From 44dcf9e866081f871fa62061b29279104fc9efe0 Mon Sep 17 00:00:00 2001 From: Jeongsoo Lee Date: Fri, 28 Mar 2025 16:11:31 -0400 Subject: [PATCH 1/5] Remove uses of configuration of default queries in the custom queries --- .../frameworks/cap/CAPLogInjectionQuery.qll | 9 ++++++-- .../javascript/frameworks/ui5/UI5XssQuery.qll | 22 ++++++++++++------- .../frameworks/xsjs/XSJSReflectedXssQuery.qll | 6 ++--- .../frameworks/xsjs/XSJSSqlInjectionQuery.qll | 5 +++-- .../frameworks/xsjs/XSJSUrlRedirectQuery.qll | 6 ++--- 5 files changed, 30 insertions(+), 18 deletions(-) diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll index 5ef3a1d30..929995824 100644 --- a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll +++ b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll @@ -43,9 +43,14 @@ class CdsLogSink extends DataFlow::Node { } } -class CAPLogInjectionConfiguration extends LogInjectionConfiguration { +class CAPLogInjectionConfiguration extends TaintTracking::Configuration { + CAPLogInjectionConfiguration() { this = "CAP Log Injection" } + override predicate isSource(DataFlow::Node start) { - super.isSource(start) or + exists(LogInjectionConfiguration logInjectionConfiguration | + logInjectionConfiguration.isSource(start) + ) + or start instanceof RemoteFlowSource } diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll index 5fcd8023f..f0ce34972 100644 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll 
@@ -2,11 +2,14 @@ import javascript import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow as UI5DataFlow import advanced_security.javascript.frameworks.ui5.UI5View import semmle.javascript.security.dataflow.DomBasedXssQuery as DomBasedXss -import semmle.javascript.security.dataflow.ClientSideUrlRedirectCustomizations::ClientSideUrlRedirect as UrlRedirect -class Configuration extends DomBasedXss::Configuration { +class Configuration extends TaintTracking::Configuration { + Configuration() { this = "UI5 HTML Injection" } + override predicate isSource(DataFlow::Node start) { - super.isSource(start) + exists(DomBasedXss::Configuration domBasedXssConfiguration | + domBasedXssConfiguration.isSource(start) + ) or start instanceof RemoteFlowSource } @@ -16,7 +19,9 @@ class Configuration extends DomBasedXss::Configuration { DataFlow::FlowLabel outLabel ) { /* Already an additional flow step defined in `DomBasedXssQuery::Configuration` */ - super.isAdditionalFlowStep(start, end, inLabel, outLabel) + exists(DomBasedXss::Configuration domBasedXssConfiguration | + domBasedXssConfiguration.isAdditionalFlowStep(start, end, inLabel, outLabel) + ) or /* TODO: Legacy code */ /* Handler argument node to handler parameter */ @@ -34,7 +39,9 @@ class Configuration extends DomBasedXss::Configuration { override predicate isBarrier(DataFlow::Node node) { /* 1. Already a sanitizer defined in `DomBasedXssQuery::Configuration` */ - super.isSanitizer(node) + exists(DomBasedXss::Configuration domBasedXssConfiguration | + domBasedXssConfiguration.isSanitizer(node) + ) or /* 2. Value read from a non-string control property */ exists(PropertyMetadata m | not m.isUnrestrictedStringType() | node = m) @@ -56,7 +63,6 @@ class Configuration extends DomBasedXss::Configuration { override predicate isSink(DataFlow::Node node) { node instanceof UI5ExtHtmlISink or - node instanceof UrlRedirect::LocationSink or node instanceof UI5ModelHtmlISink } } 
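Review bot: Removing `node instanceof UrlRedirect::LocationSink` from `isSink` in the last hunk of this file (`@@ -56,7 +63,6 @@`) narrows what the UI5 query reports, because tainted values that reach a client-side location sink no longer produce an alert from this configuration. If that is deliberate, say so on the predicate, for example `/* Location sinks are intentionally excluded; they are left to the client-side URL redirect query. */`, and confirm that query is part of the suite run against UI5 code. The `XssTest.js:19` rows are dropped from `UI5Xss.expected` in the next commit and restored two commits later, so it is worth checking which sink actually produces them; the test source is not shown here.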
@@ -64,13 +70,13 @@ class Configuration extends DomBasedXss::Configuration { /** * An HTML injection sink associated with a `UI5BoundNode`, typically for library controls acting as sinks. */ -class UI5ModelHtmlISink extends DomBasedXss::Sink { +class UI5ModelHtmlISink extends DataFlow::Node { UI5ModelHtmlISink() { exists(UI5View view | view.getAnHtmlISink().getNode() = this) } } /** * An HTML injection sink typically for custom controls whose RenderManager calls acting as sinks. */ -private class UI5ExtHtmlISink extends DomBasedXss::Sink { +private class UI5ExtHtmlISink extends DataFlow::Node { UI5ExtHtmlISink() { this = ModelOutput::getASinkNode("ui5-html-injection").asSink() } } diff --git a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll index 8ffdd3643..db63d223f 100644 --- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll +++ b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll @@ -17,13 +17,13 @@ class Configuration extends TaintTracking::Configuration { Configuration() { this = "XSJS Reflected XSS Query" } override predicate isSource(DataFlow::Node start) { - super.isSource(start) or + exists(DomBasedXss::Configuration domBasedXssConfiguration | + domBasedXssConfiguration.isSource(start) + ) or start instanceof RemoteFlowSource } override predicate isSink(DataFlow::Node end) { - super.isSink(end) - or exists(XSJSResponseSetBodyCall setBody, XSJSResponse thisOrAnotherXSJSResponse | thisOrAnotherXSJSResponse = setBody.getParentXSJSResponse() or thisOrAnotherXSJSResponse = setBody.getParentXSJSResponse().getAPredOrSuccResponse() 
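Review bot: The doc comments on `UI5ModelHtmlISink` and `UI5ExtHtmlISink` no longer explain how these nodes become sinks now that both classes extend `DataFlow::Node` instead of `DomBasedXss::Sink`. After this hunk they are reported only where a configuration names them in `isSink`, and nothing that quantifies over `DomBasedXss::Sink` will pick them up. I would add one sentence to each comment, such as `Not a DomBasedXss::Sink: only configurations that list this class in isSink report it.` `UI5ModelHtmlISink` is public, so any library outside this diff that relied on it being a `DomBasedXss::Sink` would lose results without a compile error; a search for its uses before merging would rule that out.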
diff --git a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll index 5b8e878ed..76231c794 100644 --- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll +++ b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll @@ -16,12 +16,13 @@ class Configuration extends TaintTracking::Configuration { Configuration() { this = "XSJS SQL Injection Query" } override predicate isSource(DataFlow::Node start) { - super.isSource(start) or + exists(SqlInjection::Configuration sqlInjectionConfiguration | + sqlInjectionConfiguration.isSource(start) + ) or start instanceof RemoteFlowSource } override predicate isSink(DataFlow::Node end) { - super.isSink(end) or end.(XSJSDBConnectionPrepareStatementArgument).isConcatenated() } } diff --git a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll index b65384ca3..fc37380bf 100644 --- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll +++ b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll @@ -6,13 +6,13 @@ class Configuration extends TaintTracking::Configuration { Configuration() { this = "XSJS URL Redirect Query" } override predicate isSource(DataFlow::Node start) { - super.isSource(start) or + exists(UrlRedirect::Configuration urlRedirectConfiguration | + urlRedirectConfiguration.isSource(start) + ) or start instanceof RemoteFlowSource } override predicate isSink(DataFlow::Node end) { - super.isSink(end) - or exists(XSJSRequestOrResponseHeaders headers | end = headers.getHeaderSetCall("location").getArgument(1) ) 
From a6509fe68067334334b3c8c8a77c68856de10332 Mon Sep 17 00:00:00 2001 From: Jeongsoo Lee Date: Fri, 28 Mar 2025 17:55:33 -0400 Subject: [PATCH 2/5] Update expected results of `UI5Xss` --- .../test/queries/UI5Xss/avoid-duplicate-alerts/UI5Xss.expected | 2 -- 1 file changed, 2 deletions(-) diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/UI5Xss.expected index 2081b0e31..95c99043e 100644 --- a/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/UI5Xss.expected +++ b/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/UI5Xss.expected @@ -12,7 +12,6 @@ nodes | XssTest.js:18:9:18:44 | value1 | | XssTest.js:18:18:18:44 | jQuery. ... (value) | | XssTest.js:18:39:18:43 | value | -| XssTest.js:19:20:19:25 | value1 | | XssTest.js:20:27:20:32 | value1 | edges | XssTest.js:3:9:3:50 | value | XssTest.js:4:20:4:24 | value | @@ -23,7 +22,6 @@ edges | XssTest.js:10:17:10:40 | documen ... .search | XssTest.js:10:9:10:40 | value | | XssTest.js:17:9:17:40 | value | XssTest.js:18:39:18:43 | value | | XssTest.js:17:17:17:40 | documen ... .search | XssTest.js:17:9:17:40 | value | -| XssTest.js:18:9:18:44 | value1 | XssTest.js:19:20:19:25 | value1 | | XssTest.js:18:9:18:44 | value1 | XssTest.js:20:27:20:32 | value1 | | XssTest.js:18:18:18:44 | jQuery. ... (value) | XssTest.js:18:9:18:44 | value1 | | XssTest.js:18:39:18:43 | value | XssTest.js:18:18:18:44 | jQuery. ... (value) | From c4eb9a4d9e4a2e322fd113fbe3c66ce3f6600d7b Mon Sep 17 00:00:00 2001 
From: Jeongsoo Lee Date: Thu, 3 Apr 2025 15:10:50 -0400 Subject: [PATCH 3/5] Make the `TaintTracking::Configuration` s extend the default configurations again --- .../frameworks/cap/CAPLogInjectionQuery.qll | 6 ++---- .../javascript/frameworks/ui5/UI5XssQuery.qll | 14 ++++---------- .../frameworks/xsjs/XSJSReflectedXssQuery.qll | 6 ++---- .../frameworks/xsjs/XSJSSqlInjectionQuery.qll | 7 +++---- .../frameworks/xsjs/XSJSUrlRedirectQuery.qll | 7 +++---- 5 files changed, 14 insertions(+), 26 deletions(-) diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll index 929995824..8dd17275e 100644 --- a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll +++ b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll @@ -43,13 +43,11 @@ class CdsLogSink extends DataFlow::Node { } } -class CAPLogInjectionConfiguration extends TaintTracking::Configuration { +class CAPLogInjectionConfiguration extends LogInjectionConfiguration { CAPLogInjectionConfiguration() { this = "CAP Log Injection" } override predicate isSource(DataFlow::Node start) { - exists(LogInjectionConfiguration logInjectionConfiguration | - logInjectionConfiguration.isSource(start) - ) + super.isSource(start) or start instanceof RemoteFlowSource } diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll index f0ce34972..73e3b06bd 100644 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll 
@@ -3,13 +3,11 @@ import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow as UI5DataF import advanced_security.javascript.frameworks.ui5.UI5View import semmle.javascript.security.dataflow.DomBasedXssQuery as DomBasedXss -class Configuration extends TaintTracking::Configuration { +class Configuration extends DomBasedXss::Configuration { Configuration() { this = "UI5 HTML Injection" } override predicate isSource(DataFlow::Node start) { - exists(DomBasedXss::Configuration domBasedXssConfiguration | - domBasedXssConfiguration.isSource(start) - ) + super.isSource(start) or start instanceof RemoteFlowSource } @@ -19,9 +17,7 @@ class Configuration extends TaintTracking::Configuration { DataFlow::FlowLabel outLabel ) { /* Already an additional flow step defined in `DomBasedXssQuery::Configuration` */ - exists(DomBasedXss::Configuration domBasedXssConfiguration | - domBasedXssConfiguration.isAdditionalFlowStep(start, end, inLabel, outLabel) - ) + super.isAdditionalFlowStep(start, end, inLabel, outLabel) or /* TODO: Legacy code */ /* Handler argument node to handler parameter */ @@ -39,9 +35,7 @@ class Configuration extends TaintTracking::Configuration { override predicate isBarrier(DataFlow::Node node) { /* 1. Already a sanitizer defined in `DomBasedXssQuery::Configuration` */ - exists(DomBasedXss::Configuration domBasedXssConfiguration | - domBasedXssConfiguration.isSanitizer(node) - ) + super.isSanitizer(node) or /* 2. Value read from a non-string control property */ exists(PropertyMetadata m | not m.isUnrestrictedStringType() | node = m) diff --git a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll index db63d223f..d9c541ca1 100644 --- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll 
+++ b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll @@ -13,13 +13,11 @@ class XSJSResponseSetBodyCall extends MethodCallNode { XSJSResponse getParentXSJSResponse() { result = response } } -class Configuration extends TaintTracking::Configuration { +class Configuration extends DomBasedXss::Configuration { Configuration() { this = "XSJS Reflected XSS Query" } override predicate isSource(DataFlow::Node start) { - exists(DomBasedXss::Configuration domBasedXssConfiguration | - domBasedXssConfiguration.isSource(start) - ) or + super.isSource(start) or start instanceof RemoteFlowSource } diff --git a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll index 76231c794..7f9fcaafa 100644 --- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll +++ b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll @@ -12,13 +12,12 @@ class XSJSDBConnectionPrepareStatementArgument extends DataFlow::ValueNode { predicate isConcatenated() { this.getAPredecessor+() instanceof StringOps::ConcatenationNode } } -class Configuration extends TaintTracking::Configuration { +class Configuration extends SqlInjection::Configuration { Configuration() { this = "XSJS SQL Injection Query" } override predicate isSource(DataFlow::Node start) { - exists(SqlInjection::Configuration sqlInjectionConfiguration | - sqlInjectionConfiguration.isSource(start) - ) or + super.isSource(start) + or start instanceof RemoteFlowSource } diff --git a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll index fc37380bf..6c65065ed 100644 
--- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll +++ b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll @@ -2,13 +2,12 @@ import javascript import advanced_security.javascript.frameworks.xsjs.AsyncXSJS import semmle.javascript.security.dataflow.ServerSideUrlRedirectQuery as UrlRedirect -class Configuration extends TaintTracking::Configuration { +class Configuration extends UrlRedirect::Configuration { Configuration() { this = "XSJS URL Redirect Query" } override predicate isSource(DataFlow::Node start) { - exists(UrlRedirect::Configuration urlRedirectConfiguration | - urlRedirectConfiguration.isSource(start) - ) or + super.isSource(start) + or start instanceof RemoteFlowSource } From cab928d554cb5734db1ec31701504d656b28cdd9 Mon Sep 17 00:00:00 2001 From: Jeongsoo Lee Date: Thu, 3 Apr 2025 15:54:28 -0400 Subject: [PATCH 4/5] Remove the overriding characteristic predicates --- .../javascript/frameworks/cap/CAPLogInjectionQuery.qll | 2 -- .../javascript/frameworks/ui5/UI5XssQuery.qll | 2 -- .../queries/UI5Xss/avoid-duplicate-alerts/UI5Xss.expected | 2 ++ .../javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll | 6 ++---- .../javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll | 2 -- .../javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll | 2 -- 6 files changed, 4 insertions(+), 12 deletions(-) diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll index 8dd17275e..f207e4435 100644 --- a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll +++ b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll 
@@ -44,8 +44,6 @@ class CdsLogSink extends DataFlow::Node { } class CAPLogInjectionConfiguration extends LogInjectionConfiguration { - CAPLogInjectionConfiguration() { this = "CAP Log Injection" } - override predicate isSource(DataFlow::Node start) { super.isSource(start) or diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll index 73e3b06bd..7261e4587 100644 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll @@ -4,8 +4,6 @@ import advanced_security.javascript.frameworks.ui5.UI5View import semmle.javascript.security.dataflow.DomBasedXssQuery as DomBasedXss class Configuration extends DomBasedXss::Configuration { - Configuration() { this = "UI5 HTML Injection" } - override predicate isSource(DataFlow::Node start) { super.isSource(start) or diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/UI5Xss.expected index 95c99043e..2081b0e31 100644 --- a/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/UI5Xss.expected +++ b/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/UI5Xss.expected @@ -12,6 +12,7 @@ nodes | XssTest.js:18:9:18:44 | value1 | | XssTest.js:18:18:18:44 | jQuery. ... (value) | | XssTest.js:18:39:18:43 | value | +| XssTest.js:19:20:19:25 | value1 | | XssTest.js:20:27:20:32 | value1 | edges | XssTest.js:3:9:3:50 | value | XssTest.js:4:20:4:24 | value | 
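Review bot: With the characteristic predicate removed, `CAPLogInjectionConfiguration` has no restriction of its own, so by QL class semantics it should cover the same configuration value as `LogInjectionConfiguration`, and its overrides then apply to the standard configuration in every query that imports this library. That is presumably the intent after the previous commit, but nothing at the class header says so; a doc comment would make it explicit, for example `/** Refines the standard LogInjectionConfiguration in place (no characteristic predicate): the overrides below apply to it wherever this library is imported. */`. The same applies to the `Configuration` classes in `UI5XssQuery.qll`, `XSJSReflectedXssQuery.qll`, `XSJSSqlInjectionQuery.qll` and `XSJSUrlRedirectQuery.qll` changed in this commit. Where `isSink` is overridden without `super.isSink(...)`, as the earlier hunks for the UI5 and XSJS files show, the inherited standard sinks are replaced rather than extended, and the comment should state that too. The class bodies continue outside these hunks.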
@@ -22,6 +23,7 @@ edges | XssTest.js:10:17:10:40 | documen ... .search | XssTest.js:10:9:10:40 | value | | XssTest.js:17:9:17:40 | value | XssTest.js:18:39:18:43 | value | | XssTest.js:17:17:17:40 | documen ... .search | XssTest.js:17:9:17:40 | value | +| XssTest.js:18:9:18:44 | value1 | XssTest.js:19:20:19:25 | value1 | | XssTest.js:18:9:18:44 | value1 | XssTest.js:20:27:20:32 | value1 | | XssTest.js:18:18:18:44 | jQuery. ... (value) | XssTest.js:18:9:18:44 | value1 | | XssTest.js:18:39:18:43 | value | XssTest.js:18:18:18:44 | jQuery. ... (value) | diff --git a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll index d9c541ca1..1ebfea821 100644 --- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll +++ b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll @@ -1,6 +1,6 @@ import javascript import advanced_security.javascript.frameworks.xsjs.AsyncXSJS -import semmle.javascript.security.dataflow.DomBasedXssQuery as DomBasedXss +import semmle.javascript.security.dataflow.ReflectedXssQuery as ReflectedXssQuery class XSJSResponseSetBodyCall extends MethodCallNode { XSJSResponse response; @@ -13,9 +13,7 @@ class XSJSResponseSetBodyCall extends MethodCallNode { XSJSResponse getParentXSJSResponse() { result = response } } -class Configuration extends DomBasedXss::Configuration { - Configuration() { this = "XSJS Reflected XSS Query" } - +class Configuration extends ReflectedXssQuery::Configuration { override predicate isSource(DataFlow::Node start) { super.isSource(start) or start instanceof RemoteFlowSource 
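Review bot: The alias in the new import of `XSJSReflectedXssQuery.qll` repeats the module name, while the sibling libraries in this series use short aliases (`DomBasedXss`, `UrlRedirect`, `SqlInjection`). For consistency I would write `import semmle.javascript.security.dataflow.ReflectedXssQuery as ReflectedXss` and `class Configuration extends ReflectedXss::Configuration`. The base also changes from the DOM-based to the reflected XSS configuration in the same commit, which changes the inherited sources and sanitizers. A one-line comment on the class, such as `/* XSJS handlers run server-side, so this refines the reflected XSS configuration rather than the DOM-based one. */`, would record the reason, if that is indeed the reason. The class body continues outside the hunk.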
diff --git a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll index 7f9fcaafa..6e2b1fc25 100644 --- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll +++ b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll @@ -13,8 +13,6 @@ class XSJSDBConnectionPrepareStatementArgument extends DataFlow::ValueNode { } class Configuration extends SqlInjection::Configuration { - Configuration() { this = "XSJS SQL Injection Query" } - override predicate isSource(DataFlow::Node start) { super.isSource(start) or diff --git a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll index 6c65065ed..83bdadff7 100644 --- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll +++ b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll @@ -3,8 +3,6 @@ import advanced_security.javascript.frameworks.xsjs.AsyncXSJS import semmle.javascript.security.dataflow.ServerSideUrlRedirectQuery as UrlRedirect class Configuration extends UrlRedirect::Configuration { - Configuration() { this = "XSJS URL Redirect Query" } - override predicate isSource(DataFlow::Node start) { super.isSource(start) or From 883aed5e1cd5eb64912c2c2693ac0f4e718f59cf Mon Sep 17 00:00:00 2001 From: Jeongsoo Lee Date: Thu, 3 Apr 2025 16:12:44 -0400 Subject: [PATCH 5/5] Update .expected of `XSJSReflectedXss` --- .../XSJSReflectedXss.expected | 33 ------------------- 1 file changed, 33 deletions(-) 
diff --git a/javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.expected b/javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.expected index 07e5fa02f..e4135b83f 100644 --- a/javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.expected +++ b/javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.expected 
@@ -3,49 +3,16 @@ WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSR WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSReflectedXss.ql:17,55-73) nodes | XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 | -| XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 | -| XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | -| XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | | XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | | XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) | | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) | -| XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) | -| XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) | -| XSJSReflectedXss.xsjs:13:46:13:64 | someParameterValue1 | | XSJSReflectedXss.xsjs:13:46:13:64 | someParameterValue1 | -| XSJSReflectedXss.xsjs:21:7:21:67 | someParameterValue2 | -| XSJSReflectedXss.xsjs:21:29:21:67 | request ... eter2") | -| XSJSReflectedXss.xsjs:21:29:21:67 | request ... eter2") | -| XSJSReflectedXss.xsjs:23:22:23:65 | request ... Value2) | -| XSJSReflectedXss.xsjs:23:22:23:65 | request ... Value2) | -| XSJSReflectedXss.xsjs:23:46:23:64 | someParameterValue2 | -| XSJSReflectedXss.xsjs:31:7:31:67 | someParameterValue3 | -| XSJSReflectedXss.xsjs:31:29:31:67 | request ... eter3") | -| XSJSReflectedXss.xsjs:31:29:31:67 | request ... eter3") | -| XSJSReflectedXss.xsjs:32:22:32:65 | request ... Value3) | -| XSJSReflectedXss.xsjs:32:22:32:65 | request ... Value3) | -| XSJSReflectedXss.xsjs:32:46:32:64 | someParameterValue3 | edges | XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 | XSJSReflectedXss.xsjs:13:46:13:64 | someParameterValue1 | -| XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 | XSJSReflectedXss.xsjs:13:46:13:64 | someParameterValue1 | -| XSJSReflectedXss.xsjs:11:29:11:67 | request ... 
eter1") | XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 | -| XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 | | XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 | | XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 | | XSJSReflectedXss.xsjs:13:46:13:64 | someParameterValue1 | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) | | XSJSReflectedXss.xsjs:13:46:13:64 | someParameterValue1 | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) | -| XSJSReflectedXss.xsjs:13:46:13:64 | someParameterValue1 | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) | -| XSJSReflectedXss.xsjs:13:46:13:64 | someParameterValue1 | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) | -| XSJSReflectedXss.xsjs:21:7:21:67 | someParameterValue2 | XSJSReflectedXss.xsjs:23:46:23:64 | someParameterValue2 | -| XSJSReflectedXss.xsjs:21:29:21:67 | request ... eter2") | XSJSReflectedXss.xsjs:21:7:21:67 | someParameterValue2 | -| XSJSReflectedXss.xsjs:21:29:21:67 | request ... eter2") | XSJSReflectedXss.xsjs:21:7:21:67 | someParameterValue2 | -| XSJSReflectedXss.xsjs:23:46:23:64 | someParameterValue2 | XSJSReflectedXss.xsjs:23:22:23:65 | request ... Value2) | -| XSJSReflectedXss.xsjs:23:46:23:64 | someParameterValue2 | XSJSReflectedXss.xsjs:23:22:23:65 | request ... Value2) | -| XSJSReflectedXss.xsjs:31:7:31:67 | someParameterValue3 | XSJSReflectedXss.xsjs:32:46:32:64 | someParameterValue3 | -| XSJSReflectedXss.xsjs:31:29:31:67 | request ... eter3") | XSJSReflectedXss.xsjs:31:7:31:67 | someParameterValue3 | -| XSJSReflectedXss.xsjs:31:29:31:67 | request ... eter3") | XSJSReflectedXss.xsjs:31:7:31:67 | someParameterValue3 | -| XSJSReflectedXss.xsjs:32:46:32:64 | someParameterValue3 | XSJSReflectedXss.xsjs:32:22:32:65 | request ... 
Value3) | -| XSJSReflectedXss.xsjs:32:46:32:64 | someParameterValue3 | XSJSReflectedXss.xsjs:32:22:32:65 | request ... Value3) | #select | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) | XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) | Reflected XSS vulnerability due to $@. | XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | user-provided value |