forked from github/codeql
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCodeInjectionQuery.qll
54 lines (42 loc) · 1.72 KB
/
CodeInjectionQuery.qll
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
/**
* Provides a taint-tracking configuration for reasoning about code
* injection vulnerabilities.
*
* Note, for performance reasons: only import this file if
* `CodeInjection::Configuration` is needed, otherwise
* `CodeInjectionCustomizations` should be imported instead.
*/
import javascript
import CodeInjectionCustomizations::CodeInjection
/**
* A taint-tracking configuration for reasoning about code injection vulnerabilities.
*/
module CodeInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
// HTML sanitizers are insufficient protection against code injection
node1 = node2.(HtmlSanitizerCall).getInput()
}
predicate observeDiffInformedIncrementalMode() { any() }
}
/**
* Taint-tracking for reasoning about code injection vulnerabilities.
*/
module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;
/**
* DEPRRECATED. Use the `CodeInjectionFlow` module instead.
*/
deprecated class Configuration extends TaintTracking::Configuration {
Configuration() { this = "CodeInjection" }
override predicate isSource(DataFlow::Node source) { source instanceof Source }
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
override predicate isSanitizer(DataFlow::Node node) {
super.isSanitizer(node) or
node instanceof Sanitizer
}
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
CodeInjectionConfig::isAdditionalFlowStep(node1, node2)
}
}