JavaScript: Add queries and libraries for supporting flow summaries#502
Conversation
1e35d33 to
6eeb533
Compare
asger-semmle
left a comment
There was a problem hiding this comment.
I've read the .rst file and tried following its instructions (very nicely written!), but couldn't get it working, possibly because of how I randomly cut off the negative recursion with a blunt axe.
I'll give it a spin next week, and review it once I have a better feeling for how it works.
| or | ||
| spec = "" and | ||
| not config.isBarrier(_) and | ||
| not config.isBarrier(_, _) |
There was a problem hiding this comment.
There seems to be negative recursion going through here.
The characteristic predicate of the dataflow configuration in ImportFromCsv depends on configSpec which depends on the dispatch predicate of isBarrier, which depends on the set of dataflow configurations.
There was a problem hiding this comment.
Oh dear, I wonder when that crept in. I'll take a look on Monday.
There was a problem hiding this comment.
Fixed by removing the two negative conjuncts. They weren't a good idea in the first place.
6eeb533 to
4791db2
Compare
asger-semmle
left a comment
There was a problem hiding this comment.
A few comments so far:
- The two ways to import summaries aren't fundamentally mutually exclusive are they? It seems we could safely add
ImportFromCsvinjavascript.qlland still haveImportFromExternalPredicatesas an optional throw-in when using Eclipse (after a bit of code deduplication to avoid name clashes).
| } | ||
| } | ||
|
|
||
| private class AdditionalFlowStepFromSpec extends DataFlow::Configuration { |
There was a problem hiding this comment.
It would be nice with a dedicated AdditionalFlowStep class for this instead, like with the sources and sinks.
Sort of related: The flow summaries only seem to track TaintTracking::Configuration. Is that deliberate? Is there a reason we can't use AdditionalTaintStep?
There was a problem hiding this comment.
Hm, good point. There isn't a fundamental reason to only track TaintTracking::Configurations, but it's probably the case we are most interested in for now, so I'll just switch this to AdditionalTaintStep.
There was a problem hiding this comment.
Ugh, except that AdditionalTaintStep doesn't currently allow specifying kinds, and it is also cached and should only be extended in the standard library. Bit messy, that.
There was a problem hiding this comment.
Ah, yeah the cached thing is a deal-breaker. Still, it seems a bit sneaky to have this configuration-class here, so if we could add an uncached class for this that would be great.
| p1 = source.getNode().(PortalExitSource).getPortal() and | ||
| p2 = sink.getNode().(PortalEntrySink).getPortal() and | ||
| lbl1 = sink.getPathSummary().getStartLabel() and | ||
| lbl2 = sink.getPathSummary().getStartLabel() and |
There was a problem hiding this comment.
Copy-pasta? The two labels will always be the same, won't they?
There was a problem hiding this comment.
Indeed; my least favourite kind of pasta.
Yes, I think that would be a good idea, but I'll need to check that it doesn't unduly affect performance when there aren't any summaries to import. |
da357e3 to
6644597
Compare
ab2cfc6 to
1eb61f3
Compare
If a summary does not specify a configuration, it is taken to apply to all configurations without custom sanitisers/barriers. If a source summary does not specify a flow label, `data` is assumed. If a sink summary does not specify a flow label, both `data` and `taint` are assumed. Flow step summaries cannot omit flow labels. Note that the standard extraction queries always provide explicit configurations and flow labels, and hence do not exercise this functionality.
… sources and sinks.
In its current form, this query produces way too many results.
…f many configurations with many sources/sinks.
|
Rebased to resolve auto-formatting conflicts. I've experimented with ways of reducing the performance penalty from including This means that flow-summary support is opt-in and requires a local change to |
github#698 removed `document.cookie` as a remote flow source, which some of the tests relied on. We now use `location.search` instead.
|
@asger-semmle: I had to add a commit to resolve a semantic merge conflict ( |
…ally Find latest release of the CLI automatically
This PR introduces queries and libraries that can be used to generate and consume flow summaries for npm packages using the command-line tools and QL4E.
It's still quite experimental and unfinished, but I'm opening this PR anyway to serve as a basis for discussion.
See
flow-summaries.rstincluded in this PR for a brief overview of the various bits of machinery and how to use them.