6
JS: Update DataFlowConsistency
asgerf Nov 21, 2024
1ac7591
JS: Update missed flow in capture-flow.js
asgerf Nov 21, 2024
7a77432
JS: Update lost result in insecure-download
asgerf Nov 21, 2024
930a7b6
JS: Update output changes to nodes/edges/subpaths
asgerf Nov 21, 2024
b4bd8e7
JS: Add test for file classification change
asgerf Nov 26, 2024
65da9b4
JS: Add cross-file test in InsecureRandom
asgerf Nov 26, 2024
f073f3b
JS: Rename file to foo.test.js
asgerf Nov 26, 2024
c2e9dca
Merge pull request #18043 from asgerf/jss/jump-and-test-exclusion
asgerf Nov 26, 2024
82d61e4
Merge branch 'js/shared-dataflow-branch' into js/shared-dataflow-merg…
asgerf Nov 26, 2024
bf62582
JS: Implement 'speculativeTaintStep'
asgerf Nov 20, 2024
c94a01e
JS: Remove reference to argsParseStep
asgerf Nov 21, 2024
8818fcc
JS: Benign test output changes
asgerf Nov 26, 2024
805fd0b
JS: Refine speculative step definition
asgerf Nov 26, 2024
66d6bda
Merge pull request #18044 from asgerf/js/shared-dataflow-bump
asgerf Nov 27, 2024
df12f25
JS: Rename propagatesFlowExt -> propagatesFlow
asgerf Nov 12, 2024
e34064e
JS: Initial instantiation of summary type tracking
asgerf Nov 19, 2024
6349903
JS: Move FlowSummary/Summaries.qll into testUtilities
asgerf Nov 19, 2024
440cbb7
JS: Add inline-expectation test for type tracking
asgerf Nov 19, 2024
2f0c80a
JS: Include summary steps in type tracking
asgerf Nov 19, 2024
9c6b698
JS: Add test to restrict dependencies
asgerf Nov 29, 2024
cab8a40
JS: Fix accidental recursion
asgerf Nov 29, 2024
32f020e
JS: Port tutorial query1
asgerf Nov 28, 2024
3319870
JS: Port tutorial query2
asgerf Nov 28, 2024
1f6335f
JS: Port tutorial query3
asgerf Nov 28, 2024
02c5e49
JS: Port tutorial query4
asgerf Nov 28, 2024
103a6ea
JS: Port tutorial query5
asgerf Nov 28, 2024
2722c45
JS: Update global data flow tutorial .rst file
asgerf Nov 28, 2024
2db89c1
JS: Update query17 from intro tutorial
asgerf Nov 29, 2024
628f60d
JS: Update flow label tutorial
asgerf Nov 29, 2024
422c089
JS: Remove redundant base class in TruthinessCheck
asgerf Dec 2, 2024
404b0f2
JS: Fix another stray reference to BarrierGuardNode/SanitizerGuardNode
asgerf Dec 2, 2024
8bca664
JS: Add test showing lack of inclusion in PropertyName
asgerf Dec 3, 2024
054558d
JS: Include content properties in type-tracker properties
asgerf Dec 3, 2024
5e27257
Update docs/codeql/codeql-language-guides/analyzing-data-flow-in-java…
asgerf Dec 3, 2024
89849fa
Update docs/codeql/codeql-language-guides/using-flow-labels-for-preci…
asgerf Dec 3, 2024
935e1c0
Update docs/codeql/codeql-language-guides/using-flow-labels-for-preci…
asgerf Dec 3, 2024
89463d7
JS: Remove mention of isAdditionalTaintStep
asgerf Dec 3, 2024
27e61a1
JS: Also update cheat sheet
asgerf Dec 3, 2024
e1aff15
Merge pull request #18125 from asgerf/jss/summary-type-tracker
asgerf Dec 3, 2024
071189a
Merge pull request #18175 from asgerf/jss/documentation
asgerf Dec 3, 2024
0cd2e3f
JS: Deprecate old data flow library, except some guard-related nodes
asgerf Nov 6, 2024
bc7753d
JS: Remove non-deprecated reference to AdditionalBarrierGuardNode
asgerf Nov 6, 2024
82682d9
JS: Remove a non-deprecated reference to SanitizerGuardNode
asgerf Nov 6, 2024
c2abb0f
JS: Remove reference to AdditionalSanitizerGuard from CachedStages
asgerf Nov 6, 2024
0b1e859
JS: Remove uses of AdditionalSanitizerGuardNode
asgerf Nov 6, 2024
988fa9c
JS: Deprecate AdditionalSanitizerGuardNode
asgerf Nov 6, 2024
13ee597
JS: Add some proper documentation to SummarizedCallable
asgerf Nov 12, 2024
249104b
JS: Update comments referring to old `Configuration` style
asgerf Nov 12, 2024
f758b67
JS: Openly recommend SummarizedCallable
asgerf Nov 12, 2024
a568d8c
JS: Port threat-model test to ConfigSig
asgerf Nov 28, 2024
3548544
JS: Avoid some uses of deprecated guard classes in tests
asgerf Nov 28, 2024
4d7401a
JS: Deprecate tests for deprecated APIs
asgerf Nov 28, 2024
1832e93
JS: Port FormParsers test to ConfigSig
asgerf Nov 28, 2024
8887ca1
JS: Port an experimental CodeInjection variant to ConfigSig
asgerf Nov 28, 2024
4f83907
JS: Port experimental EnvValueAndKeyInjection to ConfigSig
asgerf Nov 28, 2024
7e162f5
JS: Port experimental EnvValueInjection to ConfigSig
asgerf Nov 28, 2024
72e5226
JS: Port experimental jwtDecodeWithoutVerification to ConfigSig
asgerf Nov 28, 2024
f5a6485
JS: Port experimental decodeJwtWithoutVerificationLocalSource
asgerf Nov 28, 2024
871bc3b
JS: Port experimental CorsPermissiveConfiguration to ConfigSig
asgerf Nov 28, 2024
834d35b
JS: Port experimental DecompressionBombs to ConfigSig
asgerf Nov 28, 2024
04a3a67
JS: Update a reference to AdditionalSanitizerGuardNode
asgerf Nov 28, 2024
0ce1fe7
JS: Deprecate ConsistencyChecking to avoid deprecation warnings
asgerf Nov 28, 2024
e6680de
JS: Avoid use of LabeledSanitizerGuardNode in TaintedObject
asgerf Nov 28, 2024
75ab485
Remove unsupported features from PoI
asgerf Nov 28, 2024
08d25c1
JS: Deprecate more uses of ConsistencyConfiguration
asgerf Nov 28, 2024
a574ff1
JS: Remove use of MakeLegacyBarrierGuard in experimental SSRF
asgerf Nov 29, 2024
21494fb
JS: Refactor BarrierGuardLegacy pattern to not depend on SanitizerGua…
asgerf Nov 29, 2024
2ef652d
JS: Add more deprecation annotations in tests
asgerf Nov 29, 2024
2ae7386
JS: Also apply new BarrierGuardLegacy pattern in Xss.qll
asgerf Nov 29, 2024
f620191
JS: Deprecate SanitizerGuardNode
asgerf Nov 29, 2024
62c17d3
JS: Update SanitizerGuardNode use in BasicTaintTracking test
asgerf Nov 29, 2024
0d79c71
JS: Update two more uses of SanitizerGuardNode
asgerf Nov 29, 2024
b346198
JS: Remove use of SanitizerGuardNode in experimental SSRF query
asgerf Nov 29, 2024
3f0d0e3
JS: Deprecate DataFlow::BarrierGuardNode
asgerf Dec 2, 2024
b8d652c
Merge pull request #18132 from asgerf/jss/deprecation
asgerf Dec 6, 2024
f8ff504
JS: Add ClientSideUrlRedirect test consistency
asgerf Dec 4, 2024
712c69e
JS: Fixup the test expectations
asgerf Dec 4, 2024
e2b2d1c
JS: Allow arbitrary comments in ConsistencyChecking
asgerf Dec 4, 2024
ef833de
JS: Replace DocumentUrl with TaintedUrlSuffix
asgerf Dec 4, 2024
f6d0835
JS: Show problem with new RegExp().exec()
asgerf Dec 4, 2024
71a6a47
JS: Fix issue with new RegExp().exec()
asgerf Dec 4, 2024
8fe39bd
JS: Update query's own output after test changes
asgerf Dec 4, 2024
d169401
JS: Update test showing accidental flow label materialisation
asgerf Dec 9, 2024
2a2a4d2
JS: Add TaintedUrlSuffixCustomizations
asgerf Dec 9, 2024
703cad9
Expand test case
asgerf Dec 9, 2024
be617ce
JS: More precise handling of .exec()
asgerf Dec 9, 2024
6e7c5a3
JS: Slightly more general getRoot()
asgerf Dec 9, 2024
66eb458
JS: Handle match/matchAll and unknown regexps
asgerf Dec 9, 2024
0802107
JS: Flow label -> flow state in TaintedPath
asgerf Nov 29, 2024
0cd01cb
JS: Use node1,state1,node2,state2 naming convention in tainted path
asgerf Dec 4, 2024
38c9023
JS: FlowLabel -> FlowState in ZipSlip
asgerf Dec 4, 2024
77f8e8e
JS: Use FlowState::fromFlowLabel instead of Label::toFlowState
asgerf Dec 10, 2024
f8abc5a
Merge pull request #18204 from asgerf/jss/flow-labels
asgerf Dec 11, 2024
97b78e7
JS: Added more qldoc
asgerf Dec 12, 2024
a53d294
Merge pull request #18203 from asgerf/jss/document-url
asgerf Dec 12, 2024
a8fdd75
JS: Add FlowState class to TaintedUrlSuffix
asgerf Dec 11, 2024
cca9802
JS: Use flow state in barrier and step relations
asgerf Dec 11, 2024
3cf14d8
JS: Migrate ClientSideUrlRedirect to flow state
asgerf Dec 11, 2024
114d4a1
JS: Move FlowState definition into CommonFlowState
asgerf Dec 11, 2024
12289d4
JS: Migrate DomBasedXssQuery to FlowState
asgerf Dec 11, 2024
14ca1c1
JS: Update TaintedUrlSuffix test
asgerf Dec 11, 2024
5f42a71
JS: Migrate TaintedObject to a CommonFlowState
asgerf Dec 11, 2024
15d999a
JS: Migrate DeepObjectResourceExhaustion
asgerf Dec 11, 2024
daddff0
JS: Avoid deprecation warning in XssThroughDom
asgerf Dec 11, 2024
8e8de5c
JS: Migrate LoopBoundInjection
asgerf Dec 12, 2024
c38e3a2
JS: Migrate NoSqlInjection
asgerf Dec 12, 2024
355f7cd
JS: Migrate PrototypePollutingMergeCall
asgerf Dec 12, 2024
3573f0b
JS: Migrate SecondOrderCommandInjection
asgerf Dec 12, 2024
8907252
JS: Migrate TemplateObjectInjection
asgerf Dec 12, 2024
d9a43db
JS: Migrate UnsafeHtmlConstruction
asgerf Dec 12, 2024
42a7208
JS: Migrate ExceptionXss
asgerf Dec 12, 2024
dc3d7a0
Update ExceptionXssCustomizations.qll
asgerf Dec 13, 2024
2112ecc
JS: Migrate HardcodedDataInterpretedAsCode
asgerf Dec 13, 2024
d381ab1
JS: Migrate IncompleteHtmlAttributeSanitization
asgerf Dec 13, 2024
4e25036
JS: Follow naming convention in InsecureModuleFlow module
asgerf Dec 13, 2024
bcc1669
JS: Migrate InsecureDownload
asgerf Dec 13, 2024
a9e89ed
JS: Migrate PrototypePollutingAssignment
asgerf Dec 13, 2024
820f81f
JS: Migrate UnsafeDynamicMethodAccess
asgerf Dec 13, 2024
c951a29
JS: Migrate UnvalidatedDynamicMethodCall
asgerf Dec 13, 2024
a398599
JS: Rename an experimental query
asgerf Dec 13, 2024
d83ddfa
JS: Migrate an experimental CodeInjection query
asgerf Dec 13, 2024
ebe596f
JS: Migrate CorsPermissiveConfiguration
asgerf Dec 13, 2024
73af3f3
JS: Migrate PrototypePollutingFunction
asgerf Dec 13, 2024
69b361a
JS: Migrate a test to use flow state
asgerf Dec 13, 2024
d993c88
JS: Deprecate the FlowLabel class
asgerf Dec 13, 2024
ac6da6c
JS: Add some missing qldoc
asgerf Dec 13, 2024
079294e
JS: Mass rename to node1,state1,node2,state2 naming convention
asgerf Dec 13, 2024
cf6d166
JS: Also update tutorial code
asgerf Dec 13, 2024
db00dad
JS: Avoid deprecation warnings in some tests
asgerf Dec 13, 2024
0b2914f
JS: A few more deprecation updates
asgerf Dec 13, 2024
947b785
JS: Remove reference to deprecated step relation that's empty anyway
asgerf Dec 13, 2024
e5ae7e0
JS: Fix bad join in isOptionallySanitizedEdgeInternal
asgerf Dec 16, 2024
729efff
Merge pull request #18265 from asgerf/jss/flow-labels2
asgerf Dec 17, 2024
3acd481
Merge branch 'main' into js/shared-dataflow-merge-main
asgerf Dec 19, 2024
33e8bd5
JS: Update testUtilities import
asgerf Dec 19, 2024
c204527
JS: Update Array test output (new tests added on main)
asgerf Dec 19, 2024
de5e6dd
JS: Update with changes in TaintTracking test
asgerf Dec 19, 2024
dc2f39c
JS: Add model of Map#groupBy
asgerf Dec 19, 2024
cd6ebb1
JS: Make test not assume implicit through for maps
asgerf Dec 19, 2024
4a6030c
JS: Update expected with some absent result sets
asgerf Dec 19, 2024
f8dc7eb
JS: Update output from tests that changed on main
asgerf Dec 19, 2024
942ba18
JS: Minor test output change in nodes/edges
asgerf Dec 19, 2024
7e4fbe2
Merge pull request #18326 from asgerf/js/shared-dataflow-bump
asgerf Jan 3, 2025
0339bd0
JS: Deprecate forward/backward exploration modules
asgerf Jan 3, 2025
25f5ecb
JS: Deprecate the Configuration.qll file
asgerf Jan 3, 2025
4c9f406
JS: Exclude some sinks in UnvalidatedDynamicMethodCall
asgerf Jan 6, 2025
e2af19b
JS: Restrict "get" step to Map objects
asgerf Jan 6, 2025
23d7420
JS: Hide default exceptional return node
asgerf Jan 6, 2025
7ccb476
JS: Restrict AP length in ExceptionXss
asgerf Jan 6, 2025
0cdda87
JS: Restrict AP length in prototype-polluting function
asgerf Jan 6, 2025
47cc3c0
JS: Deprecate an import
asgerf Jan 7, 2025
f17cc5a
JS: Move all hidden node definitions into DataFlowPrivate
asgerf Jan 7, 2025
abea019
Merge pull request #18412 from asgerf/jss/perf-fixes
asgerf Jan 7, 2025
c47419e
JS: Remove an obsolete TODO comment (this has been fixed)
asgerf Jan 8, 2025
36f0d2f
JS: Move VarAccessBarrier outside the deprecated Configuration.qll file
asgerf Jan 8, 2025
e7d267e
JS: Add migration guide and change note
asgerf Jan 7, 2025
df9b955
JS: Add deprecation qldoc to Configuration classes
asgerf Dec 20, 2024
0623913
JS: Remove notes about changing API in the future
asgerf Jan 3, 2025
b6b93dc
Merge pull request #18392 from asgerf/jss/deprecate-modules
asgerf Jan 8, 2025
26d85d5
Apply suggestions from code review
asgerf Jan 8, 2025
ecccc7c
Update docs/codeql/codeql-language-guides/migrating-javascript-datafl…
asgerf Jan 8, 2025
10d5d09
JS: Polish taint-tracking section in response to review comment
asgerf Jan 8, 2025
1997e0a
Merge pull request #18427 from asgerf/jss/change-note
asgerf Jan 9, 2025
3cc1525
JS: Remove obsolete TODOs
asgerf Jan 9, 2025
8ac08db
JS: Remove TODOs about WithArrayElement not being a taint step
asgerf Jan 9, 2025
7766f97
JS: Remove obsolete TODO
asgerf Jan 9, 2025
b29ee2a
JS: Remove references to localFieldStep
asgerf Jan 9, 2025
fb54a3b
JS: Remove obsolete TODO comment
asgerf Jan 9, 2025
dd37c47
JS: Remove mention of results from comments
asgerf Jan 9, 2025
a8f93ca
JS: Remove obsolete comment
asgerf Jan 9, 2025
8b060c4
JS: Remove TODO about evaluating legacy steps
asgerf Jan 9, 2025
388dd87
JS: Remove TODO tracked by an issue.
asgerf Jan 9, 2025
3def8ec
JS: Remove unimportant TODO
asgerf Jan 9, 2025
d9da944
JS: Rephrase TODO
asgerf Jan 9, 2025
b2d62a0
JS: Move a test failure explanation into the test suite
asgerf Jan 9, 2025
3f2882e
JS: Remove an obsolete comment
asgerf Jan 9, 2025
9c4d378
JS: Remove TODO comment
asgerf Jan 9, 2025
0f6e8bf
Merge pull request #18451 from asgerf/jss/cleanup-todos
asgerf Jan 9, 2025
@@ -204,58 +204,45 @@ data flow solver that can check whether there is (global) data flow from a sourc
Optionally, configurations may specify extra data flow edges to be added to the data flow graph, and may also specify `barriers`. Barriers are data flow nodes or edges through
which data should not be tracked for the purposes of this analysis.

To define a configuration, extend the class ``DataFlow::Configuration`` as follows:
To define a configuration, add a module that implements the signature ``DataFlow::ConfigSig`` and pass it to ``DataFlow::Global`` as follows:

.. code-block:: ql

class MyDataFlowConfiguration extends DataFlow::Configuration {
MyDataFlowConfiguration() { this = "MyDataFlowConfiguration" }
module MyAnalysisConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { /* ... */ }

override predicate isSource(DataFlow::Node source) { /* ... */ }
predicate isSink(DataFlow::Node sink) { /* ... */ }

override predicate isSink(DataFlow::Node sink) { /* ... */ }

// optional overrides:
override predicate isBarrier(DataFlow::Node nd) { /* ... */ }
override predicate isBarrierEdge(DataFlow::Node pred, DataFlow::Node succ) { /* ... */ }
override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { /* ... */ }
// optional predicates:
predicate isBarrier(DataFlow::Node nd) { /* ... */ }
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { /* ... */ }
}

The characteristic predicate ``MyDataFlowConfiguration()`` defines the name of the configuration, so ``"MyDataFlowConfiguration"`` should be replaced by a suitable
name describing your particular analysis configuration.
module MyAnalysisFlow = DataFlow::Global<MyAnalysisConfig>

The data flow analysis is performed using the predicate ``hasFlow(source, sink)``:
The data flow analysis is performed using the predicate ``MyAnalysisFlow::flow(source, sink)``:

.. code-block:: ql

from MyDataFlowConfiguration dataflow, DataFlow::Node source, DataFlow::Node sink
where dataflow.hasFlow(source, sink)
from DataFlow::Node source, DataFlow::Node sink
where MyAnalysisFlow::flow(source, sink)
select source, "Data flow from $@ to $@.", source, source.toString(), sink, sink.toString()

Using global taint tracking
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Global taint tracking extends global data flow with additional non-value-preserving steps, such as flow through string-manipulating operations. To use it, simply extend
``TaintTracking::Configuration`` instead of ``DataFlow::Configuration``:
Global taint tracking extends global data flow with additional non-value-preserving steps, such as flow through string-manipulating operations. To use it, simply
use ``TaintTracking::Global<...>`` instead of ``DataFlow::Global<...>``:

.. code-block:: ql

class MyTaintTrackingConfiguration extends TaintTracking::Configuration {
MyTaintTrackingConfiguration() { this = "MyTaintTrackingConfiguration" }

override predicate isSource(DataFlow::Node source) { /* ... */ }

override predicate isSink(DataFlow::Node sink) { /* ... */ }
module MyAnalysisConfig implements DataFlow::ConfigSig {
/* ... */
}

Analogous to ``isAdditionalFlowStep``, there is a predicate ``isAdditionalTaintStep`` that you can override to specify custom flow steps to consider in the analysis.
Instead of the ``isBarrier`` and ``isBarrierEdge`` predicates, the taint tracking configuration includes ``isSanitizer`` and ``isSanitizerEdge`` predicates that specify
data flow nodes or edges that act as taint sanitizers and hence stop flow from a source to a sink.
module MyAnalysisFlow = TaintTracking::Global<MyAnalysisConfig>

Similar to global data flow, the characteristic predicate ``MyTaintTrackingConfiguration()`` defines the unique name of the configuration, so ``"MyTaintTrackingConfiguration"``
should be replaced by an appropriate descriptive name.

The taint tracking analysis is again performed using the predicate ``hasFlow(source, sink)``.
The taint tracking analysis is again performed using the predicate ``MyAnalysisFlow::flow(source, sink)``.

Examples
~~~~~~~~
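Review bot: the two module alias lines in this hunk, ``module MyAnalysisFlow = DataFlow::Global<MyAnalysisConfig>`` and ``module MyAnalysisFlow = TaintTracking::Global<MyAnalysisConfig>``, lack the trailing semicolon that a QL module alias requires and that the equivalent line in the next hunk (``module CommandLineFileNameFlow = TaintTracking::Global<CommandLineFileNameConfig>;``) does have, so the snippets will not compile if copied as written. Two smaller points in the same hunk: "To use it, simply use ``TaintTracking::Global<...>``" repeats "use" ("simply substitute ``TaintTracking::Global<...>`` for ``DataFlow::Global<...>``" reads better), and deleting the paragraph about ``isSanitizer``/``isSanitizerEdge`` leaves the taint-tracking section silent on how sanitizers are specified now; one sentence saying that ``isBarrier`` from ``DataFlow::ConfigSig`` plays that role in taint tracking too would help readers migrating from the old API.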
@@ -267,20 +254,20 @@ time using global taint tracking.

import javascript

class CommandLineFileNameConfiguration extends TaintTracking::Configuration {
CommandLineFileNameConfiguration() { this = "CommandLineFileNameConfiguration" }

override predicate isSource(DataFlow::Node source) {
module CommandLineFileNameConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
DataFlow::globalVarRef("process").getAPropertyRead("argv").getAPropertyRead() = source
}

override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
DataFlow::moduleMember("fs", "readFile").getACall().getArgument(0) = sink
}
}

from CommandLineFileNameConfiguration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
module CommandLineFileNameFlow = TaintTracking::Global<CommandLineFileNameConfig>;

from DataFlow::Node source, DataFlow::Node sink
where CommandLineFileNameFlow::flow(source, sink)
select source, sink

This query will now find flows that involve inter-procedural steps, like in the following example (where the individual steps have been marked with comments
@@ -325,15 +312,15 @@ with an error if it does not. We could then use that function in ``readFileHelpe
}

For the purposes of our above analysis, ``checkPath`` is a `sanitizer`: its output is always untainted, even if its input is tainted. To model this
we can add an override of ``isSanitizer`` to our taint-tracking configuration like this:
we can add an ``isBarrier`` predicate to our taint-tracking configuration like this:

.. code-block:: ql

class CommandLineFileNameConfiguration extends TaintTracking::Configuration {
module CommandLineFileNameConfig implements DataFlow::ConfigSig {

// ...

override predicate isSanitizer(DataFlow::Node nd) {
predicate isBarrier(DataFlow::Node nd) {
nd.(DataFlow::CallNode).getCalleeName() = "checkPath"
}
}
@@ -359,36 +346,36 @@ Note that ``checkPath`` is now no longer a sanitizer in the sense described abov
through ``checkPath`` any more. The flow is, however, `guarded` by ``checkPath`` in the sense that the expression ``checkPath(p)`` has to evaluate
to ``true`` (or, more precisely, to a truthy value) in order for the flow to happen.

Such sanitizer guards can be supported by defining a new subclass of ``TaintTracking::SanitizerGuardNode`` and overriding the predicate
``isSanitizerGuard`` in the taint-tracking configuration class to add all instances of this class as sanitizer guards to the configuration.
Such sanitizer guards can be supported by defining a class with a ``blocksExpr`` predicate and using the `DataFlow::MakeBarrierGuard`` module
to implement the ``isBarrier`` predicate.

For our above example, we would begin by defining a subclass of ``SanitizerGuardNode`` that identifies guards of the form ``checkPath(...)``:
For our above example, we would begin by defining a subclass of ``DataFlow::CallNode`` that identifies guards of the form ``checkPath(...)``:

.. code-block:: ql

class CheckPathSanitizerGuard extends TaintTracking::SanitizerGuardNode, DataFlow::CallNode {
class CheckPathSanitizerGuard extends DataFlow::CallNode {
CheckPathSanitizerGuard() { this.getCalleeName() = "checkPath" }

override predicate sanitizes(boolean outcome, Expr e) {
predicate blocksExpr(boolean outcome, Expr e) {
outcome = true and
e = getArgument(0).asExpr()
e = this.getArgument(0).asExpr()
}
}

The characteristic predicate of this class checks that the sanitizer guard is a call to a function named ``checkPath``. The overriding definition
of ``sanitizes`` says such a call sanitizes its first argument (that is, ``getArgument(0)``) if it evaluates to ``true`` (or rather, a truthy
The characteristic predicate of this class checks that the sanitizer guard is a call to a function named ``checkPath``. The definition
of ``blocksExpr`` says such a call sanitizes its first argument (that is, ``getArgument(0)``) if it evaluates to ``true`` (or rather, a truthy
value).

Now we can override ``isSanitizerGuard`` to add these sanitizer guards to our configuration:
Now we can implement ``isBarrier`` to add this sanitizer guard to our configuration:

.. code-block:: ql

class CommandLineFileNameConfiguration extends TaintTracking::Configuration {
module CommandLineFileNameConfig implements DataFlow::ConfigSig {

// ...

override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode nd) {
nd instanceof CheckPathSanitizerGuard
predicate isBarrier(DataFlow::Node node) {
node = DataFlow::MakeBarrierGuard<CheckPathSanitizerGuard>::getABarrierNode()
}
}

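Review bot: the inline literal in "using the `DataFlow::MakeBarrierGuard`` module" opens with a single backtick and closes with two, so Sphinx will treat it as malformed interpreted text instead of rendering a code literal; make the opening delimiter a double backtick to match the closing one and the other literals in the paragraph. Everything else in the hunk is consistent: ``blocksExpr(boolean outcome, Expr e)`` on a ``DataFlow::CallNode`` subclass is what ``DataFlow::MakeBarrierGuard<...>::getABarrierNode()`` expects, and ``this.getArgument(0)`` is the right fix for the implicit-``this`` call in the old snippet.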
@@ -399,7 +386,7 @@ reach there if ``checkPath(p)`` evaluates to a truthy value. Consequently, there
Additional taint steps
~~~~~~~~~~~~~~~~~~~~~~

Sometimes the default data flow and taint steps provided by ``DataFlow::Configuration`` and ``TaintTracking::Configuration`` are not sufficient
Sometimes the default data flow and taint steps provided by the data flow library are not sufficient
and we need to add additional flow or taint steps to our configuration to make it find the expected flow. For example, this can happen because
the analyzed program uses a function from an external library whose source code is not available to the analysis, or because it uses a function
that is too difficult to analyze.
@@ -420,20 +407,20 @@ to resolve any symlinks in the path ``p`` before passing it to ``readFile``:
Resolving symlinks does not make an unsafe path any safer, so we would still like our query to flag this, but since the standard library does
not have a model of ``resolve-symlinks`` it will no longer return any results.

We can fix this quite easily by adding an overriding definition of the ``isAdditionalTaintStep`` predicate to our configuration, introducing an
We can fix this quite easily by adding a definition of the ``isAdditionalFlowStep`` predicate to our configuration, introducing an
additional taint step from the first argument of ``resolveSymlinks`` to its result:

.. code-block:: ql

class CommandLineFileNameConfiguration extends TaintTracking::Configuration {
module CommandLineFileNameConfig implements DataFlow::ConfigSig {

// ...

override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(DataFlow::CallNode c |
c = DataFlow::moduleImport("resolve-symlinks").getACall() and
pred = c.getArgument(0) and
succ = c
node1 = c.getArgument(0) and
node2 = c
)
}
}
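Review bot: the surrounding prose still says the new ``isAdditionalFlowStep`` definition introduces "an additional taint step", which is correct for a configuration passed to ``TaintTracking::Global`` but is never stated now that the mention of ``isAdditionalTaintStep`` has been removed; a sentence noting that ``DataFlow::ConfigSig`` has no separate ``isAdditionalTaintStep`` and that ``TaintTracking::Global`` treats every ``isAdditionalFlowStep`` edge as a taint step would spare migrating readers a search. The ``node1``/``node2`` renaming is consistent with the convention adopted elsewhere in this PR.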
@@ -444,11 +431,11 @@ to wrap it in a new subclass of ``TaintTracking::SharedTaintStep`` like this:
.. code-block:: ql

class StepThroughResolveSymlinks extends TaintTracking::SharedTaintStep {
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
exists(DataFlow::CallNode c |
c = DataFlow::moduleImport("resolve-symlinks").getACall() and
pred = c.getArgument(0) and
succ = c
node1 = c.getArgument(0) and
node2 = c
)
}
}
@@ -494,18 +481,18 @@ Exercise 2

import javascript

class HardCodedTagNameConfiguration extends DataFlow::Configuration {
HardCodedTagNameConfiguration() { this = "HardCodedTagNameConfiguration" }

override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof ConstantString }
module HardCodedTagNameConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source.asExpr() instanceof ConstantString }

override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
sink = DataFlow::globalVarRef("document").getAMethodCall("createElement").getArgument(0)
}
}

from HardCodedTagNameConfiguration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
module HardCodedTagNameFlow = DataFlow::Global<HardCodedTagNameConfig>;

from DataFlow::Node source, DataFlow::Node sink
where HardCodedTagNameFlow::flow(source, sink)
select source, sink

Exercise 3
@@ -540,18 +527,18 @@ Exercise 4
}
}

class HardCodedTagNameConfiguration extends DataFlow::Configuration {
HardCodedTagNameConfiguration() { this = "HardCodedTagNameConfiguration" }
module HardCodedTagNameConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof ArrayEntryCallResult }

override predicate isSource(DataFlow::Node source) { source instanceof ArrayEntryCallResult }

override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
sink = DataFlow::globalVarRef("document").getAMethodCall("createElement").getArgument(0)
}
}

from HardCodedTagNameConfiguration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlow(source, sink)
module HardCodedTagNameFlow = DataFlow::Global<HardCodedTagNameConfig>;

from DataFlow::Node source, DataFlow::Node sink
where HardCodedTagNameFlow::flow(source, sink)
select source, sink

Further reading
5 changes: 4 additions & 1 deletion docs/codeql/codeql-language-guides/codeql-for-javascript.rst
@@ -18,6 +18,7 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
abstract-syntax-tree-classes-for-working-with-javascript-and-typescript-programs
data-flow-cheat-sheet-for-javascript
customizing-library-models-for-javascript
migrating-javascript-dataflow-queries

- :doc:`Basic query for JavaScript and TypeScript code <basic-query-for-javascript-code>`: Learn to write and run a simple CodeQL query.

@@ -37,4 +38,6 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat

- :doc:`Data flow cheat sheet for JavaScript <data-flow-cheat-sheet-for-javascript>`: This article describes parts of the JavaScript libraries commonly used for variant analysis and in data flow queries.

- :doc:`Customizing library models for JavaScript <customizing-library-models-for-javascript>`: You can model frameworks and libraries that your codebase depends on using data extensions and publish them as CodeQL model packs.
- :doc:`Customizing library models for JavaScript <customizing-library-models-for-javascript>`: You can model frameworks and libraries that your codebase depends on using data extensions and publish them as CodeQL model packs.

- :doc:`Migrating JavaScript dataflow queries <migrating-javascript-dataflow-queries>`: Guide on migrating data flow queries to the new data flow library.
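Review bot: the new toctree entry is titled "Migrating JavaScript dataflow queries" while its own description, the neighbouring entries and the rest of the guide spell it "data flow" as two words; consider "Migrating JavaScript data flow queries" for the link text (the page slug ``migrating-javascript-dataflow-queries`` can stay as is). The delete-and-re-add of the byte-identical "Customizing library models for JavaScript" line looks like a whitespace-only change, most likely a missing newline at end of file, which is fine but worth confirming so the 4 additions / 1 deletion count is not hiding anything else.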