/**
 * Provides predicates for measuring taint-tracking coverage: the relevant remote
 * sources, security-query sinks and sanitizer calls used by the meta metrics.
*/
private import javascript
import meta.MetaMetrics
private import semmle.javascript.security.dataflow.ClientSideUrlRedirectCustomizations
private import semmle.javascript.security.dataflow.CodeInjectionCustomizations
private import semmle.javascript.security.dataflow.CommandInjectionCustomizations
private import semmle.javascript.security.dataflow.Xss as Xss
private import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
private import semmle.javascript.security.dataflow.PrototypePollutionCustomizations
private import semmle.javascript.security.dataflow.RegExpInjectionCustomizations
private import semmle.javascript.security.dataflow.RequestForgeryCustomizations
private import semmle.javascript.security.dataflow.ServerSideUrlRedirectCustomizations
private import semmle.javascript.security.dataflow.SqlInjectionCustomizations
private import semmle.javascript.security.dataflow.TaintedPathCustomizations
private import semmle.javascript.security.dataflow.UnsafeDeserializationCustomizations
private import semmle.javascript.security.dataflow.XmlBombCustomizations
private import semmle.javascript.security.dataflow.XpathInjectionCustomizations
private import semmle.javascript.security.dataflow.XxeCustomizations
private import semmle.javascript.security.dataflow.ZipSlipCustomizations
/**
 * Gets a relevant taint sink, with `kind` bound to the name of the
 * security-query module that defines the sink class. For XSS the sink class
 * is the shared `Xss::Shared::Sink`, and `kind` is `"Xss"`.
 *
 * This is a coverage metric, not a security query: membership here says
 * nothing about whether the sink is actually reachable from a source.
 *
 * To stop the metric being dominated by a few queries with a huge number of
 * sinks, only queries whose sinks are fairly specific and/or whose severity
 * is high relative to their sink count are included. Examples of excluded
 * queries:
 * - UnsafeDynamicMethodAccess: high severity (RCE) but far too many sinks
 *   (every callee).
 * - ClearTextLogging: not severe enough relative to the number of sinks.
 *
 * Sinks located in an `IgnoredFile` are excluded. Adding a query here needs
 * both a new case in `sinkOfKind` and the matching `...Customizations`
 * import at the top of this file.
 */
DataFlow::Node relevantTaintSink(string kind) {
  sinkOfKind(result, kind) and
  not exists(IgnoredFile ignored | ignored = result.getFile())
}

/** Holds if `node` is a sink of the security query identified by `kind`. */
private predicate sinkOfKind(DataFlow::Node node, string kind) {
  node instanceof ClientSideUrlRedirect::Sink and kind = "ClientSideUrlRedirect"
  or
  node instanceof CodeInjection::Sink and kind = "CodeInjection"
  or
  node instanceof CommandInjection::Sink and kind = "CommandInjection"
  or
  node instanceof Xss::Shared::Sink and kind = "Xss"
  or
  node instanceof NosqlInjection::Sink and kind = "NosqlInjection"
  or
  node instanceof PrototypePollution::Sink and kind = "PrototypePollution"
  or
  node instanceof RegExpInjection::Sink and kind = "RegExpInjection"
  or
  node instanceof RequestForgery::Sink and kind = "RequestForgery"
  or
  node instanceof ServerSideUrlRedirect::Sink and kind = "ServerSideUrlRedirect"
  or
  node instanceof SqlInjection::Sink and kind = "SqlInjection"
  or
  node instanceof TaintedPath::Sink and kind = "TaintedPath"
  or
  node instanceof UnsafeDeserialization::Sink and kind = "UnsafeDeserialization"
  or
  node instanceof XmlBomb::Sink and kind = "XmlBomb"
  or
  node instanceof XpathInjection::Sink and kind = "XpathInjection"
  or
  node instanceof Xxe::Sink and kind = "Xxe"
  or
  node instanceof ZipSlip::Sink and kind = "ZipSlip"
}
/**
 * Gets a relevant taint sink of any kind. See `relevantTaintSink/1` for the
 * selection criteria and the `IgnoredFile` exclusion.
 */
DataFlow::Node relevantTaintSink() { exists(string kind | result = relevantTaintSink(kind)) }
/**
 * Gets a relevant remote flow source: any `RemoteFlowSource` that is not
 * located in an `IgnoredFile`.
 *
 * Unlike `relevantTaintSink`, no per-query filtering is applied here; every
 * remote flow source outside ignored files is counted.
 */
RemoteFlowSource relevantTaintSource() {
  not exists(IgnoredFile ignored | ignored = result.getFile())
}
/**
 * Gets the output of a call that shows intent to sanitize a value, i.e. the
 * `HtmlSanitizerCall` node itself (indicating a likely vulnerability if the
 * sanitizer were removed).
 *
 * Only HTML sanitizers are recognized, so sanitization aimed at the other
 * sink kinds listed in `relevantTaintSink` is not counted. Calls located in
 * an `IgnoredFile` are excluded.
 */
DataFlow::Node relevantSanitizerOutput() {
  result instanceof HtmlSanitizerCall and
  not exists(IgnoredFile ignored | ignored = result.getFile())
}
/**
 * Gets the input to a call that shows intent to sanitize a value, i.e. the
 * argument of an `HtmlSanitizerCall` as reported by `getInput()` (indicating
 * a likely vulnerability if the sanitizer were removed).
 *
 * Only HTML sanitizers are recognized, so sanitization aimed at the other
 * sink kinds listed in `relevantTaintSink` is not counted. Inputs located in
 * an `IgnoredFile` are excluded.
 */
DataFlow::Node relevantSanitizerInput() {
  exists(HtmlSanitizerCall sanitizer | result = sanitizer.getInput()) and
  not exists(IgnoredFile ignored | ignored = result.getFile())
}