WIP: preparing for TaintedPath query

garbervetsky · Oct 16, 2020 · 960bb16 · 960bb16
1 parent 3c82b3b
commit 960bb16
Show file tree

Hide file tree

Showing 8 changed files with 710 additions and 14 deletions.
diff --git a/constraintsolving/compute_metrics.py b/constraintsolving/compute_metrics.py
@@ -198,19 +198,22 @@ def createReprPredicate(ctx, project_name:str, query_type:str, reprScoresFiles =
 
     print(tsm_repr_pred_file)
     print(repr_scores_path)
-    with open(repr_scores_path, "r", encoding='utf-8') as reprscores:
-        with open(tsm_repr_pred_file , "w", encoding='utf-8') as reprPrFile:
-            reprPrFile.writelines([
-                "module TsmRepr {",
-                "float getReprScore(string repr, string t){\n"])
-            reprscores = reprscores.readlines()
-            if len(reprscores)>0:
-                reprPrFile.writelines(reprscores)
-            else:
-                reprPrFile.write('\t result = 0 and (t = "src" or t = "snk" or t = "san") and repr = ""\n')
-            reprPrFile.writelines(["}","}"])
-    # create a TSM query in the results dir
-    createTSMQuery(ctx, project_name, query_type)
+    try:
+        with open(repr_scores_path, "r", encoding='utf-8') as reprscores:
+            with open(tsm_repr_pred_file , "w", encoding='utf-8') as reprPrFile:
+                reprPrFile.writelines([
+                    "module TsmRepr {",
+                    "float getReprScore(string repr, string t){\n"])
+                reprscores = reprscores.readlines()
+                if len(reprscores)>0:
+                    reprPrFile.writelines(reprscores)
+                else:
+                    reprPrFile.write('\t result = 0 and (t = "src" or t = "snk" or t = "san") and repr = ""\n')
+                reprPrFile.writelines(["}","}"])
+        # create a TSM query in the results dir
+        createTSMQuery(ctx, project_name, query_type)
+    except Exception as e:
+        print(e)
 
 def createTSMQuery(ctx, project_name: str, query_type: str):
     tsm_folder = os.path.join(global_config.sources_root, "javascript", "ql", "src", "TSM")

diff --git a/constraintsolving/generation/data.py b/constraintsolving/generation/data.py
@@ -19,7 +19,7 @@
 SINKS = "Sinks"
 SANITIZERS = "Sanitizers"
 
-SUPPORTED_QUERY_TYPES = ["NoSql", "Sql", "Xss", "Sel"]
+SUPPORTED_QUERY_TYPES = ["NoSql", "Sql", "Xss", "Sel", "Path"]
 
 
 class GenerateEntitiesStep(OrchestrationStep):

diff --git a/javascript/ql/src/TSM/Path/Sanitizers-Path.ql b/javascript/ql/src/TSM/Path/Sanitizers-Path.ql
@@ -0,0 +1,13 @@
+/**
+ * @kind graph
+ */
+import javascript
+import TSM.TSM
+
+query predicate sanitizerSqlClasses(DataFlow::Node nd, string q, string repr){
+    (           
+        nd instanceof TaintedPath::Sanitizer and q="TaintedPath" or
+        nd instanceof TaintedPathWorse::Sanitizer and q="TaintedPathWorse"       
+    ) and
+    repr = PropagationGraph::getconcatrep(nd)
+}
diff --git a/javascript/ql/src/TSM/Path/Sinks-Path.ql b/javascript/ql/src/TSM/Path/Sinks-Path.ql
@@ -0,0 +1,12 @@
+/**
+ * @kind graph
+ */
+import javascript
+import TSM.TSM
+
+query predicate sinkSqlClasses(DataFlow::Node nd, string q, string repr){
+    (nd instanceof TaintedPath::Sink and q="TaintedPath" or
+    nd instanceof TaintedPathWorse::Sink and q="TaintedPathWorse"
+    ) and    
+    repr = PropagationGraph::getconcatrep(nd)
+}
diff --git a/javascript/ql/src/TSM/Path/Sources-Path.ql b/javascript/ql/src/TSM/Path/Sources-Path.ql
@@ -0,0 +1,12 @@
+/**
+ * @kind graph
+ */
+import javascript
+import TSM.TSM
+
+query predicate sourcePathClasses(DataFlow::Node nd, string q, string repr){
+    (nd instanceof TaintedPath::Source and q="TaintedPath" or  
+    nd instanceof  TaintedPathWorse::Source and q="TaintedPathWorse" 
+    ) and  
+    repr = PropagationGraph::getconcatrep(nd)
+}
diff --git a/javascript/ql/src/TSM/Sinks.qll b/javascript/ql/src/TSM/Sinks.qll
@@ -38,6 +38,7 @@ import semmle.javascript.security.dataflow.SeldonCustomizationsWorse
 import semmle.javascript.security.dataflow.StackTraceExposureCustomizations
 import semmle.javascript.security.dataflow.TaintedFormatStringCustomizations
 import semmle.javascript.security.dataflow.TaintedPathCustomizations
+import semmle.javascript.security.dataflow.TaintedPathCustomizationsWorse
 import semmle.javascript.security.dataflow.TypeConfusionThroughParameterTamperingCustomizations
 import semmle.javascript.security.dataflow.UnsafeDeserializationCustomizations
 import semmle.javascript.security.dataflow.UnsafeDynamicMethodAccessCustomizations