Commit
1 parent
960bb16
commit 9a7a91c
Showing
528 changed files
with
33,572 additions
and
0 deletions.
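--- a/...t/ql/src/TSM/query/NoSql/1046224544_fontend_19c10c3/NosqlInjectionWorse-1602380390/TSM.ql
+++ b/...t/ql/src/TSM/query/NoSql/1046224544_fontend_19c10c3/NosqlInjectionWorse-1602380390/TSM.ql
@@ -0,0 +1,20 @@
+/**
+* @name General TSM query
+* @description Checking unsanitized flows
+* @kind path-problem
+* @problem.severity error
+* @precision high
+* @id js/tsm-query
+*/
+
+import tsm_config
+import DataFlow::PathGraph
+
+from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where
+(
+cfg instanceof TSMConfig::Configuration
+) and
+cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This query depends on $@.", source.getNode(),
+"a user-provided value"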
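Review bot: `@id js/tsm-query` is the same identifier in every copy of TSM.ql added by this commit (the second copy under the atl-wdi-10 directory is visible further down), so running these together as one query pack would presumably collide on the id; either derive the id from the per-project path or keep a single query parameterised by its configuration. `@precision high` also looks unsupported by the acceptance criteria in the accompanying tsm_config.qll, where a node becomes a source or sink at a learned score of 0.1; `@precision low` (or `medium`) would set expectations for triage correctly until the scores are validated. Declaring `TSMConfig::Configuration cfg` directly in the `from` clause would make the `instanceof` test in `where` unnecessary. The message `"This query depends on $@."` does not say which kind of query is affected; `"This NoSQL query depends on $@."` matches what the configuration tracks.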
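--- a/.../ql/src/TSM/query/NoSql/1046224544_fontend_19c10c3/NosqlInjectionWorse-1602380390/tsm.qll
+++ b/.../ql/src/TSM/query/NoSql/1046224544_fontend_19c10c3/NosqlInjectionWorse-1602380390/tsm.qll
@@ -0,0 +1,57 @@
+import javascript
+
+import TSM.NodeRepresentation
+import tsm_repr_pred
+
+module TSM {
+private import TsmRepr
+
+predicate isSourceCandidate(DataFlow::Node nd) {
+nd instanceof DataFlow::CallNode or
+nd instanceof DataFlow::PropRead or
+nd instanceof DataFlow::ParameterNode
+}
+
+predicate isSanitizerCandidate(DataFlow::Node nd) {
+nd instanceof DataFlow::CallNode
+}
+
+predicate isSinkCandidate(DataFlow::Node nd) {
+(
+exists(DataFlow::InvokeNode invk |
+nd = invk.getAnArgument()
+or
+nd = invk.(DataFlow::MethodCallNode).getReceiver()
+)
+or
+nd = any(DataFlow::PropWrite pw).getRhs()
+)
+}
+
+string rep(DataFlow::Node node){
+result = candidateRep(node, _)
+}
+
+predicate isSink(DataFlow::Node node, float score){
+isSinkCandidate(node) and
+(exists(rep(node)) and score = sum(doGetReprScore(rep(node), "snk"))/count(rep(node)) or
+not exists(rep(node)) and score = 0)
+}
+
+predicate isSource(DataFlow::Node node, float score){
+isSourceCandidate(node) and
+(exists(rep(node)) and score = sum(doGetReprScore(rep(node), "src"))/count(rep(node)) or
+not exists(rep(node)) and score = 0)
+}
+
+predicate isSanitizer(DataFlow::Node node, float score){
+isSanitizerCandidate(node) and
+(exists(rep(node)) and
+score = sum(doGetReprScore(rep(node), "san"))/count(rep(node)) or
+not exists(rep(node)) and score = 0)
+}
+
+float doGetReprScore(string repr, string t){
+result = TsmRepr::getReprScore(repr, t)
+}
+}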
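Review bot: `isSink`, `isSource` and `isSanitizer` rely on `and` binding tighter than `or` inside `(exists(rep(node)) and score = ... or not exists(rep(node)) and score = 0)`, which reads as ambiguous at a glance; `(exists(rep(node)) and score = ...) or (not exists(rep(node)) and score = 0)` makes the two cases explicit. None of the module's predicates carries QLDoc, and the scoring contract is worth stating because the thresholds in tsm_config.qll depend on it: a comment such as `/** Holds if `node` is a sink candidate; `score` is the mean of the "snk" scores of its representations, and 0 when it has none or none of them is scored. */` (the empty `sum` is presumably 0, so a node whose representations have no "snk" entry still gets score 0 rather than being absent — confirm). `rep` and `doGetReprScore` appear to be used only inside `module TSM` and could be declared `private`, as the `TsmRepr` import already is. The same points apply to the second tsm.qll copy under the atl-wdi-10 directory further down.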
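--- a/.../TSM/query/NoSql/1046224544_fontend_19c10c3/NosqlInjectionWorse-1602380390/tsm_config.qll
+++ b/.../TSM/query/NoSql/1046224544_fontend_19c10c3/NosqlInjectionWorse-1602380390/tsm_config.qll
@@ -0,0 +1,40 @@
+/**
+* Provides a taint tracking configuration for reasoning about Seldon's paper example
+*
+*/
+
+import javascript
+import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
+private float minScore_snk() { result = 0.1}
+private float minScore_src() { result = 0.1}
+// Score>1 to ignore sanitizers
+private float minScore_san() { result = 1.1}
+
+module TSMConfig {
+import tsm
+
+/**
+* A taint-tracking configuration for reasoning about SQL injection vulnerabilities.
+*/
+class Configuration extends TaintTracking::Configuration {
+Configuration() { this = "TSMConfig" }
+
+override predicate isSource(DataFlow::Node source) {
+exists (float score | TSM::isSource(source, score) and score>=minScore_src())
+//or
+//source instanceof NosqlInjection::Source
+}
+
+override predicate isSink(DataFlow::Node sink) {
+exists (float score | TSM::isSink(sink, score) and score>=minScore_snk())
+//or
+//sink instanceof NosqlInjection::Sink
+}
+
+override predicate isSanitizer(DataFlow::Node node) {
+exists (float score | TSM::isSanitizer(node, score) and score>=minScore_san())
+or
+node instanceof NosqlInjection::Sanitizer
+}
+}
+}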
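Review bot: The first disjunct of `isSanitizer` can never hold with this commit's score table: `minScore_san()` is 1.1 while every value in tsm_repr_pred.qll is at most 1.0, so learned sanitizers such as `(return (member trim *))` are silently discarded and only `NosqlInjection::Sanitizer` is effective. That is what the `// Score>1 to ignore sanitizers` comment intends, but it belongs on the predicate itself, e.g. `// Learned sanitizers are disabled (threshold above the maximum score 1.0); only the library sanitizers apply.`, otherwise a later change to the threshold changes results without anyone noticing. The class QLDoc says `SQL injection vulnerabilities` while the configuration, the `NosqlInjectionCustomizations` import and the query directory are about NoSQL injection; `A taint-tracking configuration for reasoning about NoSQL injection vulnerabilities, using learned TSM scores.` would be accurate. The commented-out `//source instanceof NosqlInjection::Source` and `//sink instanceof NosqlInjection::Sink` lines should either be removed or get a one-line note saying the library sources and sinks are deliberately excluded from this variant, and the three `minScore_*` predicates read better placed after the import block. The same points apply to the tsm_config.qll copy under the atl-wdi-10 directory further down.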
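--- a/...M/query/NoSql/1046224544_fontend_19c10c3/NosqlInjectionWorse-1602380390/tsm_repr_pred.qll
+++ b/...M/query/NoSql/1046224544_fontend_19c10c3/NosqlInjectionWorse-1602380390/tsm_repr_pred.qll
@@ -0,0 +1,41 @@
+module TsmRepr {float getReprScore(string repr, string t){
+repr = "(member body (parameter req *))" and t = "src" and result = 1.0000000000 or
+repr = "(return (member toUpperCase (member title *)))" and t = "san" and result = 0.4705882353 or
+repr = "(return (member trim *))" and t = "san" and result = 1.0000000000 or
+repr = "(member audio *)" and t = "src" and result = 1.0000000000 or
+repr = "(member src (member query (parameter req *)))" and t = "src" and result = 1.0000000000 or
+repr = "(member avatar (member query (parameter req *)))" and t = "src" and result = 1.0000000000 or
+repr = "(member audio (member query (parameter req *)))" and t = "src" and result = 1.0000000000 or
+repr = "(member _id *)" and t = "snk" and result = 1.0000000000 or
+repr = "(member name (member query (parameter req *)))" and t = "src" and result = 1.0000000000 or
+repr = "(member src (member query *))" and t = "src" and result = 1.0000000000 or
+repr = "(member email (member query (parameter req *)))" and t = "src" and result = 1.0000000000 or
+repr = "(member avatar (member query *))" and t = "src" and result = 1.0000000000 or
+repr = "(parameter 1 (return (member findOneAndUpdate *)))" and t = "snk" and result = 0.2500000000 or
+repr = "(member body (parameter req (parameter 1 (return (member post *)))))" and t = "src" and result = 1.0000000000 or
+repr = "(member email *)" and t = "src" and result = 1.0000000000 or
+repr = "(member from_id *)" and t = "snk" and result = 0.5000000000 or
+repr = "(member src *)" and t = "src" and result = 1.0000000000 or
+repr = "(parameter 0 (return (member find *)))" and t = "snk" and result = 1.0000000000 or
+repr = "(member email (member query *))" and t = "src" and result = 1.0000000000 or
+repr = "(return (member trim (member search *)))" and t = "san" and result = 1.0000000000 or
+repr = "(return (member findOneAndUpdate *))" and t = "san" and result = 0.7500000000 or
+repr = "(member audio (member query *))" and t = "src" and result = 1.0000000000 or
+repr = "(member img *)" and t = "src" and result = 1.0000000000 or
+repr = "(member img (member query (parameter req *)))" and t = "src" and result = 1.0000000000 or
+repr = "(member body (parameter 0 (parameter 2 (return (member post *)))))" and t = "src" and result = 1.0000000000 or
+repr = "(member body (parameter req (parameter 2 (return (member post *)))))" and t = "src" and result = 1.0000000000 or
+repr = "(parameter 0 (return (member send (parameter res *))))" and t = "snk" and result = 0.5000000000 or
+repr = "(member name (member query *))" and t = "src" and result = 1.0000000000 or
+repr = "(member _id (parameter 0 (parameter 0 (return (member then *)))))" and t = "snk" and result = 1.0000000000 or
+repr = "(parameter 0 (return (member findOne *)))" and t = "snk" and result = 0.2500000000 or
+repr = "(member img (member query *))" and t = "src" and result = 1.0000000000 or
+repr = "(member _id (parameter 0 (return (member findOne *))))" and t = "san" and result = 0.4705882353 or
+repr = "(return (member findOne *))" and t = "san" and result = 0.7500000000 or
+repr = "(member body (parameter 0 (parameter 1 (return (member post *)))))" and t = "src" and result = 1.0000000000 or
+repr = "(member body *)" and t = "src" and result = 1.0000000000 or
+repr = "(member avatar *)" and t = "src" and result = 1.0000000000 or
+repr = "(member title *)" and t = "san" and result = 1.0000000000 or
+repr = "(member email (parameter 0 (return (member findOne *))))" and t = "src" and result = 1.0000000000 or
+repr = "(member name *)" and t = "src" and result = 1.0000000000
+}}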
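--- a/...3dbeb41841bfbfcc24d55143816cf7f1_atl-wdi-10_2f0c30b/NosqlInjectionWorse-1602380390/TSM.ql
+++ b/...3dbeb41841bfbfcc24d55143816cf7f1_atl-wdi-10_2f0c30b/NosqlInjectionWorse-1602380390/TSM.ql
@@ -0,0 +1,20 @@
+/**
+* @name General TSM query
+* @description Checking unsanitized flows
+* @kind path-problem
+* @problem.severity error
+* @precision high
+* @id js/tsm-query
+*/
+
+import tsm_config
+import DataFlow::PathGraph
+
+from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where
+(
+cfg instanceof TSMConfig::Configuration
+) and
+cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This query depends on $@.", source.getNode(),
+"a user-provided value"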
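--- a/...dbeb41841bfbfcc24d55143816cf7f1_atl-wdi-10_2f0c30b/NosqlInjectionWorse-1602380390/tsm.qll
+++ b/...dbeb41841bfbfcc24d55143816cf7f1_atl-wdi-10_2f0c30b/NosqlInjectionWorse-1602380390/tsm.qll
@@ -0,0 +1,57 @@
+import javascript
+
+import TSM.NodeRepresentation
+import tsm_repr_pred
+
+module TSM {
+private import TsmRepr
+
+predicate isSourceCandidate(DataFlow::Node nd) {
+nd instanceof DataFlow::CallNode or
+nd instanceof DataFlow::PropRead or
+nd instanceof DataFlow::ParameterNode
+}
+
+predicate isSanitizerCandidate(DataFlow::Node nd) {
+nd instanceof DataFlow::CallNode
+}
+
+predicate isSinkCandidate(DataFlow::Node nd) {
+(
+exists(DataFlow::InvokeNode invk |
+nd = invk.getAnArgument()
+or
+nd = invk.(DataFlow::MethodCallNode).getReceiver()
+)
+or
+nd = any(DataFlow::PropWrite pw).getRhs()
+)
+}
+
+string rep(DataFlow::Node node){
+result = candidateRep(node, _)
+}
+
+predicate isSink(DataFlow::Node node, float score){
+isSinkCandidate(node) and
+(exists(rep(node)) and score = sum(doGetReprScore(rep(node), "snk"))/count(rep(node)) or
+not exists(rep(node)) and score = 0)
+}
+
+predicate isSource(DataFlow::Node node, float score){
+isSourceCandidate(node) and
+(exists(rep(node)) and score = sum(doGetReprScore(rep(node), "src"))/count(rep(node)) or
+not exists(rep(node)) and score = 0)
+}
+
+predicate isSanitizer(DataFlow::Node node, float score){
+isSanitizerCandidate(node) and
+(exists(rep(node)) and
+score = sum(doGetReprScore(rep(node), "san"))/count(rep(node)) or
+not exists(rep(node)) and score = 0)
+}
+
+float doGetReprScore(string repr, string t){
+result = TsmRepr::getReprScore(repr, t)
+}
+}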
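--- a/...41bfbfcc24d55143816cf7f1_atl-wdi-10_2f0c30b/NosqlInjectionWorse-1602380390/tsm_config.qll
+++ b/...41bfbfcc24d55143816cf7f1_atl-wdi-10_2f0c30b/NosqlInjectionWorse-1602380390/tsm_config.qll
@@ -0,0 +1,40 @@
+/**
+* Provides a taint tracking configuration for reasoning about Seldon's paper example
+*
+*/
+
+import javascript
+import semmle.javascript.security.dataflow.NosqlInjectionCustomizations
+private float minScore_snk() { result = 0.1}
+private float minScore_src() { result = 0.1}
+// Score>1 to ignore sanitizers
+private float minScore_san() { result = 1.1}
+
+module TSMConfig {
+import tsm
+
+/**
+* A taint-tracking configuration for reasoning about SQL injection vulnerabilities.
+*/
+class Configuration extends TaintTracking::Configuration {
+Configuration() { this = "TSMConfig" }
+
+override predicate isSource(DataFlow::Node source) {
+exists (float score | TSM::isSource(source, score) and score>=minScore_src())
+//or
+//source instanceof NosqlInjection::Source
+}
+
+override predicate isSink(DataFlow::Node sink) {
+exists (float score | TSM::isSink(sink, score) and score>=minScore_snk())
+//or
+//sink instanceof NosqlInjection::Sink
+}
+
+override predicate isSanitizer(DataFlow::Node node) {
+exists (float score | TSM::isSanitizer(node, score) and score>=minScore_san())
+or
+node instanceof NosqlInjection::Sanitizer
+}
+}
+}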