Refactor categories utils

Author: knewbury01

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPPathInjectionQuery.qll

@@ -7,7 +7,11 @@
 import javascript
 import advanced_security.javascript.frameworks.cap.CDSUtils
 
-abstract class UtilsSink extends DataFlow::Node { }
+abstract class UtilsAccessedPathSink extends DataFlow::Node { }
+
+abstract class UtilsControlledDataSink extends DataFlow::Node { }
+
+abstract class UtilsControlledPathSink extends DataFlow::Node { }
 
 abstract class UtilsExtraFlow extends DataFlow::Node { }
 
@@ -21,12 +25,26 @@ abstract class UtilsExtraFlow extends DataFlow::Node { }
  * {foo:'bar'}
  * ```
  */
-class WrittenData extends UtilsSink {
+class WrittenData extends UtilsControlledDataSink {
   WrittenData() { exists(FileWriters fw | fw.getData() = this) }
 }
 
 /**
- * This represents the filepath in calls as follows:
+ * This represents the filepath accessed as an input for the data in calls as follows:
+ * ```javascript
+ * await copy('db/data').to('dist/db/data')
+ * ```
+ * sinks in this example are:
+ * ```javascript
+ * 'db/data'
+ * ```
+ */
+class AccessedPath extends UtilsAccessedPathSink {
+  AccessedPath() { exists(FileReaderWriters fw | fw.getFromPath() = this) }
+}
+
+/**
+ * This represents the filepath where data is written or a file operation is performed in calls as follows:
  * ```javascript
  * await write ({foo:'bar'}) .to ('some','file.json')
  * ```
@@ -36,11 +54,11 @@ class WrittenData extends UtilsSink {
  * 'file.json'
  * ```
  */
-class WrittenPath extends UtilsSink {
-  WrittenPath() {
+class ControlledInputPath extends UtilsControlledPathSink {
+  ControlledInputPath() {
     exists(FileReaders fw | fw.getPath() = this)
     or
-    exists(FileReaderWriters fw | fw.getPath() = this)
+    exists(FileReaderWriters fw | fw.getToPath() = this)
     or
     exists(FileWriters fw | fw.getPath() = this)
     or

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDSUtils.qll

@@ -129,12 +129,17 @@ class FileReaderWriters extends DataFlow::CallNode {
   }
 
   /**
-   * Gets the arguments to these calls that represent a path.
+   * Gets the arguments to these calls that represent a path from which data is read.
+   */
+  DataFlow::Node getFromPath() { this.getArgument(0) = result }
+
+  /**
+   * Gets the arguments to these calls that represent a path to which data is written.
    * Includes arguments to chained calls `to`, where that argument also represents a path.
    */
-  DataFlow::Node getPath() {
+  DataFlow::Node getToPath() {
     this.getAMemberCall("to").getArgument(_) = result
     or
-    this.getAnArgument() = result
+    this.getArgument(1) = result
   }
 }

javascript/frameworks/cap/test/models/cds/utils/utils.expected

@@ -3,36 +3,36 @@
 | utils.js:9:18:9:27 | "%E0%A4%A" | "%E0%A4%A": additional flow step |
 | utils.js:13:17:13:21 | 'app' | 'app': additional flow step |
 | utils.js:15:19:15:32 | 'package.json' | 'package.json': additional flow step |
-| utils.js:17:22:17:35 | 'package.json' | 'package.json': sink |
-| utils.js:19:26:19:39 | 'package.json' | 'package.json': sink |
-| utils.js:21:20:21:33 | 'package.json' | 'package.json': sink |
-| utils.js:23:20:23:33 | 'package.json' | 'package.json': sink |
-| utils.js:25:14:25:22 | 'db/data' | 'db/data': sink |
-| utils.js:25:28:25:41 | 'dist/db/data' | 'dist/db/data': sink |
-| utils.js:26:14:26:22 | 'db/data' | 'db/data': sink |
-| utils.js:26:25:26:38 | 'dist/db/data' | 'dist/db/data': sink |
-| utils.js:28:12:28:20 | 'db/data' | 'db/data': sink |
-| utils.js:28:26:28:39 | 'dist/db/data' | 'dist/db/data': sink |
-| utils.js:29:12:29:20 | 'db/data' | 'db/data': sink |
-| utils.js:29:23:29:36 | 'dist/db/data' | 'dist/db/data': sink |
-| utils.js:31:13:31:26 | { foo: 'bar' } | { foo: 'bar' }: sink |
-| utils.js:31:32:31:47 | 'some/file.json' | 'some/file.json': sink |
-| utils.js:32:13:32:28 | 'some/file.json' | 'some/file.json': sink |
-| utils.js:32:31:32:44 | { foo: 'bar' } | { foo: 'bar' }: sink |
-| utils.js:34:14:34:19 | 'dist' | 'dist': sink |
-| utils.js:34:22:34:25 | 'db' | 'db': sink |
-| utils.js:34:28:34:33 | 'data' | 'data': sink |
-| utils.js:35:14:35:27 | 'dist/db/data' | 'dist/db/data': sink |
-| utils.js:37:13:37:18 | 'dist' | 'dist': sink |
-| utils.js:37:21:37:24 | 'db' | 'db': sink |
-| utils.js:37:27:37:32 | 'data' | 'data': sink |
-| utils.js:38:13:38:26 | 'dist/db/data' | 'dist/db/data': sink |
-| utils.js:40:14:40:19 | 'dist' | 'dist': sink |
-| utils.js:40:22:40:25 | 'db' | 'db': sink |
-| utils.js:40:28:40:33 | 'data' | 'data': sink |
-| utils.js:41:14:41:27 | 'dist/db/data' | 'dist/db/data': sink |
-| utils.js:43:10:43:15 | 'dist' | 'dist': sink |
-| utils.js:43:18:43:21 | 'db' | 'db': sink |
-| utils.js:43:24:43:29 | 'data' | 'data': sink |
-| utils.js:44:10:44:23 | 'dist/db/data' | 'dist/db/data': sink |
-| utils.js:52:20:52:28 | 'db/data' | 'db/data': sink |
+| utils.js:17:22:17:35 | 'package.json' | 'package.json': controlled path sink |
+| utils.js:19:26:19:39 | 'package.json' | 'package.json': controlled path sink |
+| utils.js:21:20:21:33 | 'package.json' | 'package.json': controlled path sink |
+| utils.js:23:20:23:33 | 'package.json' | 'package.json': controlled path sink |
+| utils.js:25:14:25:22 | 'db/data' | 'db/data': controlled data sink |
+| utils.js:25:28:25:41 | 'dist/db/data' | 'dist/db/data': controlled path sink |
+| utils.js:26:14:26:22 | 'db/data' | 'db/data': controlled path sink |
+| utils.js:26:25:26:38 | 'dist/db/data' | 'dist/db/data': controlled data sink |
+| utils.js:28:12:28:20 | 'db/data' | 'db/data': accessed path sink |
+| utils.js:28:26:28:39 | 'dist/db/data' | 'dist/db/data': controlled path sink |
+| utils.js:29:12:29:20 | 'db/data' | 'db/data': accessed path sink |
+| utils.js:29:23:29:36 | 'dist/db/data' | 'dist/db/data': controlled path sink |
+| utils.js:31:13:31:26 | { foo: 'bar' } | { foo: 'bar' }: controlled data sink |
+| utils.js:31:32:31:47 | 'some/file.json' | 'some/file.json': controlled path sink |
+| utils.js:32:13:32:28 | 'some/file.json' | 'some/file.json': controlled path sink |
+| utils.js:32:31:32:44 | { foo: 'bar' } | { foo: 'bar' }: controlled data sink |
+| utils.js:34:14:34:19 | 'dist' | 'dist': controlled path sink |
+| utils.js:34:22:34:25 | 'db' | 'db': controlled path sink |
+| utils.js:34:28:34:33 | 'data' | 'data': controlled path sink |
+| utils.js:35:14:35:27 | 'dist/db/data' | 'dist/db/data': controlled path sink |
+| utils.js:37:13:37:18 | 'dist' | 'dist': controlled path sink |
+| utils.js:37:21:37:24 | 'db' | 'db': controlled path sink |
+| utils.js:37:27:37:32 | 'data' | 'data': controlled path sink |
+| utils.js:38:13:38:26 | 'dist/db/data' | 'dist/db/data': controlled path sink |
+| utils.js:40:14:40:19 | 'dist' | 'dist': controlled path sink |
+| utils.js:40:22:40:25 | 'db' | 'db': controlled path sink |
+| utils.js:40:28:40:33 | 'data' | 'data': controlled path sink |
+| utils.js:41:14:41:27 | 'dist/db/data' | 'dist/db/data': controlled path sink |
+| utils.js:43:10:43:15 | 'dist' | 'dist': controlled path sink |
+| utils.js:43:18:43:21 | 'db' | 'db': controlled path sink |
+| utils.js:43:24:43:29 | 'data' | 'data': controlled path sink |
+| utils.js:44:10:44:23 | 'dist/db/data' | 'dist/db/data': controlled path sink |
+| utils.js:52:20:52:28 | 'db/data' | 'db/data': controlled data sink |

javascript/frameworks/cap/test/models/cds/utils/utils.ql

@@ -3,7 +3,11 @@ import advanced_security.javascript.frameworks.cap.CAPPathInjectionQuery
 
 from DataFlow::Node node, string str, string strfull
 where
-  node.(UtilsSink).toString() = str and strfull = str + ": sink"
+  node.(UtilsControlledPathSink).toString() = str and strfull = str + ": controlled path sink"
+  or
+  node.(UtilsAccessedPathSink).toString() = str and strfull = str + ": accessed path sink"
+  or
+  node.(UtilsControlledDataSink).toString() = str and strfull = str + ": controlled data sink"
   or
   node.(UtilsExtraFlow).toString() = str and strfull = str + ": additional flow step"
 select node, strfull