JS: Update some queries that used data as source

asgerf · asgerf · commit 739384469988 · 2020-03-18T11:55:13.000Z
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -23,7 +23,7 @@ module CleartextLogging {
    * A data flow sink for clear-text logging of sensitive information.
    */
   abstract class Sink extends DataFlow::Node {
-    DataFlow::FlowLabel getLabel() { result.isDataOrTaint() }
+    DataFlow::FlowLabel getLabel() { result.isTaint() }
   }
 
   /**
@@ -127,7 +127,7 @@ module CleartextLogging {
 
     override string describe() { result = "an access to " + name }
 
-    override DataFlow::FlowLabel getLabel() { result.isData() }
+    override DataFlow::FlowLabel getLabel() { result.isTaint() }
   }
 
   /** An access to a variable or property that might contain a password. */
@@ -153,7 +153,7 @@ module CleartextLogging {
 
     override string describe() { result = "an access to " + name }
 
-    override DataFlow::FlowLabel getLabel() { result.isData() }
+    override DataFlow::FlowLabel getLabel() { result.isTaint() }
   }
 
   /** A call that might return a password. */
@@ -167,7 +167,7 @@ module CleartextLogging {
 
     override string describe() { result = "a call to " + name }
 
-    override DataFlow::FlowLabel getLabel() { result.isData() }
+    override DataFlow::FlowLabel getLabel() { result.isTaint() }
   }
 
   /** An access to the sensitive object `process.env`. */
@@ -177,7 +177,7 @@ module CleartextLogging {
     override string describe() { result = "process environment" }
 
     override DataFlow::FlowLabel getLabel() {
-      result.isData() or
+      result.isTaint() or
       result instanceof PartiallySensitiveMap
     }
   }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccess.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccess.qll
@@ -53,7 +53,7 @@ module UnsafeDynamicMethodAccess {
         hasUnsafeMethods(read.getBase().getALocalSource()) and
         src = read.getPropertyNameExpr().flow() and
         dst = read and
-        (srclabel = data() or srclabel = taint()) and
+        srclabel.isTaint() and
         dstlabel = unsafeFunction()
       )
       or
@@ -62,7 +62,7 @@ module UnsafeDynamicMethodAccess {
         not PropertyInjection::isPrototypeLessObject(proj.getObject().getALocalSource()) and
         src = proj.getASelector() and
         dst = proj and
-        (srclabel = data() or srclabel = taint()) and
+        srclabel.isTaint() and
         dstlabel = unsafeFunction()
       )
     }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessCustomizations.qll
@@ -19,7 +19,7 @@ module UnsafeDynamicMethodAccess {
     /**
      * Gets the flow label relevant for this source.
      */
-    DataFlow::FlowLabel getFlowLabel() { result = data() }
+    DataFlow::FlowLabel getFlowLabel() { result = taint() }
   }
 
   /**
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCall.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCall.qll
@@ -40,7 +40,7 @@ module UnvalidatedDynamicMethodCall {
       exists(DataFlow::PropRead read |
         src = read.getPropertyNameExpr().flow() and
         dst = read and
-        (srclabel = data() or srclabel = taint()) and
+        srclabel.isTaint() and
         (
           dstlabel instanceof MaybeNonFunction
           or
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallCustomizations.qll
@@ -19,9 +19,9 @@ module UnvalidatedDynamicMethodCall {
     /**
      * Gets the flow label relevant for this source.
      */
-    DataFlow::FlowLabel getFlowLabel() { result = data() }
+    DataFlow::FlowLabel getFlowLabel() { result = taint() }
   }
-
+  
   /**
    * A data flow sink for unvalidated dynamic method calls.
    */
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
@@ -65,8 +65,6 @@ nodes
 | promises.js:5:44:5:57 | req.query.data |
 | promises.js:5:44:5:57 | req.query.data |
 | promises.js:6:11:6:11 | x |
-| promises.js:6:11:6:11 | x |
-| promises.js:6:25:6:25 | x |
 | promises.js:6:25:6:25 | x |
 | promises.js:6:25:6:25 | x |
 | tst2.js:6:7:6:30 | p |
@@ -148,8 +146,6 @@ edges
 | promises.js:5:44:5:57 | req.query.data | promises.js:6:11:6:11 | x |
 | promises.js:6:11:6:11 | x | promises.js:6:25:6:25 | x |
 | promises.js:6:11:6:11 | x | promises.js:6:25:6:25 | x |
-| promises.js:6:11:6:11 | x | promises.js:6:25:6:25 | x |
-| promises.js:6:11:6:11 | x | promises.js:6:25:6:25 | x |
 | tst2.js:6:7:6:30 | p | tst2.js:7:12:7:12 | p |
 | tst2.js:6:7:6:30 | p | tst2.js:7:12:7:12 | p |
 | tst2.js:6:7:6:30 | r | tst2.js:8:12:8:12 | r |
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected b/javascript/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected
@@ -89,8 +89,6 @@ nodes
 | passwords.js:123:31:123:38 | password |
 | passwords.js:123:31:123:48 | password.valueOf() |
 | passwords.js:127:9:132:5 | config |
-| passwords.js:127:9:132:5 | config |
-| passwords.js:127:18:132:5 | {\\n      ... )\\n    } |
 | passwords.js:127:18:132:5 | {\\n      ... )\\n    } |
 | passwords.js:127:18:132:5 | {\\n      ... )\\n    } |
 | passwords.js:130:12:130:19 | password |
@@ -99,7 +97,6 @@ nodes
 | passwords.js:131:12:131:24 | getPassword() |
 | passwords.js:135:17:135:22 | config |
 | passwords.js:135:17:135:22 | config |
-| passwords.js:135:17:135:22 | config |
 | passwords.js:136:17:136:24 | config.x |
 | passwords.js:136:17:136:24 | config.x |
 | passwords.js:137:17:137:24 | config.y |
@@ -226,9 +223,6 @@ edges
 | passwords.js:123:31:123:48 | password.valueOf() | passwords.js:123:17:123:48 | name +  ... lueOf() |
 | passwords.js:127:9:132:5 | config | passwords.js:135:17:135:22 | config |
 | passwords.js:127:9:132:5 | config | passwords.js:135:17:135:22 | config |
-| passwords.js:127:9:132:5 | config | passwords.js:135:17:135:22 | config |
-| passwords.js:127:9:132:5 | config | passwords.js:135:17:135:22 | config |
-| passwords.js:127:18:132:5 | {\\n      ... )\\n    } | passwords.js:127:9:132:5 | config |
 | passwords.js:127:18:132:5 | {\\n      ... )\\n    } | passwords.js:127:9:132:5 | config |
 | passwords.js:127:18:132:5 | {\\n      ... )\\n    } | passwords.js:127:9:132:5 | config |
 | passwords.js:130:12:130:19 | password | passwords.js:127:18:132:5 | {\\n      ... )\\n    } |

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ module CleartextLogging {`
`23`	`23`	`* A data flow sink for clear-text logging of sensitive information.`
`24`	`24`	`*/`
`25`	`25`	`abstract class Sink extends DataFlow::Node {`
`26`		`- DataFlow::FlowLabel getLabel() { result.isDataOrTaint() }`
	`26`	`+ DataFlow::FlowLabel getLabel() { result.isTaint() }`
`27`	`27`	`}`
`28`	`28`
`29`	`29`	`/**`
`@@ -127,7 +127,7 @@ module CleartextLogging {`
`127`	`127`
`128`	`128`	`override string describe() { result = "an access to " + name }`
`129`	`129`
`130`		`- override DataFlow::FlowLabel getLabel() { result.isData() }`
	`130`	`+ override DataFlow::FlowLabel getLabel() { result.isTaint() }`
`131`	`131`	`}`
`132`	`132`
`133`	`133`	`/** An access to a variable or property that might contain a password. */`
`@@ -153,7 +153,7 @@ module CleartextLogging {`
`153`	`153`
`154`	`154`	`override string describe() { result = "an access to " + name }`
`155`	`155`
`156`		`- override DataFlow::FlowLabel getLabel() { result.isData() }`
	`156`	`+ override DataFlow::FlowLabel getLabel() { result.isTaint() }`
`157`	`157`	`}`
`158`	`158`
`159`	`159`	`/** A call that might return a password. */`
`@@ -167,7 +167,7 @@ module CleartextLogging {`
`167`	`167`
`168`	`168`	`override string describe() { result = "a call to " + name }`
`169`	`169`
`170`		`- override DataFlow::FlowLabel getLabel() { result.isData() }`
	`170`	`+ override DataFlow::FlowLabel getLabel() { result.isTaint() }`
`171`	`171`	`}`
`172`	`172`
`173`	`173`	/** An access to the sensitive object `process.env`. */
`@@ -177,7 +177,7 @@ module CleartextLogging {`
`177`	`177`	`override string describe() { result = "process environment" }`
`178`	`178`
`179`	`179`	`override DataFlow::FlowLabel getLabel() {`
`180`		`- result.isData() or`
	`180`	`+ result.isTaint() or`
`181`	`181`	`result instanceof PartiallySensitiveMap`
`182`	`182`	`}`
`183`	`183`	`}`
Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ module UnsafeDynamicMethodAccess {`
`53`	`53`	`hasUnsafeMethods(read.getBase().getALocalSource()) and`
`54`	`54`	`src = read.getPropertyNameExpr().flow() and`
`55`	`55`	`dst = read and`
`56`		`- (srclabel = data() or srclabel = taint()) and`
	`56`	`+ srclabel.isTaint() and`
`57`	`57`	`dstlabel = unsafeFunction()`
`58`	`58`	`)`
`59`	`59`	`or`
`@@ -62,7 +62,7 @@ module UnsafeDynamicMethodAccess {`
`62`	`62`	`not PropertyInjection::isPrototypeLessObject(proj.getObject().getALocalSource()) and`
`63`	`63`	`src = proj.getASelector() and`
`64`	`64`	`dst = proj and`
`65`		`- (srclabel = data() or srclabel = taint()) and`
	`65`	`+ srclabel.isTaint() and`
`66`	`66`	`dstlabel = unsafeFunction()`
`67`	`67`	`)`
`68`	`68`	`}`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ module UnsafeDynamicMethodAccess {`
`19`	`19`	`/**`
`20`	`20`	`* Gets the flow label relevant for this source.`
`21`	`21`	`*/`
`22`		`- DataFlow::FlowLabel getFlowLabel() { result = data() }`
	`22`	`+ DataFlow::FlowLabel getFlowLabel() { result = taint() }`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ module UnvalidatedDynamicMethodCall {`
`40`	`40`	`exists(DataFlow::PropRead read \|`
`41`	`41`	`src = read.getPropertyNameExpr().flow() and`
`42`	`42`	`dst = read and`
`43`		`- (srclabel = data() or srclabel = taint()) and`
	`43`	`+ srclabel.isTaint() and`
`44`	`44`	`(`
`45`	`45`	`dstlabel instanceof MaybeNonFunction`
`46`	`46`	`or`