
Commit 44dcf9e

committed
Remove uses of configuration of default queries in the custom queries
1 parent 3dc4f40 commit 44dcf9e


5 files changed

+30
-18
lines changed


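--- a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll
+++ b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll
@@ -43,9 +43,14 @@ class CdsLogSink extends DataFlow::Node {
 }
 }
 
-class CAPLogInjectionConfiguration extends LogInjectionConfiguration {
+class CAPLogInjectionConfiguration extends TaintTracking::Configuration {
+CAPLogInjectionConfiguration() { this = "CAP Log Injection" }
+
 override predicate isSource(DataFlow::Node start) {
-super.isSource(start) or
+exists(LogInjectionConfiguration logInjectionConfiguration |
+logInjectionConfiguration.isSource(start)
+)
+or
 start instanceof RemoteFlowSource
 }
 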
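Review bot: The default log-injection sanitizers are probably no longer applied once `CAPLogInjectionConfiguration` extends `TaintTracking::Configuration`, because this hunk delegates only `isSource` to `LogInjectionConfiguration`. The class continues outside the hunk, so this may already be handled there; if it is not, values that are neutralised before logging (for instance by stripping line breaks) would start to be reported as findings. Consider adding `override predicate isSanitizer(DataFlow::Node node) { exists(LogInjectionConfiguration c | c.isSanitizer(node)) }`, or a comment on the class stating that the default sanitizers are left out on purpose. A test case with a sanitized value flowing into a CDS log call would pin the intended behaviour.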

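--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll
@@ -2,11 +2,14 @@ import javascript
 import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow as UI5DataFlow
 import advanced_security.javascript.frameworks.ui5.UI5View
 import semmle.javascript.security.dataflow.DomBasedXssQuery as DomBasedXss
-import semmle.javascript.security.dataflow.ClientSideUrlRedirectCustomizations::ClientSideUrlRedirect as UrlRedirect
 
-class Configuration extends DomBasedXss::Configuration {
+class Configuration extends TaintTracking::Configuration {
+Configuration() { this = "UI5 HTML Injection" }
+
 override predicate isSource(DataFlow::Node start) {
-super.isSource(start)
+exists(DomBasedXss::Configuration domBasedXssConfiguration |
+domBasedXssConfiguration.isSource(start)
+)
 or
 start instanceof RemoteFlowSource
 }
@@ -16,7 +19,9 @@ class Configuration extends DomBasedXss::Configuration {
 DataFlow::FlowLabel outLabel
 ) {
 /* Already an additional flow step defined in `DomBasedXssQuery::Configuration` */
-super.isAdditionalFlowStep(start, end, inLabel, outLabel)
+exists(DomBasedXss::Configuration domBasedXssConfiguration |
+domBasedXssConfiguration.isAdditionalFlowStep(start, end, inLabel, outLabel)
+)
 or
 /* TODO: Legacy code */
 /* Handler argument node to handler parameter */
@@ -34,7 +39,9 @@ class Configuration extends DomBasedXss::Configuration {
 
 override predicate isBarrier(DataFlow::Node node) {
 /* 1. Already a sanitizer defined in `DomBasedXssQuery::Configuration` */
-super.isSanitizer(node)
+exists(DomBasedXss::Configuration domBasedXssConfiguration |
+domBasedXssConfiguration.isSanitizer(node)
+)
 or
 /* 2. Value read from a non-string control property */
 exists(PropertyMetadata m | not m.isUnrestrictedStringType() | node = m)
@@ -56,21 +63,20 @@ class Configuration extends DomBasedXss::Configuration {
 
 override predicate isSink(DataFlow::Node node) {
 node instanceof UI5ExtHtmlISink or
-node instanceof UrlRedirect::LocationSink or
 node instanceof UI5ModelHtmlISink
 }
 }
 
 /**
 * An HTML injection sink associated with a `UI5BoundNode`, typically for library controls acting as sinks.
 */
-class UI5ModelHtmlISink extends DomBasedXss::Sink {
+class UI5ModelHtmlISink extends DataFlow::Node {
 UI5ModelHtmlISink() { exists(UI5View view | view.getAnHtmlISink().getNode() = this) }
 }
 
 /**
 * An HTML injection sink typically for custom controls whose RenderManager calls acting as sinks.
 */
-private class UI5ExtHtmlISink extends DomBasedXss::Sink {
+private class UI5ExtHtmlISink extends DataFlow::Node {
 UI5ExtHtmlISink() { this = ModelOutput::getASinkNode("ui5-html-injection").asSink() }
 }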
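Review bot: In `isBarrier`, only the node-level `isSanitizer(node)` of the default DOM-based XSS configuration is delegated, so any guard-based sanitizers that were inherited while this class extended `DomBasedXss::Configuration` likely no longer apply. Values that are checked before they reach a UI5 HTML sink could then show up as new findings. If the default configuration defines guards, delegate them the same way, `override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) { exists(DomBasedXss::Configuration c | c.isSanitizerGuard(guard)) }`, or extend the comment in `isBarrier` to say that only node sanitizers are reused. Dropping `UrlRedirect::LocationSink` and detaching the two sink classes from `DomBasedXss::Sink` also changes which results this query and the default query report, so the expected-results files should be checked against that.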

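--- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll
+++ b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll
@@ -17,13 +17,13 @@ class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "XSJS Reflected XSS Query" }
 
 override predicate isSource(DataFlow::Node start) {
-super.isSource(start) or
+exists(DomBasedXss::Configuration domBasedXssConfiguration |
+domBasedXssConfiguration.isSource(start)
+) or
 start instanceof RemoteFlowSource
 }
 
 override predicate isSink(DataFlow::Node end) {
-super.isSink(end)
-or
 exists(XSJSResponseSetBodyCall setBody, XSJSResponse thisOrAnotherXSJSResponse |
 thisOrAnotherXSJSResponse = setBody.getParentXSJSResponse() or
 thisOrAnotherXSJSResponse = setBody.getParentXSJSResponse().getAPredOrSuccResponse()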
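Review bot: The new `isSource` is not an equivalent rewrite of `super.isSource(start)`: per the hunk header this class already extended `TaintTracking::Configuration`, whose own `isSource` presumably contributes no sources, whereas `exists(DomBasedXss::Configuration ...)` now brings in the sources of the client-side DOM XSS query. For a server-side reflected XSS query over XSJS responses those browser-oriented sources look out of place and may add noise; either keep `start instanceof RemoteFlowSource` alone or add a comment explaining why they are wanted. The same non-equivalent replacement is made in XSJSSqlInjectionQuery.qll and XSJSUrlRedirectQuery.qll with `SqlInjection::Configuration` and `UrlRedirect::Configuration`. The `isSink` body continues outside the hunk.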

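--- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll
+++ b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll
@@ -16,12 +16,13 @@ class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "XSJS SQL Injection Query" }
 
 override predicate isSource(DataFlow::Node start) {
-super.isSource(start) or
+exists(SqlInjection::Configuration sqlInjectionConfiguration |
+sqlInjectionConfiguration.isSource(start)
+) or
 start instanceof RemoteFlowSource
 }
 
 override predicate isSink(DataFlow::Node end) {
-super.isSink(end) or
 end.(XSJSDBConnectionPrepareStatementArgument).isConcatenated()
 }
 }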

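--- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll
+++ b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll
@@ -6,13 +6,13 @@ class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "XSJS URL Redirect Query" }
 
 override predicate isSource(DataFlow::Node start) {
-super.isSource(start) or
+exists(UrlRedirect::Configuration urlRedirectConfiguration |
+urlRedirectConfiguration.isSource(start)
+) or
 start instanceof RemoteFlowSource
 }
 
 override predicate isSink(DataFlow::Node end) {
-super.isSink(end)
-or
 exists(XSJSRequestOrResponseHeaders headers |
 end = headers.getHeaderSetCall("location").getArgument(1)
 )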
