38 changes: 35 additions & 3 deletions javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
Expand Up @@ -881,14 +881,29 @@ class PathNode extends TPathNode {
/** Gets the summary of the path underlying this path node. */
PathSummary getPathSummary() { result = summary }

/** Gets a successor node of this path node. */
PathNode getASuccessor() {
/**
* Gets a successor node of this path node, including hidden nodes.
*/
private PathNode getASuccessorInternal() {
exists(DataFlow::Node succ, PathSummary newSummary |
flowStep(nd, id(cfg), succ, newSummary) and
result = MkPathNode(succ, id(cfg), summary.append(newSummary))
)
}

/**
* Gets a successor of this path node, if it is a hidden node.
*/
private PathNode getAHiddenSuccessor() {
isHidden() and
result = getASuccessorInternal()
}

/** Gets a successor node of this path node. */
PathNode getASuccessor() {
result = getASuccessorInternal().getAHiddenSuccessor*()
}

/** Gets a textual representation of this path node. */
string toString() { result = nd.toString() }

Expand All @@ -904,6 +919,19 @@ class PathNode extends TPathNode {
) {
nd.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
}

/**
* Holds if this node is hidden from paths in path explanation queries, except
* in cases where it is the source or sink.
*/
predicate isHidden() {
// Skip phi, refinement, and capture nodes
nd.(DataFlow::SsaDefinitionNode).getSsaVariable().getDefinition() instanceof SsaImplicitDefinition
or
// Skip to the top of big left-leaning string concatenation trees.
nd = any(AddExpr add).flow() and
nd = any(AddExpr add).getAnOperand().flow()
}
}

/**
Expand All @@ -925,7 +953,11 @@ class SinkPathNode extends PathNode {
*/
module PathGraph {
/** Holds if `nd` is a node in the graph of data flow path explanations. */
query predicate nodes(PathNode nd) { any() }
query predicate nodes(PathNode nd) {
not nd.isHidden() or
nd instanceof SourcePathNode or

Edge case: whether a node is a SourcePathNode is independent of the path it appears on, so a hidden SourcePathNode may still be displayed in the middle of a path. I suppose we can live with that.

I'm fine with that.

nd instanceof SinkPathNode
}

/** Holds if `pred` → `succ` is an edge in the graph of data flow path explanations. */
query predicate edges(PathNode pred, PathNode succ) { pred.getASuccessor() = succ }
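Review bot: The `edges` predicate at the end of the hunk still reports edges whose endpoints are hidden, because `getASuccessor()` is the reflexive-transitive closure `getASuccessorInternal().getAHiddenSuccessor*()`, which yields every hidden node along the skipped stretch as well as the visible node it ends at, while `nodes` now drops those hidden nodes; the updated expected files show it (`TaintedPath.js:30:7:30:24 | path` and `execSeries.js:5:4:5:3 | arr` leave `nodes` but remain in `edges`). If the path viewer does not tolerate an edge endpoint that is absent from `nodes`, these are dangling edges; either way the graph still carries the hidden nodes the change set out to remove. Restricting edges to reported nodes fixes both while keeping hidden sources and sinks, since `nodes` admits them: `query predicate edges(PathNode pred, PathNode succ) { pred.getASuccessor() = succ and nodes(pred) and nodes(succ) }`. The doc comment on `getASuccessor` should also say that it now follows through hidden nodes, e.g. `/** Gets a successor node of this path node, following through any hidden nodes in between. */`. The `PathGraph` module's closing brace lies past the end of the hunk.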
Expand Up @@ -17,14 +17,6 @@ nodes
| TaintedPath.js:19:33:19:36 | path |
| TaintedPath.js:23:33:23:36 | path |
| TaintedPath.js:27:33:27:36 | path |
| TaintedPath.js:30:7:30:24 | path |
| TaintedPath.js:34:3:34:3 | path |
| TaintedPath.js:34:7:34:24 | path |
| TaintedPath.js:34:29:34:46 | path |
| TaintedPath.js:38:3:38:3 | path |
| TaintedPath.js:38:7:38:24 | path |
| TaintedPath.js:38:29:38:46 | path |
| TaintedPath.js:39:5:39:5 | path |
| TaintedPath.js:39:31:39:34 | path |
| TaintedPath.js:45:3:45:44 | path |
| TaintedPath.js:45:10:45:33 | url.par ... , true) |
Expand Down Expand Up @@ -112,18 +104,54 @@ edges
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:23:33:23:36 | path |
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:33:27:36 | path |
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:7:30:24 | path |
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:3:34:3 | path |
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:7:34:24 | path |
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:34:29:34:46 | path |
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:3:38:3 | path |
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:7:38:24 | path |
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:38:29:38:46 | path |
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:5:39:5 | path |
| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:39:31:39:34 | path |
| TaintedPath.js:9:14:9:37 | url.par ... , true) | TaintedPath.js:9:14:9:43 | url.par ... ).query |
| TaintedPath.js:9:14:9:43 | url.par ... ).query | TaintedPath.js:9:14:9:48 | url.par ... ry.path |
| TaintedPath.js:9:14:9:48 | url.par ... ry.path | TaintedPath.js:9:7:9:48 | path |
| TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:9:14:9:37 | url.par ... , true) |
| TaintedPath.js:15:45:15:48 | path | TaintedPath.js:15:29:15:48 | "/home/user/" + path |
| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:3:34:3 | path |
| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:7:34:24 | path |
| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:34:29:34:46 | path |
| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:3:38:3 | path |
| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:7:38:24 | path |
| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:38:29:38:46 | path |
| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:5:39:5 | path |
| TaintedPath.js:30:7:30:24 | path | TaintedPath.js:39:31:39:34 | path |
| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:7:34:24 | path |
| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:34:29:34:46 | path |
| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:3:38:3 | path |
| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:7:38:24 | path |
| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:38:29:38:46 | path |
| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:5:39:5 | path |
| TaintedPath.js:34:3:34:3 | path | TaintedPath.js:39:31:39:34 | path |
| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:34:29:34:46 | path |
| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:3:38:3 | path |
| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:7:38:24 | path |
| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:38:29:38:46 | path |
| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:5:39:5 | path |
| TaintedPath.js:34:7:34:24 | path | TaintedPath.js:39:31:39:34 | path |
| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:3:38:3 | path |
| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:7:38:24 | path |
| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:38:29:38:46 | path |
| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:5:39:5 | path |
| TaintedPath.js:34:29:34:46 | path | TaintedPath.js:39:31:39:34 | path |
| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:7:38:24 | path |
| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:38:29:38:46 | path |
| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:5:39:5 | path |
| TaintedPath.js:38:3:38:3 | path | TaintedPath.js:39:31:39:34 | path |
| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:38:29:38:46 | path |
| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:5:39:5 | path |
| TaintedPath.js:38:7:38:24 | path | TaintedPath.js:39:31:39:34 | path |
| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:5:39:5 | path |
| TaintedPath.js:38:29:38:46 | path | TaintedPath.js:39:31:39:34 | path |
| TaintedPath.js:39:5:39:5 | path | TaintedPath.js:39:31:39:34 | path |
| TaintedPath.js:45:3:45:44 | path | TaintedPath.js:47:49:47:52 | path |
| TaintedPath.js:45:3:45:44 | path | TaintedPath.js:49:48:49:51 | path |
Expand Up @@ -11,14 +11,12 @@ nodes
| child_process-test.js:21:14:21:16 | cmd |
| child_process-test.js:22:18:22:20 | cmd |
| child_process-test.js:23:13:23:15 | cmd |
| child_process-test.js:25:13:25:23 | "foo" + cmd |
| child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" |
| child_process-test.js:25:21:25:23 | cmd |
| child_process-test.js:36:7:36:20 | sh |
| child_process-test.js:36:12:36:20 | 'cmd.exe' |
| child_process-test.js:38:7:38:20 | sh |
| child_process-test.js:38:12:38:20 | '/bin/sh' |
| child_process-test.js:39:5:39:5 | sh |
| child_process-test.js:39:14:39:15 | sh |
| child_process-test.js:39:18:39:30 | [ flag, cmd ] |
| child_process-test.js:39:26:39:28 | cmd |
Expand All @@ -39,7 +37,6 @@ nodes
| child_process-test.js:56:12:56:14 | cmd |
| child_process-test.js:56:17:56:20 | args |
| execSeries.js:3:20:3:22 | arr |
| execSeries.js:5:4:5:3 | arr |
| execSeries.js:6:14:6:16 | arr |
| execSeries.js:6:14:6:21 | arr[i++] |
| execSeries.js:13:19:13:26 | commands |
Expand Down Expand Up @@ -71,9 +68,12 @@ edges
| child_process-test.js:6:25:6:31 | req.url | child_process-test.js:6:15:6:38 | url.par ... , true) |
| child_process-test.js:25:13:25:23 | "foo" + cmd | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" |
| child_process-test.js:25:21:25:23 | cmd | child_process-test.js:25:13:25:23 | "foo" + cmd |
| child_process-test.js:25:21:25:23 | cmd | child_process-test.js:25:13:25:31 | "foo" + cmd + "bar" |
| child_process-test.js:36:7:36:20 | sh | child_process-test.js:39:5:39:5 | sh |
| child_process-test.js:36:7:36:20 | sh | child_process-test.js:39:14:39:15 | sh |
| child_process-test.js:36:12:36:20 | 'cmd.exe' | child_process-test.js:36:7:36:20 | sh |
| child_process-test.js:38:7:38:20 | sh | child_process-test.js:39:5:39:5 | sh |
| child_process-test.js:38:7:38:20 | sh | child_process-test.js:39:14:39:15 | sh |
| child_process-test.js:38:12:38:20 | '/bin/sh' | child_process-test.js:38:7:38:20 | sh |
| child_process-test.js:39:5:39:5 | sh | child_process-test.js:39:14:39:15 | sh |
| child_process-test.js:41:9:41:17 | args | child_process-test.js:44:30:44:33 | args |
Expand All @@ -86,6 +86,7 @@ edges
| child_process-test.js:55:14:55:16 | cmd | child_process-test.js:56:12:56:14 | cmd |
| child_process-test.js:55:19:55:22 | args | child_process-test.js:56:17:56:20 | args |
| execSeries.js:3:20:3:22 | arr | execSeries.js:5:4:5:3 | arr |
| execSeries.js:3:20:3:22 | arr | execSeries.js:6:14:6:16 | arr |
| execSeries.js:5:4:5:3 | arr | execSeries.js:6:14:6:16 | arr |
| execSeries.js:6:14:6:16 | arr | execSeries.js:6:14:6:21 | arr[i++] |
| execSeries.js:6:14:6:21 | arr[i++] | execSeries.js:14:24:14:30 | command |
Expand Up @@ -3,10 +3,7 @@ nodes
| ReflectedXss.js:8:33:8:45 | req.params.id |
| etherpad.js:9:5:9:53 | response |
| etherpad.js:9:16:9:30 | req.query.jsonp |
| etherpad.js:9:16:9:36 | req.que ... p + "(" |
| etherpad.js:9:16:9:47 | req.que ... esponse |
| etherpad.js:9:16:9:53 | req.que ... e + ")" |
| etherpad.js:11:3:11:3 | response |
| etherpad.js:11:12:11:19 | response |
| formatting.js:4:9:4:29 | evil |
| formatting.js:4:16:4:29 | req.query.evil |
Expand Down Expand Up @@ -45,8 +42,12 @@ nodes
edges
| ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
| etherpad.js:9:5:9:53 | response | etherpad.js:11:3:11:3 | response |
| etherpad.js:9:5:9:53 | response | etherpad.js:11:12:11:19 | response |
| etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:36 | req.que ... p + "(" |
| etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:47 | req.que ... esponse |
| etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:16:9:53 | req.que ... e + ")" |
| etherpad.js:9:16:9:36 | req.que ... p + "(" | etherpad.js:9:16:9:47 | req.que ... esponse |
| etherpad.js:9:16:9:36 | req.que ... p + "(" | etherpad.js:9:16:9:53 | req.que ... e + ")" |
| etherpad.js:9:16:9:47 | req.que ... esponse | etherpad.js:9:16:9:53 | req.que ... e + ")" |
| etherpad.js:9:16:9:53 | req.que ... e + ")" | etherpad.js:9:5:9:53 | response |
| etherpad.js:11:3:11:3 | response | etherpad.js:11:12:11:19 | response |
14 changes: 8 additions & 6 deletions javascript/ql/test/query-tests/Security/CWE-079/Xss.expected
Expand Up @@ -6,7 +6,6 @@ nodes
| jquery.js:2:17:2:33 | document.location |
| jquery.js:2:17:2:40 | documen ... .search |
| jquery.js:4:5:4:11 | tainted |
| jquery.js:7:5:7:26 | "<div i ... tainted |
| jquery.js:7:5:7:34 | "<div i ... + "\\">" |
| jquery.js:7:20:7:26 | tainted |
| jquery.js:8:18:8:34 | "XSS: " + tainted |
Expand Down Expand Up @@ -54,12 +53,10 @@ nodes
| tst.js:2:16:2:32 | document.location |
| tst.js:2:16:2:39 | documen ... .search |
| tst.js:5:18:5:23 | target |
| tst.js:8:18:8:114 | "<OPTIO ... t=")+8) |
| tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
| tst.js:8:37:8:53 | document.location |
| tst.js:8:37:8:58 | documen ... on.href |
| tst.js:8:37:8:114 | documen ... t=")+8) |
| tst.js:12:5:12:33 | '<div s ... target |
| tst.js:12:5:12:42 | '<div s ... 'px">' |
| tst.js:12:28:12:33 | target |
| tst.js:19:25:19:41 | document.location |
Expand Down Expand Up @@ -100,7 +97,6 @@ nodes
| tst.js:73:3:73:19 | document.location |
| tst.js:73:3:73:26 | documen ... .search |
| tst.js:73:46:73:46 | x |
| tst.js:74:7:74:7 | x |
| tst.js:76:20:76:20 | x |
| tst.js:80:49:80:65 | document.location |
| tst.js:80:49:80:72 | documen ... .search |
Expand Down Expand Up @@ -147,9 +143,7 @@ nodes
| tst.js:194:19:194:42 | documen ... .search |
| tst.js:196:67:196:73 | tainted |
| tst.js:197:67:197:73 | tainted |
| tst.js:200:20:200:19 | tainted |
| tst.js:201:35:201:41 | tainted |
| tst.js:203:27:203:26 | tainted |
| tst.js:203:46:203:52 | tainted |
| tst.js:204:38:204:44 | tainted |
| tst.js:205:35:205:41 | tainted |
Expand Down Expand Up @@ -196,6 +190,7 @@ edges
| jquery.js:2:17:2:40 | documen ... .search | jquery.js:2:7:2:40 | tainted |
| jquery.js:7:5:7:26 | "<div i ... tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
| jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:26 | "<div i ... tainted |
| jquery.js:7:20:7:26 | tainted | jquery.js:7:5:7:34 | "<div i ... + "\\">" |
| jquery.js:8:28:8:34 | tainted | jquery.js:8:18:8:34 | "XSS: " + tainted |
| nodemailer.js:13:50:13:66 | req.query.message | nodemailer.js:13:11:13:69 | `Hi, yo ... sage}.` |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
Expand Down Expand Up @@ -232,8 +227,10 @@ edges
| tst.js:8:37:8:53 | document.location | tst.js:8:37:8:58 | documen ... on.href |
| tst.js:8:37:8:58 | documen ... on.href | tst.js:8:37:8:114 | documen ... t=")+8) |
| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:114 | "<OPTIO ... t=")+8) |
| tst.js:8:37:8:114 | documen ... t=")+8) | tst.js:8:18:8:126 | "<OPTIO ... PTION>" |
| tst.js:12:5:12:33 | '<div s ... target | tst.js:12:5:12:42 | '<div s ... 'px">' |
| tst.js:12:28:12:33 | target | tst.js:12:5:12:33 | '<div s ... target |
| tst.js:12:28:12:33 | target | tst.js:12:5:12:42 | '<div s ... 'px">' |
| tst.js:19:25:19:41 | document.location | tst.js:20:18:20:35 | params.get('name') |
| tst.js:23:42:23:47 | target | tst.js:23:42:23:60 | target.substring(1) |
| tst.js:23:42:23:60 | target.substring(1) | tst.js:24:18:24:41 | searchP ... 'name') |
Expand Down Expand Up @@ -263,6 +260,7 @@ edges
| tst.js:73:3:73:19 | document.location | tst.js:73:3:73:26 | documen ... .search |
| tst.js:73:3:73:26 | documen ... .search | tst.js:73:1:73:27 | [,docum ... search] |
| tst.js:73:46:73:46 | x | tst.js:74:7:74:7 | x |
| tst.js:73:46:73:46 | x | tst.js:76:20:76:20 | x |
| tst.js:74:7:74:7 | x | tst.js:76:20:76:20 | x |
| tst.js:80:49:80:65 | document.location | tst.js:80:49:80:72 | documen ... .search |
| tst.js:84:26:84:42 | document.location | tst.js:84:26:84:49 | documen ... .search |
Expand Down Expand Up @@ -294,7 +292,11 @@ edges
| tst.js:194:9:194:42 | tainted | tst.js:196:67:196:73 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:197:67:197:73 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:200:20:200:19 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:201:35:201:41 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:203:27:203:26 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:203:46:203:52 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:204:38:204:44 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:205:35:205:41 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:233:35:233:41 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:235:20:235:26 | tainted |
| tst.js:194:9:194:42 | tainted | tst.js:237:23:237:29 | tainted |