Skip to content

JavaScript: Add queries and libraries for supporting flow summaries#502

Merged
semmle-qlci merged 20 commits into
github:masterfrom
xiemaisi:js/summaries
Jan 11, 2019
Merged

JavaScript: Add queries and libraries for supporting flow summaries#502
semmle-qlci merged 20 commits into
github:masterfrom
xiemaisi:js/summaries

Conversation

@xiemaisi

Copy link
Copy Markdown

This PR introduces queries and libraries that can be used to generate and consume flow summaries for npm packages using the command-line tools and QL4E.

It's still quite experimental and unfinished, but I'm opening this PR anyway to serve as a basis for discussion.

See flow-summaries.rst included in this PR for a brief overview of the various bits of machinery and how to use them.

@xiemaisi xiemaisi added JS WIP This is a work-in-progress, do not merge yet! labels Nov 20, 2018
@xiemaisi xiemaisi requested a review from a team as a code owner November 20, 2018 15:45

@asger-semmle asger-semmle left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've read the .rst file and tried following its instructions (very nicely written!), but couldn't get it working, possibly because of how I randomly cut off the negative recursion with a blunt axe.

I'll give it a spin next week, and review it once I have a better feeling for how it works.

or
spec = "" and
not config.isBarrier(_) and
not config.isBarrier(_, _)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There seems to be negative recursion going through here.

The characteristic predicate of the dataflow configuration in ImportFromCsv depends on configSpec which depends on the dispatch predicate of isBarrier, which depends on the set of dataflow configurations.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh dear, I wonder when that crept in. I'll take a look on Monday.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed by removing the two negative conjuncts. They weren't a good idea in the first place.

@asger-semmle asger-semmle left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few comments so far:

  • The two ways to import summaries aren't fundamentally mutually exclusive are they? It seems we could safely add ImportFromCsv in javascript.qll and still have ImportFromExternalPredicates as an optional throw-in when using Eclipse (after a bit of code deduplication to avoid name clashes).

}
}

private class AdditionalFlowStepFromSpec extends DataFlow::Configuration {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice with a dedicated AdditionalFlowStep class for this instead, like with the sources and sinks.

Sort of related: The flow summaries only seem to track TaintTracking::Configuration. Is that deliberate? Is there a reason we can't use AdditionalTaintStep?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, good point. There isn't a fundamental reason to only track TaintTracking::Configurations, but it's probably the case we are most interested in for now, so I'll just switch this to AdditionalTaintStep.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ugh, except that AdditionalTaintStep doesn't currently allow specifying kinds, and it is also cached and should only be extended in the standard library. Bit messy, that.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, yeah the cached thing is a deal-breaker. Still, it seems a bit sneaky to have this configuration-class here, so if we could add an uncached class for this that would be great.

p1 = source.getNode().(PortalExitSource).getPortal() and
p2 = sink.getNode().(PortalEntrySink).getPortal() and
lbl1 = sink.getPathSummary().getStartLabel() and
lbl2 = sink.getPathSummary().getStartLabel() and

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy-pasta? The two labels will always be the same, won't they?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed; my least favourite kind of pasta.

@xiemaisi

xiemaisi commented Dec 3, 2018

Copy link
Copy Markdown
Author

It seems we could safely add ImportFromCsv in javascript.qll

Yes, I think that would be a good idea, but I'll need to check that it doesn't unduly affect performance when there aren't any summaries to import.

@xiemaisi xiemaisi force-pushed the js/summaries branch 2 times, most recently from da357e3 to 6644597 Compare December 13, 2018 10:51
@xiemaisi xiemaisi force-pushed the js/summaries branch 5 times, most recently from ab2cfc6 to 1eb61f3 Compare January 4, 2019 08:26
Max Schaefer added 15 commits January 9, 2019 09:05
If a summary does not specify a configuration, it is taken to apply to all configurations without custom sanitisers/barriers.

If a source summary does not specify a flow label, `data` is assumed.

If a sink summary does not specify a flow label, both `data` and `taint` are assumed.

Flow step summaries cannot omit flow labels.

Note that the standard extraction queries always provide explicit configurations and flow labels, and hence do not exercise this functionality.
In its current form, this query produces way too many results.
…f many configurations with many sources/sinks.
@xiemaisi

xiemaisi commented Jan 9, 2019

Copy link
Copy Markdown
Author

Rebased to resolve auto-formatting conflicts.

I've experimented with ways of reducing the performance penalty from including ImportFromCSV in the standard library, but couldn't bring the overhead down to acceptable levels, so I've reverted that commit. With the revert, no performance or result changes were observed on a full dist-compare run.

This means that flow-summary support is opt-in and requires a local change to javascript.qll, but perhaps that's good enough for now.

@xiemaisi xiemaisi removed the WIP This is a work-in-progress, do not merge yet! label Jan 9, 2019
asger-semmle
asger-semmle previously approved these changes Jan 9, 2019

@asger-semmle asger-semmle left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM then

github#698 removed `document.cookie` as a remote flow source, which some of the tests relied on. We now use `location.search` instead.
@xiemaisi

Copy link
Copy Markdown
Author

@asger-semmle: I had to add a commit to resolve a semantic merge conflict (document.cookie, which was used in one of the tests) is no longer considered a source of remote flow. Could you take a look?

@asger-semmle asger-semmle left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still LGTM

@semmle-qlci semmle-qlci merged commit b0dd3df into github:master Jan 11, 2019
@xiemaisi xiemaisi deleted the js/summaries branch January 17, 2019 09:33
cklin pushed a commit that referenced this pull request May 23, 2022
…ally

Find latest release of the CLI automatically
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants