-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathTaintMetrics.qll
More file actions
89 lines (84 loc) · 3.5 KB
/
TaintMetrics.qll
File metadata and controls
89 lines (84 loc) · 3.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
/**
* Provides predicates for measuring taint-tracking coverage.
*/
private import javascript
import meta.MetaMetrics
private import semmle.javascript.security.dataflow.ClientSideUrlRedirectCustomizations
private import semmle.javascript.security.dataflow.CodeInjectionCustomizations
private import semmle.javascript.security.dataflow.CommandInjectionCustomizations
private import semmle.javascript.security.dataflow.Xss as Xss
private import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
private import semmle.javascript.security.dataflow.PrototypePollutionCustomizations
private import semmle.javascript.security.dataflow.RegExpInjectionCustomizations
private import semmle.javascript.security.dataflow.RequestForgeryCustomizations
private import semmle.javascript.security.dataflow.ServerSideUrlRedirectCustomizations
private import semmle.javascript.security.dataflow.SqlInjectionCustomizations
private import semmle.javascript.security.dataflow.TaintedPathCustomizations
private import semmle.javascript.security.dataflow.UnsafeDeserializationCustomizations
private import semmle.javascript.security.dataflow.XmlBombCustomizations
private import semmle.javascript.security.dataflow.XpathInjectionCustomizations
private import semmle.javascript.security.dataflow.XxeCustomizations
private import semmle.javascript.security.dataflow.ZipSlipCustomizations
/**
* Gets a relevant taint sink.
*
* To ensure this metric isn't dominated by a few queries with a huge number of sinks,
* we only include sinks for queries that have fairly specific sinks and/or have high severity
* relative to the number of sinks.
*
* Examples of excluded queries:
* - UnsafeDynamicMethodAccess: high severity (RCE) but has way too many sinks (every callee).
* - ClearTextLogging: not severe enough relative to number of sinks.
*/
DataFlow::Node relevantTaintSink() {
not result.getFile() instanceof IgnoredFile and
(
result instanceof ClientSideUrlRedirect::Sink or
result instanceof CodeInjection::Sink or
result instanceof CommandInjection::Sink or
result instanceof Xss::Shared::Sink or
result instanceof NosqlInjection::Sink or
result instanceof PrototypePollution::Sink or
result instanceof RegExpInjection::Sink or
result instanceof RequestForgery::Sink or
result instanceof ServerSideUrlRedirect::Sink or
result instanceof SqlInjection::Sink or
result instanceof TaintedPath::Sink or
result instanceof UnsafeDeserialization::Sink or
result instanceof XmlBomb::Sink or
result instanceof XpathInjection::Sink or
result instanceof Xxe::Sink or
result instanceof ZipSlip::Sink
)
}
/**
* Gets a remote flow source or `document.location` source.
*/
DataFlow::Node relevantTaintSource() {
not result.getFile() instanceof IgnoredFile and
(
result instanceof RemoteFlowSource
or
result = DOM::locationSource()
)
}
/**
* Gets the output of a call that shows intent to sanitize a value
* (indicating a likely vulnerability if the sanitizer was removed).
*
* Currently we only recognize HTML sanitizers.
*/
DataFlow::Node relevantSanitizerOutput() {
result = any(HtmlSanitizerCall call) and
not result.getFile() instanceof IgnoredFile
}
/**
* Gets the input to a call that shows intent to sanitize a value
* (indicating a likely vulnerability if the sanitizer was removed).
*
* Currently we only recognize HTML sanitizers.
*/
DataFlow::Node relevantSanitizerInput() {
result = any(HtmlSanitizerCall call).getInput() and
not result.getFile() instanceof IgnoredFile
}