
Commit c25f324

committed
Upgrade dataflow library XSJSSqlInjection
1 parent d0bd315 commit c25f324


3 files changed

+37
-38
lines changed


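--- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll
+++ b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll
@@ -12,14 +12,20 @@ class XSJSDBConnectionPrepareStatementArgument extends DataFlow::ValueNode {
 predicate isConcatenated() { this.getAPredecessor+() instanceof StringOps::ConcatenationNode }
 }
 
-class Configuration extends SqlInjection::Configuration {
-override predicate isSource(DataFlow::Node start) {
-super.isSource(start)
+module Configuration implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node start) {
+SqlInjection::SqlInjectionConfig::isSource(start)
 or
 start instanceof RemoteFlowSource
 }
 
-override predicate isSink(DataFlow::Node end) {
+predicate isSink(DataFlow::Node end) {
 end.(XSJSDBConnectionPrepareStatementArgument).isConcatenated()
 }
+
+predicate isBarrier(DataFlow::Node node) { SqlInjection::SqlInjectionConfig::isBarrier(node) }
+
+predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+SqlInjection::SqlInjectionConfig::isAdditionalFlowStep(node1, node2)
+}
 }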
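Review bot: The new `Configuration` module hand-copies only `isSource`, `isBarrier` and `isAdditionalFlowStep` from `SqlInjection::SqlInjectionConfig`, so unlike the removed `extends SqlInjection::Configuration` it inherits nothing. Any restriction the upstream config expresses through another signature predicate (an `isBarrierIn`, for instance), now or later, will not apply to this query, and nothing in the file records that. I would add a QLDoc comment above the module, e.g. `/** Taint configuration for concatenated XSJSDBConnectionPrepareStatementArgument sinks; sources, barriers and extra steps are delegated to SqlInjectionConfig and must be kept in sync with it. */`. Separately, the `or start instanceof RemoteFlowSource` disjunct on new lines 18-19 looks redundant if the upstream source set already covers remote sources; if it does, drop it so that source selection stays under upstream control.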

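--- a/javascript/frameworks/xsjs/src/XSJSSqlInjection/XSJSSqlInjection.ql
+++ b/javascript/frameworks/xsjs/src/XSJSSqlInjection/XSJSSqlInjection.ql
@@ -12,8 +12,11 @@
 
 import javascript
 import advanced_security.javascript.frameworks.xsjs.XSJSSqlInjectionQuery
-import DataFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+module ConfigurationFlow = TaintTracking::Global<Configuration>;
+
+import ConfigurationFlow::PathGraph
+
+from ConfigurationFlow::PathNode source, ConfigurationFlow::PathNode sink
+where ConfigurationFlow::flowPath(source, sink)
 select sink, source, sink, "This query depends on a $@.", source, "user-provided value"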
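Review bot: `module ConfigurationFlow = TaintTracking::Global<Configuration>;` on new line 16 is instantiated in the query file, so the library exports only a bare `DataFlow::ConfigSig` and any other consumer has to know it must be run with taint tracking. The sink is defined in terms of string concatenation, so instantiating the same config with `DataFlow::Global` would most likely find no paths and fail silently. I would move that line into XSJSSqlInjectionQuery.qll next to `Configuration` and keep only `import ConfigurationFlow::PathGraph` here, so the config and its intended flow mode ship together. A name tied to the query rather than the generic `ConfigurationFlow` would also read better in path explanations.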
Lines changed: 21 additions & 31 deletions
@@ -1,35 +1,25 @@
1-
WARNING: module 'PathGraph' has been deprecated and may be removed in future (XSJSSqlInjection.ql:15,8-27)
2-
WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSSqlInjection.ql:17,28-46)
3-
WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSSqlInjection.ql:17,55-73)
4-
nodes
5-
| XSJSSqlInjection.xsjs:8:7:8:79 | someParameterValue1 |
6-
| XSJSSqlInjection.xsjs:8:29:8:79 | JSON.pa ... ter1")) |
7-
| XSJSSqlInjection.xsjs:8:40:8:78 | request ... eter1") |
8-
| XSJSSqlInjection.xsjs:8:40:8:78 | request ... eter1") |
9-
| XSJSSqlInjection.xsjs:9:7:9:79 | someParameterValue2 |
10-
| XSJSSqlInjection.xsjs:9:29:9:79 | JSON.pa ... ter2")) |
11-
| XSJSSqlInjection.xsjs:9:40:9:78 | request ... eter2") |
12-
| XSJSSqlInjection.xsjs:9:40:9:78 | request ... eter2") |
13-
| XSJSSqlInjection.xsjs:10:7:10:106 | query |
14-
| XSJSSqlInjection.xsjs:10:15:10:106 | "INSERT ... 2 + ")" |
15-
| XSJSSqlInjection.xsjs:10:32:10:50 | someParameterValue1 |
16-
| XSJSSqlInjection.xsjs:10:82:10:100 | someParameterValue2 |
17-
| XSJSSqlInjection.xsjs:13:57:13:61 | query |
18-
| XSJSSqlInjection.xsjs:13:57:13:61 | query |
191
edges
20-
| XSJSSqlInjection.xsjs:8:7:8:79 | someParameterValue1 | XSJSSqlInjection.xsjs:10:32:10:50 | someParameterValue1 |
21-
| XSJSSqlInjection.xsjs:8:29:8:79 | JSON.pa ... ter1")) | XSJSSqlInjection.xsjs:8:7:8:79 | someParameterValue1 |
22-
| XSJSSqlInjection.xsjs:8:40:8:78 | request ... eter1") | XSJSSqlInjection.xsjs:8:29:8:79 | JSON.pa ... ter1")) |
23-
| XSJSSqlInjection.xsjs:8:40:8:78 | request ... eter1") | XSJSSqlInjection.xsjs:8:29:8:79 | JSON.pa ... ter1")) |
24-
| XSJSSqlInjection.xsjs:9:7:9:79 | someParameterValue2 | XSJSSqlInjection.xsjs:10:82:10:100 | someParameterValue2 |
25-
| XSJSSqlInjection.xsjs:9:29:9:79 | JSON.pa ... ter2")) | XSJSSqlInjection.xsjs:9:7:9:79 | someParameterValue2 |
26-
| XSJSSqlInjection.xsjs:9:40:9:78 | request ... eter2") | XSJSSqlInjection.xsjs:9:29:9:79 | JSON.pa ... ter2")) |
27-
| XSJSSqlInjection.xsjs:9:40:9:78 | request ... eter2") | XSJSSqlInjection.xsjs:9:29:9:79 | JSON.pa ... ter2")) |
28-
| XSJSSqlInjection.xsjs:10:7:10:106 | query | XSJSSqlInjection.xsjs:13:57:13:61 | query |
29-
| XSJSSqlInjection.xsjs:10:7:10:106 | query | XSJSSqlInjection.xsjs:13:57:13:61 | query |
30-
| XSJSSqlInjection.xsjs:10:15:10:106 | "INSERT ... 2 + ")" | XSJSSqlInjection.xsjs:10:7:10:106 | query |
31-
| XSJSSqlInjection.xsjs:10:32:10:50 | someParameterValue1 | XSJSSqlInjection.xsjs:10:15:10:106 | "INSERT ... 2 + ")" |
32-
| XSJSSqlInjection.xsjs:10:82:10:100 | someParameterValue2 | XSJSSqlInjection.xsjs:10:15:10:106 | "INSERT ... 2 + ")" |
2+
| XSJSSqlInjection.xsjs:8:7:8:79 | someParameterValue1 | XSJSSqlInjection.xsjs:10:32:10:50 | someParameterValue1 | provenance | |
3+
| XSJSSqlInjection.xsjs:8:29:8:79 | JSON.pa ... ter1")) | XSJSSqlInjection.xsjs:8:7:8:79 | someParameterValue1 | provenance | |
4+
| XSJSSqlInjection.xsjs:8:40:8:78 | request ... eter1") | XSJSSqlInjection.xsjs:8:29:8:79 | JSON.pa ... ter1")) | provenance | |
5+
| XSJSSqlInjection.xsjs:9:7:9:79 | someParameterValue2 | XSJSSqlInjection.xsjs:10:82:10:100 | someParameterValue2 | provenance | |
6+
| XSJSSqlInjection.xsjs:9:29:9:79 | JSON.pa ... ter2")) | XSJSSqlInjection.xsjs:9:7:9:79 | someParameterValue2 | provenance | |
7+
| XSJSSqlInjection.xsjs:9:40:9:78 | request ... eter2") | XSJSSqlInjection.xsjs:9:29:9:79 | JSON.pa ... ter2")) | provenance | |
8+
| XSJSSqlInjection.xsjs:10:7:10:106 | query | XSJSSqlInjection.xsjs:13:57:13:61 | query | provenance | |
9+
| XSJSSqlInjection.xsjs:10:32:10:50 | someParameterValue1 | XSJSSqlInjection.xsjs:10:7:10:106 | query | provenance | |
10+
| XSJSSqlInjection.xsjs:10:82:10:100 | someParameterValue2 | XSJSSqlInjection.xsjs:10:7:10:106 | query | provenance | |
11+
nodes
12+
| XSJSSqlInjection.xsjs:8:7:8:79 | someParameterValue1 | semmle.label | someParameterValue1 |
13+
| XSJSSqlInjection.xsjs:8:29:8:79 | JSON.pa ... ter1")) | semmle.label | JSON.pa ... ter1")) |
14+
| XSJSSqlInjection.xsjs:8:40:8:78 | request ... eter1") | semmle.label | request ... eter1") |
15+
| XSJSSqlInjection.xsjs:9:7:9:79 | someParameterValue2 | semmle.label | someParameterValue2 |
16+
| XSJSSqlInjection.xsjs:9:29:9:79 | JSON.pa ... ter2")) | semmle.label | JSON.pa ... ter2")) |
17+
| XSJSSqlInjection.xsjs:9:40:9:78 | request ... eter2") | semmle.label | request ... eter2") |
18+
| XSJSSqlInjection.xsjs:10:7:10:106 | query | semmle.label | query |
19+
| XSJSSqlInjection.xsjs:10:32:10:50 | someParameterValue1 | semmle.label | someParameterValue1 |
20+
| XSJSSqlInjection.xsjs:10:82:10:100 | someParameterValue2 | semmle.label | someParameterValue2 |
21+
| XSJSSqlInjection.xsjs:13:57:13:61 | query | semmle.label | query |
22+
subpaths
3323
#select
3424
| XSJSSqlInjection.xsjs:13:57:13:61 | query | XSJSSqlInjection.xsjs:8:40:8:78 | request ... eter1") | XSJSSqlInjection.xsjs:13:57:13:61 | query | This query depends on a $@. | XSJSSqlInjection.xsjs:8:40:8:78 | request ... eter1") | user-provided value |
3525
| XSJSSqlInjection.xsjs:13:57:13:61 | query | XSJSSqlInjection.xsjs:9:40:9:78 | request ... eter2") | XSJSSqlInjection.xsjs:13:57:13:61 | query | This query depends on a $@. | XSJSSqlInjection.xsjs:9:40:9:78 | request ... eter2") | user-provided value |
