ensure consistent casing of names

erik-krogh 2022-09-09 10:28:57 +02:00
Родитель 9893650f7c
Коммит 26d8553f6e
230 изменённых файлов: 702 добавлений и 657 удалений


@ -1,2 +1,2 @@
private import SSAConstruction as SSA
import SSA::SsaConsistency
private import SSAConstruction as Ssa
import Ssa::SsaConsistency


@ -1135,7 +1135,7 @@ deprecated module SSAConsistency = SsaConsistency;
* These predicates are all just aliases for predicates defined in the `Cached` module. This ensures
* that all of SSA construction will be evaluated in the same stage.
*/
module SSA {
module Ssa {
class MemoryLocation = Alias::MemoryLocation;
predicate hasPhiInstruction = Cached::hasPhiInstructionCached/2;
@ -1144,3 +1144,6 @@ module SSA {
predicate hasUnreachedInstruction = Cached::hasUnreachedInstructionCached/1;
}
/** DEPRECATED: Alias for Ssa */
deprecated module SSA = Ssa;


@ -20,24 +20,24 @@ newtype TInstruction =
IRConstruction::Raw::hasInstruction(tag1, tag2)
} or
TUnaliasedSsaPhiInstruction(
TRawInstruction blockStartInstr, UnaliasedSsa::SSA::MemoryLocation memoryLocation
TRawInstruction blockStartInstr, UnaliasedSsa::Ssa::MemoryLocation memoryLocation
) {
UnaliasedSsa::SSA::hasPhiInstruction(blockStartInstr, memoryLocation)
UnaliasedSsa::Ssa::hasPhiInstruction(blockStartInstr, memoryLocation)
} or
TUnaliasedSsaChiInstruction(TRawInstruction primaryInstruction) { none() } or
TUnaliasedSsaUnreachedInstruction(IRFunctionBase irFunc) {
UnaliasedSsa::SSA::hasUnreachedInstruction(irFunc)
UnaliasedSsa::Ssa::hasUnreachedInstruction(irFunc)
} or
TAliasedSsaPhiInstruction(
TRawInstruction blockStartInstr, AliasedSsa::SSA::MemoryLocation memoryLocation
TRawInstruction blockStartInstr, AliasedSsa::Ssa::MemoryLocation memoryLocation
) {
AliasedSsa::SSA::hasPhiInstruction(blockStartInstr, memoryLocation)
AliasedSsa::Ssa::hasPhiInstruction(blockStartInstr, memoryLocation)
} or
TAliasedSsaChiInstruction(TRawInstruction primaryInstruction) {
AliasedSsa::SSA::hasChiInstruction(primaryInstruction)
AliasedSsa::Ssa::hasChiInstruction(primaryInstruction)
} or
TAliasedSsaUnreachedInstruction(IRFunctionBase irFunc) {
AliasedSsa::SSA::hasUnreachedInstruction(irFunc)
AliasedSsa::Ssa::hasUnreachedInstruction(irFunc)
}
/**
@ -50,7 +50,7 @@ module UnaliasedSsaInstructions {
class TPhiInstruction = TUnaliasedSsaPhiInstruction;
TPhiInstruction phiInstruction(
TRawInstruction blockStartInstr, UnaliasedSsa::SSA::MemoryLocation memoryLocation
TRawInstruction blockStartInstr, UnaliasedSsa::Ssa::MemoryLocation memoryLocation
) {
result = TUnaliasedSsaPhiInstruction(blockStartInstr, memoryLocation)
}
@ -83,7 +83,7 @@ module AliasedSsaInstructions {
class TPhiInstruction = TAliasedSsaPhiInstruction or TUnaliasedSsaPhiInstruction;
TPhiInstruction phiInstruction(
TRawInstruction blockStartInstr, AliasedSsa::SSA::MemoryLocation memoryLocation
TRawInstruction blockStartInstr, AliasedSsa::Ssa::MemoryLocation memoryLocation
) {
result = TAliasedSsaPhiInstruction(blockStartInstr, memoryLocation)
}


@ -1,2 +1,2 @@
private import SSAConstruction as SSA
import SSA::SsaConsistency
private import SSAConstruction as Ssa
import Ssa::SsaConsistency


@ -1135,7 +1135,7 @@ deprecated module SSAConsistency = SsaConsistency;
* These predicates are all just aliases for predicates defined in the `Cached` module. This ensures
* that all of SSA construction will be evaluated in the same stage.
*/
module SSA {
module Ssa {
class MemoryLocation = Alias::MemoryLocation;
predicate hasPhiInstruction = Cached::hasPhiInstructionCached/2;
@ -1144,3 +1144,6 @@ module SSA {
predicate hasUnreachedInstruction = Cached::hasUnreachedInstructionCached/1;
}
/** DEPRECATED: Alias for Ssa */
deprecated module SSA = Ssa;


@ -56,7 +56,7 @@ private predicate alwaysNotNullVariableUpdate(VariableUpdate vu) {
/** Holds if expression `expr` always evaluates to non-null. */
private predicate alwaysNotNullExpr(Expr expr) {
expr instanceof Opcodes::Newobj
expr instanceof Opcodes::NewObj
or
expr instanceof Literal and not expr instanceof NullLiteral
or


@ -766,7 +766,7 @@ module Opcodes {
}
/** A `newobj` instruction. */
class Newobj extends Call, @cil_newobj {
class NewObj extends Call, @cil_newobj {
override string getOpcodeName() { result = "newobj" }
override int getPushCount() { result = 1 }
@ -788,6 +788,9 @@ module Opcodes {
}
}
/** DEPRECATED: Alias for NewObj */
deprecated class Newobj = NewObj;
/** An `initobj` instruction. */
class Initobj extends Instruction, @cil_initobj {
override string getOpcodeName() { result = "initobj" }
@ -847,10 +850,13 @@ module Opcodes {
}
/** A `rethrow` instruction. */
class Rethrow extends Throw, @cil_rethrow {
class ReThrow extends Throw, @cil_rethrow {
override string getOpcodeName() { result = "rethrow" }
}
/** DEPRECATED: Alias for ReThrow */
deprecated class Rethrow = ReThrow;
/** A `ldlen` instruction. */
class Ldlen extends UnaryExpr, @cil_ldlen {
override string getOpcodeName() { result = "ldlen" }


@ -6,7 +6,7 @@
private import IRFunctionBase
private import TInstruction
module SSA {
module Ssa {
class MemoryLocation = boolean;
predicate hasPhiInstruction(TRawInstruction blockStartInstr, MemoryLocation memoryLocation) {
@ -17,3 +17,6 @@ module SSA {
predicate hasUnreachedInstruction(IRFunctionBase irFunc) { none() }
}
/** DEPRECATED: Alias for Ssa */
deprecated module SSA = Ssa;


@ -20,24 +20,24 @@ newtype TInstruction =
IRConstruction::Raw::hasInstruction(tag1, tag2)
} or
TUnaliasedSsaPhiInstruction(
TRawInstruction blockStartInstr, UnaliasedSsa::SSA::MemoryLocation memoryLocation
TRawInstruction blockStartInstr, UnaliasedSsa::Ssa::MemoryLocation memoryLocation
) {
UnaliasedSsa::SSA::hasPhiInstruction(blockStartInstr, memoryLocation)
UnaliasedSsa::Ssa::hasPhiInstruction(blockStartInstr, memoryLocation)
} or
TUnaliasedSsaChiInstruction(TRawInstruction primaryInstruction) { none() } or
TUnaliasedSsaUnreachedInstruction(IRFunctionBase irFunc) {
UnaliasedSsa::SSA::hasUnreachedInstruction(irFunc)
UnaliasedSsa::Ssa::hasUnreachedInstruction(irFunc)
} or
TAliasedSsaPhiInstruction(
TRawInstruction blockStartInstr, AliasedSsa::SSA::MemoryLocation memoryLocation
TRawInstruction blockStartInstr, AliasedSsa::Ssa::MemoryLocation memoryLocation
) {
AliasedSsa::SSA::hasPhiInstruction(blockStartInstr, memoryLocation)
AliasedSsa::Ssa::hasPhiInstruction(blockStartInstr, memoryLocation)
} or
TAliasedSsaChiInstruction(TRawInstruction primaryInstruction) {
AliasedSsa::SSA::hasChiInstruction(primaryInstruction)
AliasedSsa::Ssa::hasChiInstruction(primaryInstruction)
} or
TAliasedSsaUnreachedInstruction(IRFunctionBase irFunc) {
AliasedSsa::SSA::hasUnreachedInstruction(irFunc)
AliasedSsa::Ssa::hasUnreachedInstruction(irFunc)
}
/**
@ -50,7 +50,7 @@ module UnaliasedSsaInstructions {
class TPhiInstruction = TUnaliasedSsaPhiInstruction;
TPhiInstruction phiInstruction(
TRawInstruction blockStartInstr, UnaliasedSsa::SSA::MemoryLocation memoryLocation
TRawInstruction blockStartInstr, UnaliasedSsa::Ssa::MemoryLocation memoryLocation
) {
result = TUnaliasedSsaPhiInstruction(blockStartInstr, memoryLocation)
}
@ -83,7 +83,7 @@ module AliasedSsaInstructions {
class TPhiInstruction = TAliasedSsaPhiInstruction or TUnaliasedSsaPhiInstruction;
TPhiInstruction phiInstruction(
TRawInstruction blockStartInstr, AliasedSsa::SSA::MemoryLocation memoryLocation
TRawInstruction blockStartInstr, AliasedSsa::Ssa::MemoryLocation memoryLocation
) {
result = TAliasedSsaPhiInstruction(blockStartInstr, memoryLocation)
}


@ -1,2 +1,2 @@
private import SSAConstruction as SSA
import SSA::SsaConsistency
private import SSAConstruction as Ssa
import Ssa::SsaConsistency


@ -1135,7 +1135,7 @@ deprecated module SSAConsistency = SsaConsistency;
* These predicates are all just aliases for predicates defined in the `Cached` module. This ensures
* that all of SSA construction will be evaluated in the same stage.
*/
module SSA {
module Ssa {
class MemoryLocation = Alias::MemoryLocation;
predicate hasPhiInstruction = Cached::hasPhiInstructionCached/2;
@ -1144,3 +1144,6 @@ module SSA {
predicate hasUnreachedInstruction = Cached::hasUnreachedInstructionCached/1;
}
/** DEPRECATED: Alias for Ssa */
deprecated module SSA = Ssa;


@ -5,7 +5,7 @@
import go
/** Provides classes for modeling HTTP-related APIs. */
module HTTP {
module Http {
/** Provides a class for modeling new HTTP response-writer APIs. */
module ResponseWriter {
/**
@ -191,7 +191,7 @@ module HTTP {
/** Gets a content-type associated with this body. */
string getAContentType() {
exists(HTTP::HeaderWrite hw | hw = this.getResponseWriter().getAHeaderWrite() |
exists(Http::HeaderWrite hw | hw = this.getResponseWriter().getAHeaderWrite() |
hw.getHeaderName() = "content-type" and
result = hw.getHeaderValue()
)
@ -201,7 +201,7 @@ module HTTP {
/** Gets a dataflow node for a content-type associated with this body. */
DataFlow::Node getAContentTypeNode() {
exists(HTTP::HeaderWrite hw | hw = this.getResponseWriter().getAHeaderWrite() |
exists(Http::HeaderWrite hw | hw = this.getResponseWriter().getAHeaderWrite() |
hw.getHeaderName() = "content-type" and
result = hw.getValue()
)
@ -378,3 +378,6 @@ module HTTP {
predicate guardedBy(DataFlow::Node check) { self.guardedBy(check) }
}
}
/** DEPRECATED: Alias for Http */
deprecated module HTTP = Http;


@ -114,7 +114,7 @@ module Beego {
}
}
private class BeegoOutputInstance extends HTTP::ResponseWriter::Range {
private class BeegoOutputInstance extends Http::ResponseWriter::Range {
SsaWithFields v;
BeegoOutputInstance() {
@ -131,7 +131,7 @@ module Beego {
}
}
private class BeegoHeaderWrite extends HTTP::HeaderWrite::Range, DataFlow::MethodCallNode {
private class BeegoHeaderWrite extends Http::HeaderWrite::Range, DataFlow::MethodCallNode {
string methodName;
BeegoHeaderWrite() {
@ -142,7 +142,7 @@ module Beego {
override DataFlow::Node getName() { methodName = "Header" and result = this.getArgument(0) }
override string getHeaderName() {
result = HTTP::HeaderWrite::Range.super.getHeaderName()
result = Http::HeaderWrite::Range.super.getHeaderName()
or
methodName = "ContentType" and result = "content-type"
}
@ -153,12 +153,12 @@ module Beego {
else result = this.getArgument(1)
}
override HTTP::ResponseWriter getResponseWriter() {
override Http::ResponseWriter getResponseWriter() {
result.(BeegoOutputInstance).getAHeaderObject() = this
}
}
private class BeegoResponseBody extends HTTP::ResponseBody::Range {
private class BeegoResponseBody extends Http::ResponseBody::Range {
DataFlow::MethodCallNode call;
string methodName;
@ -170,7 +170,7 @@ module Beego {
methodName in ["Body", "JSON", "JSONP", "ServeFormatted", "XML", "YAML"]
}
override HTTP::ResponseWriter getResponseWriter() { result.getANode() = call.getReceiver() }
override Http::ResponseWriter getResponseWriter() { result.getANode() = call.getReceiver() }
override string getAContentType() {
// Super-method provides content-types for `Body`, which requires us to search
@ -192,7 +192,7 @@ module Beego {
}
}
private class ControllerResponseBody extends HTTP::ResponseBody::Range {
private class ControllerResponseBody extends Http::ResponseBody::Range {
string name;
ControllerResponseBody() {
@ -203,7 +203,7 @@ module Beego {
)
}
override HTTP::ResponseWriter getResponseWriter() { none() }
override Http::ResponseWriter getResponseWriter() { none() }
override string getAContentType() {
// Actually SetData can serve JSON, XML or YAML depending on the incoming
@ -213,7 +213,7 @@ module Beego {
}
}
private class ContextResponseBody extends HTTP::ResponseBody::Range {
private class ContextResponseBody extends Http::ResponseBody::Range {
string name;
ContextResponseBody() {
@ -224,7 +224,7 @@ module Beego {
)
}
override HTTP::ResponseWriter getResponseWriter() { none() }
override Http::ResponseWriter getResponseWriter() { none() }
// Neither method is likely to be used with well-typed data such as JSON output,
// because there are better methods to do this. Assume the Content-Type could
@ -314,7 +314,7 @@ module Beego {
}
}
private class RedirectMethods extends HTTP::Redirect::Range, DataFlow::CallNode {
private class RedirectMethods extends Http::Redirect::Range, DataFlow::CallNode {
string package;
string className;
@ -333,7 +333,7 @@ module Beego {
className = "Context" and result = this.getArgument(1)
}
override HTTP::ResponseWriter getResponseWriter() { none() }
override Http::ResponseWriter getResponseWriter() { none() }
}
private class UtilsTaintPropagators extends TaintTracking::FunctionModel {


@ -29,7 +29,7 @@ private module Echo {
/**
* Data from a `Context` interface method that is not generally exploitable for open-redirect attacks.
*/
private class EchoContextRedirectUnexploitableSource extends HTTP::Redirect::UnexploitableSource {
private class EchoContextRedirectUnexploitableSource extends Http::Redirect::UnexploitableSource {
EchoContextRedirectUnexploitableSource() {
exists(DataFlow::MethodCallNode call, string methodName |
methodName = ["FormValue", "FormParams", "FormFile", "MultipartForm", "Cookie", "Cookies"] and
@ -77,14 +77,14 @@ private module Echo {
/**
* `echo.Context` methods which set the content-type to `text/html` and write a result in one operation.
*/
private class EchoHtmlOutputs extends HTTP::ResponseBody::Range {
private class EchoHtmlOutputs extends Http::ResponseBody::Range {
EchoHtmlOutputs() {
exists(Method m | m.hasQualifiedName(packagePath(), "Context", ["HTML", "HTMLBlob"]) |
this = m.getACall().getArgument(1)
)
}
override HTTP::ResponseWriter getResponseWriter() { none() }
override Http::ResponseWriter getResponseWriter() { none() }
override string getAContentType() { result = "text/html" }
}
@ -92,7 +92,7 @@ private module Echo {
/**
* `echo.Context` methods which take a content-type as a parameter.
*/
private class EchoParameterizedOutputs extends HTTP::ResponseBody::Range {
private class EchoParameterizedOutputs extends Http::ResponseBody::Range {
DataFlow::CallNode callNode;
EchoParameterizedOutputs() {
@ -101,7 +101,7 @@ private module Echo {
)
}
override HTTP::ResponseWriter getResponseWriter() { none() }
override Http::ResponseWriter getResponseWriter() { none() }
override DataFlow::Node getAContentTypeNode() { result = callNode.getArgument(1) }
}
@ -109,7 +109,7 @@ private module Echo {
/**
* The `echo.Context.Redirect` method.
*/
private class EchoRedirectMethod extends HTTP::Redirect::Range, DataFlow::CallNode {
private class EchoRedirectMethod extends Http::Redirect::Range, DataFlow::CallNode {
EchoRedirectMethod() {
exists(Method m | m.hasQualifiedName(packagePath(), "Context", "Redirect") |
this = m.getACall()
@ -118,6 +118,6 @@ private module Echo {
override DataFlow::Node getUrl() { result = this.getArgument(1) }
override HTTP::ResponseWriter getResponseWriter() { none() }
override Http::ResponseWriter getResponseWriter() { none() }
}
}


@ -11,7 +11,7 @@ module ElazarlGoproxy {
/** Gets the package name. */
string packagePath() { result = package("github.com/elazarl/goproxy", "") }
private class NewResponse extends HTTP::HeaderWrite::Range, DataFlow::CallNode {
private class NewResponse extends Http::HeaderWrite::Range, DataFlow::CallNode {
NewResponse() { this.getTarget().hasQualifiedName(packagePath(), "NewResponse") }
override string getHeaderName() { this.definesHeader(result, _) }
@ -28,21 +28,21 @@ module ElazarlGoproxy {
header = "content-type" and value = this.getArgument(1).getStringValue()
}
override HTTP::ResponseWriter getResponseWriter() { none() }
override Http::ResponseWriter getResponseWriter() { none() }
}
/** A body argument to a `NewResponse` call. */
private class NewResponseBody extends HTTP::ResponseBody::Range {
private class NewResponseBody extends Http::ResponseBody::Range {
NewResponse call;
NewResponseBody() { this = call.getArgument(3) }
override DataFlow::Node getAContentTypeNode() { result = call.getArgument(1) }
override HTTP::ResponseWriter getResponseWriter() { none() }
override Http::ResponseWriter getResponseWriter() { none() }
}
private class TextResponse extends HTTP::HeaderWrite::Range, DataFlow::CallNode {
private class TextResponse extends Http::HeaderWrite::Range, DataFlow::CallNode {
TextResponse() { this.getTarget().hasQualifiedName(packagePath(), "TextResponse") }
override string getHeaderName() { this.definesHeader(result, _) }
@ -59,22 +59,22 @@ module ElazarlGoproxy {
header = "content-type" and value = "text/plain"
}
override HTTP::ResponseWriter getResponseWriter() { none() }
override Http::ResponseWriter getResponseWriter() { none() }
}
/** A body argument to a `TextResponse` call. */
private class TextResponseBody extends HTTP::ResponseBody::Range, TextResponse {
private class TextResponseBody extends Http::ResponseBody::Range, TextResponse {
TextResponse call;
TextResponseBody() { this = call.getArgument(2) }
override DataFlow::Node getAContentTypeNode() { result = call.getArgument(1) }
override HTTP::ResponseWriter getResponseWriter() { none() }
override Http::ResponseWriter getResponseWriter() { none() }
}
/** A handler attached to a goproxy proxy type. */
private class ProxyHandler extends HTTP::RequestHandler::Range {
private class ProxyHandler extends Http::RequestHandler::Range {
DataFlow::MethodCallNode handlerReg;
ProxyHandler() {


@ -5,7 +5,7 @@
import go
private module Macaron {
private class Context extends HTTP::ResponseWriter::Range {
private class Context extends Http::ResponseWriter::Range {
SsaWithFields v;
Context() {
@ -18,13 +18,13 @@ private module Macaron {
override DataFlow::Node getANode() { result = v.similar().getAUse().getASuccessor*() }
}
private class RedirectCall extends HTTP::Redirect::Range, DataFlow::MethodCallNode {
private class RedirectCall extends Http::Redirect::Range, DataFlow::MethodCallNode {
RedirectCall() {
this.getTarget().hasQualifiedName("gopkg.in/macaron.v1", "Context", "Redirect")
}
override DataFlow::Node getUrl() { result = this.getArgument(0) }
override HTTP::ResponseWriter getResponseWriter() { result.getANode() = this.getReceiver() }
override Http::ResponseWriter getResponseWriter() { result.getANode() = this.getReceiver() }
}
}


@ -114,7 +114,7 @@ module Revel {
* We look particularly for html file extensions, since these are the only ones we currently have special rules
* for (in particular, detecting XSS vulnerabilities).
*/
private class ControllerRenderMethods extends HTTP::ResponseBody::Range {
private class ControllerRenderMethods extends Http::ResponseBody::Range {
string contentType;
ControllerRenderMethods() {
@ -149,7 +149,7 @@ module Revel {
)
}
override HTTP::ResponseWriter getResponseWriter() { none() }
override Http::ResponseWriter getResponseWriter() { none() }
override string getAContentType() { result = contentType }
}
@ -174,7 +174,7 @@ module Revel {
* It is currently assumed that a tainted `value` in `Redirect(url, value)`, which calls `Sprintf(url, value)`
* internally, cannot lead to an open redirect vulnerability.
*/
private class ControllerRedirectMethod extends HTTP::Redirect::Range, DataFlow::CallNode {
private class ControllerRedirectMethod extends Http::Redirect::Range, DataFlow::CallNode {
ControllerRedirectMethod() {
exists(Method m | m.hasQualifiedName(packagePath(), "Controller", "Redirect") |
this = m.getACall()
@ -183,7 +183,7 @@ module Revel {
override DataFlow::Node getUrl() { result = this.getArgument(0) }
override HTTP::ResponseWriter getResponseWriter() { none() }
override Http::ResponseWriter getResponseWriter() { none() }
}
/**
@ -226,7 +226,7 @@ module Revel {
/**
* A write to a template argument field that is read raw inside of a template.
*/
private class RawTemplateArgument extends HTTP::TemplateResponseBody::Range {
private class RawTemplateArgument extends Http::TemplateResponseBody::Range {
RawTemplateRead read;
RawTemplateArgument() {
@ -261,7 +261,7 @@ module Revel {
override string getAContentType() { result = "text/html" }
override HTTP::ResponseWriter getResponseWriter() { none() }
override Http::ResponseWriter getResponseWriter() { none() }
override HtmlTemplate::TemplateRead getRead() { result = read }
}


@ -128,7 +128,7 @@ module IntegerParser {
}
/** Provides models of commonly used functions in the `net/url` package. */
module URL {
module Url {
/** The `PathEscape` or `QueryEscape` function. */
class Escaper extends TaintTracking::FunctionModel {
Escaper() {
@ -263,3 +263,6 @@ module URL {
}
}
}
/** DEPRECATED: Alias for Url */
deprecated module URL = Url;


@ -35,7 +35,7 @@ module NetHttp {
}
/** The declaration of a variable which either is or has a field that implements the http.ResponseWriter type */
private class StdlibResponseWriter extends HTTP::ResponseWriter::Range {
private class StdlibResponseWriter extends Http::ResponseWriter::Range {
SsaWithFields v;
StdlibResponseWriter() {
@ -52,7 +52,7 @@ module NetHttp {
}
}
private class HeaderWriteCall extends HTTP::HeaderWrite::Range, DataFlow::MethodCallNode {
private class HeaderWriteCall extends Http::HeaderWrite::Range, DataFlow::MethodCallNode {
HeaderWriteCall() {
this.getTarget().hasQualifiedName("net/http", "Header", "Add") or
this.getTarget().hasQualifiedName("net/http", "Header", "Set")
@ -62,7 +62,7 @@ module NetHttp {
override DataFlow::Node getValue() { result = this.getArgument(1) }
override HTTP::ResponseWriter getResponseWriter() {
override Http::ResponseWriter getResponseWriter() {
// find `v` in
// ```
// header := v.Header()
@ -72,7 +72,7 @@ module NetHttp {
}
}
private class MapWrite extends HTTP::HeaderWrite::Range, DataFlow::Node {
private class MapWrite extends Http::HeaderWrite::Range, DataFlow::Node {
Write write;
DataFlow::Node index;
DataFlow::Node rhs;
@ -86,7 +86,7 @@ module NetHttp {
override DataFlow::Node getValue() { result = rhs }
override HTTP::ResponseWriter getResponseWriter() {
override Http::ResponseWriter getResponseWriter() {
// find `v` in
// ```
// header := v.Header()
@ -96,7 +96,7 @@ module NetHttp {
}
}
private class ResponseWriteHeaderCall extends HTTP::HeaderWrite::Range, DataFlow::MethodCallNode {
private class ResponseWriteHeaderCall extends Http::HeaderWrite::Range, DataFlow::MethodCallNode {
ResponseWriteHeaderCall() {
this.getTarget().implements("net/http", "ResponseWriter", "WriteHeader")
}
@ -107,10 +107,10 @@ module NetHttp {
override DataFlow::Node getValue() { result = this.getArgument(0) }
override HTTP::ResponseWriter getResponseWriter() { result.getANode() = this.getReceiver() }
override Http::ResponseWriter getResponseWriter() { result.getANode() = this.getReceiver() }
}
private class ResponseErrorCall extends HTTP::HeaderWrite::Range, DataFlow::CallNode {
private class ResponseErrorCall extends Http::HeaderWrite::Range, DataFlow::CallNode {
ResponseErrorCall() { this.getTarget().hasQualifiedName("net/http", "Error") }
override string getHeaderName() { result = "status" }
@ -119,10 +119,10 @@ module NetHttp {
override DataFlow::Node getValue() { result = this.getArgument(2) }
override HTTP::ResponseWriter getResponseWriter() { result.getANode() = this.getArgument(0) }
override Http::ResponseWriter getResponseWriter() { result.getANode() = this.getArgument(0) }
}
private class RequestBody extends HTTP::RequestBody::Range, DataFlow::ExprNode {
private class RequestBody extends Http::RequestBody::Range, DataFlow::ExprNode {
RequestBody() {
exists(Function newRequest |
newRequest.hasQualifiedName("net/http", "NewRequest") and
@ -137,7 +137,7 @@ module NetHttp {
}
}
private class ResponseBody extends HTTP::ResponseBody::Range, DataFlow::ArgumentNode {
private class ResponseBody extends Http::ResponseBody::Range, DataFlow::ArgumentNode {
DataFlow::Node responseWriter;
ResponseBody() {
@ -156,19 +156,19 @@ module NetHttp {
)
}
override HTTP::ResponseWriter getResponseWriter() { result.getANode() = responseWriter }
override Http::ResponseWriter getResponseWriter() { result.getANode() = responseWriter }
}
private class RedirectCall extends HTTP::Redirect::Range, DataFlow::CallNode {
private class RedirectCall extends Http::Redirect::Range, DataFlow::CallNode {
RedirectCall() { this.getTarget().hasQualifiedName("net/http", "Redirect") }
override DataFlow::Node getUrl() { result = this.getArgument(2) }
override HTTP::ResponseWriter getResponseWriter() { result.getANode() = this.getArgument(0) }
override Http::ResponseWriter getResponseWriter() { result.getANode() = this.getArgument(0) }
}
/** A call to a function in the `net/http` package that performs an HTTP request to a URL. */
private class RequestCall extends HTTP::ClientRequest::Range, DataFlow::CallNode {
private class RequestCall extends Http::ClientRequest::Range, DataFlow::CallNode {
RequestCall() {
exists(string functionName |
(
@ -185,7 +185,7 @@ module NetHttp {
}
/** A call to the Client.Do function in the `net/http` package. */
private class ClientDo extends HTTP::ClientRequest::Range, DataFlow::MethodCallNode {
private class ClientDo extends Http::ClientRequest::Range, DataFlow::MethodCallNode {
ClientDo() { this.getTarget().hasQualifiedName("net/http", "Client", "Do") }
override DataFlow::Node getUrl() {
@ -212,7 +212,7 @@ module NetHttp {
}
/** A call to the `Transport.RoundTrip` function in the `net/http` package. */
private class TransportRoundTrip extends HTTP::ClientRequest::Range, DataFlow::MethodCallNode {
private class TransportRoundTrip extends Http::ClientRequest::Range, DataFlow::MethodCallNode {
TransportRoundTrip() { this.getTarget().hasQualifiedName("net/http", "Transport", "RoundTrip") }
override DataFlow::Node getUrl() {
@ -239,7 +239,7 @@ module NetHttp {
}
/** Fields and methods of `net/http.Request` that are not generally exploitable in an open-redirect attack. */
private class RedirectUnexploitableRequestFields extends HTTP::Redirect::UnexploitableSource {
private class RedirectUnexploitableRequestFields extends Http::Redirect::UnexploitableSource {
RedirectUnexploitableRequestFields() {
exists(Field f, string fieldName |
f.hasQualifiedName("net/http", "Request", fieldName) and
@ -257,7 +257,7 @@ module NetHttp {
}
}
private class Handler extends HTTP::RequestHandler::Range {
private class Handler extends Http::RequestHandler::Range {
DataFlow::CallNode handlerReg;
Handler() {


@ -56,7 +56,7 @@ module OpenUrlRedirect {
UntrustedFlowAsSource() {
// exclude some fields and methods of URLs that are generally not attacker-controllable for
// open redirect exploits
not this instanceof HTTP::Redirect::UnexploitableSource
not this instanceof Http::Redirect::UnexploitableSource
}
}
@ -64,7 +64,7 @@ module OpenUrlRedirect {
* An HTTP redirect, considered as a sink for `Configuration`.
*/
class RedirectSink extends Sink, DataFlow::Node {
RedirectSink() { this = any(HTTP::Redirect redir).getUrl() }
RedirectSink() { this = any(Http::Redirect redir).getUrl() }
}
/**
@ -73,7 +73,7 @@ module OpenUrlRedirect {
*/
class LocationHeaderSink extends Sink, DataFlow::Node {
LocationHeaderSink() {
exists(HTTP::HeaderWrite hw | hw.getHeaderName() = "location" | this = hw.getValue())
exists(Http::HeaderWrite hw | hw.getHeaderName() = "location" | this = hw.getValue())
}
}


@ -48,7 +48,7 @@ module RequestForgery {
* The URL of an HTTP request, viewed as a sink for request forgery.
*/
private class ClientRequestUrlAsSink extends Sink {
HTTP::ClientRequest request;
Http::ClientRequest request;
ClientRequestUrlAsSink() { this = request.getUrl() }


@ -27,7 +27,7 @@ module SafeUrlFlow {
/**
* A method on a `net/url.URL` that is considered unsafe to use.
*/
private class UnsafeUrlMethod extends URL::UrlGetter {
private class UnsafeUrlMethod extends Url::UrlGetter {
UnsafeUrlMethod() { this.getName() = "Query" }
}


@ -46,14 +46,14 @@ module SharedXss {
* a content type that does not (case-insensitively) contain the string "html". This
* is to prevent us from flagging plain-text or JSON responses as vulnerable.
*/
class HttpResponseBodySink extends Sink, HTTP::ResponseBody {
class HttpResponseBodySink extends Sink, Http::ResponseBody {
HttpResponseBodySink() { not nonHtmlContentType(this) }
}
/**
* An expression that is rendered as part of a template.
*/
class RawTemplateInstantiationSink extends HttpResponseBodySink, HTTP::TemplateResponseBody {
class RawTemplateInstantiationSink extends HttpResponseBodySink, Http::TemplateResponseBody {
override string getSinkKind() { result = "rawtemplate" }
override Locatable getAssociatedLoc() { result = this.getRead().getEnclosingTextNode() }
@ -62,7 +62,7 @@ module SharedXss {
/**
* Holds if `body` may send a response with a content type other than HTML.
*/
private predicate nonHtmlContentType(HTTP::ResponseBody body) {
private predicate nonHtmlContentType(Http::ResponseBody body) {
not htmlTypeSpecified(body) and
(
exists(body.getAContentType())
@ -90,7 +90,7 @@ module SharedXss {
/**
* Holds if `body` specifies the response's content type to be HTML.
*/
private predicate htmlTypeSpecified(HTTP::ResponseBody body) {
private predicate htmlTypeSpecified(Http::ResponseBody body) {
body.getAContentType().regexpMatch("(?i).*html.*")
}


@ -33,7 +33,7 @@ predicate isIncompleteHostNameRegexpPattern(string pattern, string hostPart) {
/** Holds if `b` sets the HTTP status code (represented by a pseudo-header named `status`) */
predicate writesHttpError(ReachableBasicBlock b) {
forex(HTTP::HeaderWrite hw |
forex(Http::HeaderWrite hw |
hw.getHeaderName() = "status" and hw.asInstruction().getBasicBlock() = b
|
exists(string code | code.matches("4__") or code.matches("5__") |
@ -65,7 +65,7 @@ DataFlow::Node getASafeHandler() {
}
/** Holds if `regexp` is used in a check before `handler` is called. */
predicate regexpGuardsHandler(RegexpPattern regexp, HTTP::RequestHandler handler) {
predicate regexpGuardsHandler(RegexpPattern regexp, Http::RequestHandler handler) {
handler.guardedBy(DataFlow::exprNode(regexp.getAUse().asExpr().getParent*()))
}
@ -99,7 +99,7 @@ class Config extends DataFlow::Configuration {
override predicate isSink(DataFlow::Node sink) {
sink instanceof RegexpPattern and
forall(HTTP::RequestHandler handler | regexpGuardsHandler(sink, handler) |
forall(Http::RequestHandler handler | regexpGuardsHandler(sink, handler) |
not handler = getASafeHandler()
) and
not regexpGuardsError(sink)


@ -60,7 +60,7 @@ class StackTraceExposureConfig extends TaintTracking::Configuration {
node = any(DebugStackFunction f).getACall().getResult()
}
override predicate isSink(DataFlow::Node node) { node instanceof HTTP::ResponseBody }
override predicate isSink(DataFlow::Node node) { node instanceof Http::ResponseBody }
override predicate isSanitizer(DataFlow::Node node) {
// Sanitise everything controlled by an is-debug-mode check.


@ -74,7 +74,7 @@ module ServerSideRequestForgery {
* The URL of an HTTP request, viewed as a sink for request forgery.
*/
private class ClientRequestUrlAsSink extends Sink {
HTTP::ClientRequest request;
Http::ClientRequest request;
ClientRequestUrlAsSink() { this = request.getUrl() }


@ -41,14 +41,14 @@ string headerAllowCredentials() { result = "Access-Control-Allow-Credentials".to
/**
* An `Access-Control-Allow-Origin` header write.
*/
class AllowOriginHeaderWrite extends HTTP::HeaderWrite {
class AllowOriginHeaderWrite extends Http::HeaderWrite {
AllowOriginHeaderWrite() { this.getHeaderName() = headerAllowOrigin() }
}
/**
* An `Access-Control-Allow-Credentials` header write.
*/
class AllowCredentialsHeaderWrite extends HTTP::HeaderWrite {
class AllowCredentialsHeaderWrite extends Http::HeaderWrite {
AllowCredentialsHeaderWrite() { this.getHeaderName() = headerAllowCredentials() }
}


@ -174,7 +174,7 @@ private module CleverGo {
/**
* Models HTTP redirects.
*/
private class HttpRedirect extends HTTP::Redirect::Range, DataFlow::CallNode {
private class HttpRedirect extends Http::Redirect::Range, DataFlow::CallNode {
string package;
DataFlow::Node urlNode;
@ -191,13 +191,13 @@ private module CleverGo {
override DataFlow::Node getUrl() { result = urlNode }
override HTTP::ResponseWriter getResponseWriter() { result.getANode() = this.getReceiver() }
override Http::ResponseWriter getResponseWriter() { result.getANode() = this.getReceiver() }
}
/**
* Models HTTP ResponseBody where the content-type is static and non-modifiable.
*/
private class HttpResponseBodyStaticContentType extends HTTP::ResponseBody::Range {
private class HttpResponseBodyStaticContentType extends Http::ResponseBody::Range {
string contentTypeString;
DataFlow::Node receiverNode;
@ -209,7 +209,7 @@ private module CleverGo {
override string getAContentType() { result = contentTypeString }
override HTTP::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
override Http::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
}
// Holds for a call that sets the body; the content-type is implicitly set.
@ -304,7 +304,7 @@ private module CleverGo {
/**
* Models HTTP ResponseBody where the content-type can be dynamically set by the caller.
*/
private class HttpResponseBodyDynamicContentType extends HTTP::ResponseBody::Range {
private class HttpResponseBodyDynamicContentType extends Http::ResponseBody::Range {
DataFlow::Node contentTypeNode;
DataFlow::Node receiverNode;
@ -316,7 +316,7 @@ private module CleverGo {
override DataFlow::Node getAContentTypeNode() { result = contentTypeNode }
override HTTP::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
override Http::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
}
// Holds for a call that sets the body; the content-type is a parameter.
@ -352,7 +352,7 @@ private module CleverGo {
/**
* Models HTTP ResponseBody where only the body is set.
*/
private class HttpResponseBodyNoContentType extends HTTP::ResponseBody::Range {
private class HttpResponseBodyNoContentType extends Http::ResponseBody::Range {
DataFlow::Node receiverNode;
HttpResponseBodyNoContentType() {
@ -361,7 +361,7 @@ private module CleverGo {
)
}
override HTTP::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
override Http::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
}
// Holds for a call that sets the body. The content-type is not defined.
@ -394,7 +394,7 @@ private module CleverGo {
* Models HTTP header writers.
* The write is done with a call where you can set both the key and the value of the header.
*/
private class HeaderWrite extends HTTP::HeaderWrite::Range, DataFlow::CallNode {
private class HeaderWrite extends Http::HeaderWrite::Range, DataFlow::CallNode {
DataFlow::Node receiverNode;
DataFlow::Node headerNameNode;
DataFlow::Node headerValueNode;
@ -407,7 +407,7 @@ private module CleverGo {
override DataFlow::Node getValue() { result = headerValueNode }
override HTTP::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
override Http::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
}
// Holds for a call that sets a header with a key-value combination.
@ -437,7 +437,7 @@ private module CleverGo {
/**
* Models an HTTP static content-type header setter.
*/
private class StaticContentTypeHeaderSetter extends HTTP::HeaderWrite::Range, DataFlow::CallNode {
private class StaticContentTypeHeaderSetter extends Http::HeaderWrite::Range, DataFlow::CallNode {
DataFlow::Node receiverNode;
string valueString;
@ -453,7 +453,7 @@ private module CleverGo {
override DataFlow::Node getValue() { none() }
override HTTP::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
override Http::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
}
// Holds for a call that sets the content-type header (implicit).
@ -494,7 +494,7 @@ private module CleverGo {
/**
* Models an HTTP dynamic content-type header setter.
*/
private class DynamicContentTypeHeaderSetter extends HTTP::HeaderWrite::Range, DataFlow::CallNode {
private class DynamicContentTypeHeaderSetter extends Http::HeaderWrite::Range, DataFlow::CallNode {
DataFlow::Node receiverNode;
DataFlow::Node valueNode;
@ -508,7 +508,7 @@ private module CleverGo {
override DataFlow::Node getValue() { result = valueNode }
override HTTP::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
override Http::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
}
// Holds for a call that sets the content-type header via a parameter.


@ -129,7 +129,7 @@ private module Fiber {
/**
* Models HTTP redirects.
*/
private class Redirect extends HTTP::Redirect::Range, DataFlow::CallNode {
private class Redirect extends Http::Redirect::Range, DataFlow::CallNode {
string package;
DataFlow::Node urlNode;
@ -146,14 +146,14 @@ private module Fiber {
override DataFlow::Node getUrl() { result = urlNode }
override HTTP::ResponseWriter getResponseWriter() { result.getANode() = this.getReceiver() }
override Http::ResponseWriter getResponseWriter() { result.getANode() = this.getReceiver() }
}
/**
* Models HTTP header writers.
* The write is done with a call where you can set both the key and the value of the header.
*/
private class HeaderWrite extends HTTP::HeaderWrite::Range, DataFlow::CallNode {
private class HeaderWrite extends Http::HeaderWrite::Range, DataFlow::CallNode {
DataFlow::Node receiverNode;
DataFlow::Node headerNameNode;
DataFlow::Node headerValueNode;
@ -166,7 +166,7 @@ private module Fiber {
override DataFlow::Node getValue() { result = headerValueNode }
override HTTP::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
override Http::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
}
// Holds for a call that sets a header with a key-value combination.
@ -201,7 +201,7 @@ private module Fiber {
/**
* Models HTTP ResponseBody where the content-type is static and non-modifiable.
*/
private class ResponseBodyStaticContentType extends HTTP::ResponseBody::Range {
private class ResponseBodyStaticContentType extends Http::ResponseBody::Range {
string contentTypeString;
DataFlow::Node receiverNode;
@ -213,7 +213,7 @@ private module Fiber {
override string getAContentType() { result = contentTypeString }
override HTTP::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
override Http::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
}
// Holds for a call that sets the body; the content-type is implicitly set.
@ -248,7 +248,7 @@ private module Fiber {
/**
* Models HTTP ResponseBody where only the body is set.
*/
private class ResponseBodyNoContentType extends HTTP::ResponseBody::Range {
private class ResponseBodyNoContentType extends Http::ResponseBody::Range {
DataFlow::Node receiverNode;
ResponseBodyNoContentType() {
@ -257,7 +257,7 @@ private module Fiber {
)
}
override HTTP::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
override Http::ResponseWriter getResponseWriter() { result.getANode() = receiverNode }
}
// Holds for a call that sets the body. The content-type is not defined.


@ -11,7 +11,7 @@ class HttpHeaderWriteTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
// Dynamic key-value header:
exists(HTTP::HeaderWrite hw |
exists(Http::HeaderWrite hw |
hw.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
(
@ -26,7 +26,7 @@ class HttpHeaderWriteTest extends InlineExpectationsTest {
)
or
// Static key, dynamic value header:
exists(HTTP::HeaderWrite hw |
exists(Http::HeaderWrite hw |
hw.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
(
@ -41,7 +41,7 @@ class HttpHeaderWriteTest extends InlineExpectationsTest {
)
or
// Static key, static value header:
exists(HTTP::HeaderWrite hw |
exists(Http::HeaderWrite hw |
hw.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
(


@ -9,7 +9,7 @@ class HttpRedirectTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "redirectUrl" and
exists(HTTP::Redirect rd |
exists(Http::Redirect rd |
rd.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
element = rd.getUrl().toString() and


@ -8,7 +8,7 @@ class HttpResponseBodyTest extends InlineExpectationsTest {
override string getARelevantTag() { result = ["contentType", "responseBody"] }
override predicate hasActualResult(Location location, string element, string tag, string value) {
exists(HTTP::ResponseBody rd |
exists(Http::ResponseBody rd |
rd.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
(


@ -11,7 +11,7 @@ class HttpHeaderWriteTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
// Dynamic key-value header:
exists(HTTP::HeaderWrite hw |
exists(Http::HeaderWrite hw |
hw.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
(
@ -26,7 +26,7 @@ class HttpHeaderWriteTest extends InlineExpectationsTest {
)
or
// Static key, dynamic value header:
exists(HTTP::HeaderWrite hw |
exists(Http::HeaderWrite hw |
hw.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
(
@ -41,7 +41,7 @@ class HttpHeaderWriteTest extends InlineExpectationsTest {
)
or
// Static key, static value header:
exists(HTTP::HeaderWrite hw |
exists(Http::HeaderWrite hw |
hw.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
(


@ -9,7 +9,7 @@ class HttpRedirectTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "redirectUrl" and
exists(HTTP::Redirect rd |
exists(Http::Redirect rd |
rd.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
element = rd.getUrl().toString() and


@ -8,7 +8,7 @@ class HttpResponseBodyTest extends InlineExpectationsTest {
override string getARelevantTag() { result = ["contentType", "responseBody"] }
override predicate hasActualResult(Location location, string element, string tag, string value) {
exists(HTTP::ResponseBody rd |
exists(Http::ResponseBody rd |
rd.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
(


@ -8,7 +8,7 @@ class HttpHandler extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "handler" and
exists(HTTP::RequestHandler h, DataFlow::Node check |
exists(Http::RequestHandler h, DataFlow::Node check |
element = h.toString() and value = check.toString()
|
h.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),


@ -1,6 +1,6 @@
import go
from HTTP::HeaderWrite headerWrite, string name, string value, string definedName, string definedVal
from Http::HeaderWrite headerWrite, string name, string value, string definedName, string definedVal
where
(
name = headerWrite.getName().toString()


@ -1,4 +1,4 @@
import go
from HTTP::RequestBody rb
from Http::RequestBody rb
select rb


@ -1,4 +1,4 @@
import go
from HTTP::ResponseBody rb
from Http::ResponseBody rb
select rb


@ -23,7 +23,7 @@ class HeaderWriteTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "headerwrite" and
exists(HTTP::HeaderWrite hw, string name, string val | element = hw.toString() |
exists(Http::HeaderWrite hw, string name, string val | element = hw.toString() |
hw.definesHeader(name, val) and
value = name + ":" + val and
hw.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),


@ -1,4 +1,4 @@
import go
from HTTP::Redirect redir
from Http::Redirect redir
select redir, redir.getResponseWriter()


@ -39,7 +39,7 @@ class HttpResponseBodyTest extends InlineExpectationsTest {
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "responsebody" and
exists(HTTP::ResponseBody rb |
exists(Http::ResponseBody rb |
rb.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
element = rb.toString() and


@ -42,10 +42,10 @@ module SinkEndpointFilter {
result = "modeled database access"
or
// Remove calls to APIs that aren't relevant to NoSQL injection
call.getReceiver() instanceof HTTP::RequestNode and
call.getReceiver() instanceof Http::RequestNode and
result = "receiver is a HTTP request expression"
or
call.getReceiver() instanceof HTTP::ResponseNode and
call.getReceiver() instanceof Http::ResponseNode and
result = "receiver is a HTTP response expression"
)
or


@ -652,7 +652,7 @@ module API {
exports(m, _, _)
or
exists(NodeModule nm | nm = mod |
exists(SSA::implicitInit([nm.getModuleVariable(), nm.getExportsVariable()]))
exists(Ssa::implicitInit([nm.getModuleVariable(), nm.getExportsVariable()]))
)
)
} or


@ -103,7 +103,7 @@ module RangeAnalysis {
* the given increment/decrement expression.
*/
private DataFlow::Node updateExprResult(UpdateExpr expr) {
result = DataFlow::ssaDefinitionNode(SSA::definition(expr))
result = DataFlow::ssaDefinitionNode(Ssa::definition(expr))
or
expr.isPrefix() and
result = expr.flow()
@ -113,7 +113,7 @@ module RangeAnalysis {
* Gets a data flow node holding the result of the given componund assignment.
*/
private DataFlow::Node compoundAssignResult(CompoundAssignExpr expr) {
result = DataFlow::ssaDefinitionNode(SSA::definition(expr))
result = DataFlow::ssaDefinitionNode(Ssa::definition(expr))
or
result = expr.flow()
}


@ -282,7 +282,7 @@ module Routing {
* Gets an HTTP method name which this node will accept, or nothing if the node accepts all HTTP methods, not
* taking into account the context from ancestors or children nodes.
*/
HTTP::RequestMethodName getOwnHttpMethod() { none() } // Overridden in subclass
Http::RequestMethodName getOwnHttpMethod() { none() } // Overridden in subclass
private Node getAUseSiteInRouteSetup() {
if this.getParent() instanceof RouteSetup
@ -383,7 +383,7 @@ module Routing {
* Gets an HTTP request method name (in upper case) matched by this node, or nothing
* if all HTTP request method names are accepted.
*/
HTTP::RequestMethodName getHttpMethod() { none() }
Http::RequestMethodName getHttpMethod() { none() }
}
private class ValueNodeImpl extends Node, MkValueNode {
@ -407,7 +407,7 @@ module Routing {
override string getRelativePath() { result = range.getRelativePath() }
override HTTP::RequestMethodName getOwnHttpMethod() { result = range.getHttpMethod() }
override Http::RequestMethodName getOwnHttpMethod() { result = range.getHttpMethod() }
}
private StepSummary routeStepSummary() {
@ -434,7 +434,7 @@ module Routing {
or
StepSummary::smallstep(result, this, routeStepSummary())
or
HTTP::routeHandlerStep(result, this)
Http::routeHandlerStep(result, this)
or
RouteHandlerTrackingStep::step(result, this)
or
@ -599,7 +599,7 @@ module Routing {
* Gets an HTTP request method name (in upper case) matched by this node, or nothing
* if all HTTP request method names are accepted.
*/
HTTP::RequestMethodName getHttpMethod() { none() }
Http::RequestMethodName getHttpMethod() { none() }
/**
* Holds if this route setup targets `router` and occurs at the given `cfgNode`.
@ -635,7 +635,7 @@ module Routing {
override string getRelativePath() { result = range.getRelativePath() }
override HTTP::RequestMethodName getOwnHttpMethod() { result = range.getHttpMethod() }
override Http::RequestMethodName getOwnHttpMethod() { result = range.getHttpMethod() }
}
/**


@ -737,7 +737,7 @@ class SsaRefinementNode extends SsaPseudoDefinition, TRefinement {
}
}
module SSA {
module Ssa {
/** Gets the SSA definition corresponding to the implicit initialization of `v`. */
SsaImplicitInit implicitInit(SsaSourceVariable v) { result.getSourceVariable() = v }
@ -747,3 +747,6 @@ module SSA {
/** Gets the SSA variable corresponding to `d`. */
SsaVariable variable(VarDef d) { result.getDefinition() = definition(d) }
}
/** DEPRECATED: Alias for Ssa */
deprecated module SSA = Ssa;


@ -770,7 +770,7 @@ private class FlowStepThroughImport extends SharedFlowStep {
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
exists(ImportSpecifier specifier |
pred = DataFlow::valueNode(specifier) and
succ = DataFlow::ssaDefinitionNode(SSA::definition(specifier))
succ = DataFlow::ssaDefinitionNode(Ssa::definition(specifier))
)
}
}
@ -1777,7 +1777,7 @@ class MidPathNode extends PathNode, MkMidNode {
SsaImplicitDefinition
or
// Skip SSA definition of parameter as its location coincides with the parameter node
nd = DataFlow::ssaDefinitionNode(SSA::definition(any(SimpleParameter p)))
nd = DataFlow::ssaDefinitionNode(Ssa::definition(any(SimpleParameter p)))
or
// Skip to the top of big left-leaning string concatenation trees.
nd = any(AddExpr add).flow() and


@ -348,7 +348,7 @@ private class NodeModuleSourcesNodes extends SourceNode::Range {
NodeModuleSourcesNodes() {
exists(NodeModule m |
this = DataFlow::ssaDefinitionNode(SSA::implicitInit(v)) and
this = DataFlow::ssaDefinitionNode(Ssa::implicitInit(v)) and
v = [m.getModuleVariable(), m.getExportsVariable()]
)
}


@ -112,7 +112,7 @@ module ClientRequest {
/**
* Gets the name of an HTTP request method, in all-lowercase.
*/
private string httpMethodName() { result = any(HTTP::RequestMethodName m).toLowerCase() }
private string httpMethodName() { result = any(Http::RequestMethodName m).toLowerCase() }
/**
* Gets a model of an instance of the `request` library, or one of


@ -10,7 +10,7 @@ module Connect {
/**
* An expression that creates a new Connect server.
*/
class ServerDefinition extends HTTP::Servers::StandardServerDefinition, DataFlow::CallNode {
class ServerDefinition extends Http::Servers::StandardServerDefinition, DataFlow::CallNode {
ServerDefinition() {
// `app = connect()`
this = DataFlow::moduleImport("connect").getAnInvocation()
@ -61,7 +61,7 @@ module Connect {
/**
* A call to a Connect method that sets up a route.
*/
class RouteSetup extends DataFlow::MethodCallNode, HTTP::Servers::StandardRouteSetup {
class RouteSetup extends DataFlow::MethodCallNode, Http::Servers::StandardRouteSetup {
ServerDefinition server;
RouteSetup() {
@ -125,7 +125,7 @@ module Connect {
/**
* An access to a user-controlled Connect request input.
*/
private class RequestInputAccess extends HTTP::RequestInputAccess instanceof DataFlow::MethodCallNode {
private class RequestInputAccess extends Http::RequestInputAccess instanceof DataFlow::MethodCallNode {
RequestNode request;
string kind;


@ -115,7 +115,7 @@ module ConnectExpressShared {
*
* For example, this could be the function `function(req, res, next){...}`.
*/
class RouteHandlerCandidate extends HTTP::RouteHandlerCandidate {
class RouteHandlerCandidate extends Http::RouteHandlerCandidate {
RouteHandlerCandidate() {
matchesSignature(this, _) and
not (


@ -368,7 +368,7 @@ private class HttpCookieWrite extends CookieWrites::CookieWrite {
string header;
HttpCookieWrite() {
exists(HTTP::CookieDefinition setCookie |
exists(Http::CookieDefinition setCookie |
this = setCookie.getHeaderArgument() and
not this instanceof DataFlow::ArrayCreationNode
or


@ -70,7 +70,7 @@ module Express {
result = "param" or
result = "all" or
result = "use" or
result = any(HTTP::RequestMethodName m).toLowerCase() or
result = any(Http::RequestMethodName m).toLowerCase() or
// deprecated methods
result = "error" or
result = "del"
@ -92,7 +92,7 @@ module Express {
result = this.getArgument(0).getStringValue()
}
override HTTP::RequestMethodName getHttpMethod() { result.toLowerCase() = this.getMethodName() }
override Http::RequestMethodName getHttpMethod() { result.toLowerCase() = this.getMethodName() }
}
/**
@ -136,7 +136,7 @@ module Express {
/**
* A call to an Express router method that sets up a route.
*/
class RouteSetup extends HTTP::Servers::StandardRouteSetup, DataFlow::MethodCallNode {
class RouteSetup extends Http::Servers::StandardRouteSetup, DataFlow::MethodCallNode {
RouteSetup() {
isRouter(this.getReceiver()) and
this.getMethodName() = routeSetupMethodName()
@ -219,7 +219,7 @@ module Express {
|
result = succ.backtrack(t2, t)
or
HTTP::routeHandlerStep(result, succ) and
Http::routeHandlerStep(result, succ) and
t = t2
)
}
@ -233,7 +233,7 @@ module Express {
*
* Has no result for `use`, `all`, or `param` calls.
*/
HTTP::RequestMethodName getRequestMethod() { result.toLowerCase() = this.getMethodName() }
Http::RequestMethodName getRequestMethod() { result.toLowerCase() = this.getMethodName() }
/**
* Holds if this registers a route for all request methods.
@ -260,7 +260,7 @@ module Express {
/**
* A call that sets up a Passport router that includes the request object.
*/
private class PassportRouteSetup extends HTTP::Servers::StandardRouteSetup, DataFlow::CallNode {
private class PassportRouteSetup extends Http::Servers::StandardRouteSetup, DataFlow::CallNode {
DataFlow::ModuleImportNode importNode;
DataFlow::FunctionNode callback;
@ -285,7 +285,7 @@ module Express {
/**
* The callback given to passport in PassportRouteSetup.
*/
private class PassportRouteHandler extends RouteHandler, HTTP::Servers::StandardRouteHandler,
private class PassportRouteHandler extends RouteHandler, Http::Servers::StandardRouteHandler,
DataFlow::FunctionNode {
PassportRouteHandler() { this = any(PassportRouteSetup setup).getARouteHandler() }
@ -470,7 +470,7 @@ module Express {
* but support for other kinds of route handlers can be added by implementing
* additional subclasses of this class.
*/
abstract class RouteHandler extends HTTP::RouteHandler {
abstract class RouteHandler extends Http::RouteHandler {
/**
* Gets the parameter of kind `kind` of this route handler.
*
@ -501,7 +501,7 @@ module Express {
/**
* An Express route handler installed by a route setup.
*/
class StandardRouteHandler extends RouteHandler, HTTP::Servers::StandardRouteHandler,
class StandardRouteHandler extends RouteHandler, Http::Servers::StandardRouteHandler,
DataFlow::FunctionNode {
RouteSetup routeSetup;
@ -530,7 +530,7 @@ module Express {
}
/** An Express response source. */
abstract class ResponseSource extends HTTP::Servers::ResponseSource { }
abstract class ResponseSource extends Http::Servers::ResponseSource { }
/**
* An Express response source, that is, the response parameter of a
@ -561,7 +561,7 @@ module Express {
}
/** An Express request source. */
abstract class RequestSource extends HTTP::Servers::RequestSource { }
abstract class RequestSource extends Http::Servers::RequestSource { }
/**
* An Express request source, that is, the request parameter of a
@ -632,7 +632,7 @@ module Express {
}
/** The input parameter to an `app.param()` route handler. */
private class ParamHandlerInputAccess extends HTTP::RequestInputAccess {
private class ParamHandlerInputAccess extends Http::RequestInputAccess {
RouteHandler rh;
ParamHandlerInputAccess() {
@ -641,7 +641,7 @@ module Express {
)
}
override HTTP::RouteHandler getRouteHandler() { result = rh }
override Http::RouteHandler getRouteHandler() { result = rh }
override string getKind() { result = "parameter" }
}
@ -675,7 +675,7 @@ module Express {
/**
* An access to a user-controlled Express request input.
*/
class RequestInputAccess extends HTTP::RequestInputAccess {
class RequestInputAccess extends Http::RequestInputAccess {
RequestSource request;
string kind;
@ -733,7 +733,7 @@ module Express {
/**
* An access to a header on an Express request.
*/
private class RequestHeaderAccess extends HTTP::RequestHeaderAccess {
private class RequestHeaderAccess extends Http::RequestHeaderAccess {
RequestSource request;
RequestHeaderAccess() {
@ -762,7 +762,7 @@ module Express {
/**
* HTTP headers created by Express calls
*/
abstract private class ExplicitHeader extends HTTP::ExplicitHeaderDefinition { }
abstract private class ExplicitHeader extends Http::ExplicitHeaderDefinition { }
/**
* Holds if `e` is an HTTP request object.
@ -781,7 +781,7 @@ module Express {
RequestBodyAccess() { any(RouteHandler h).getARequestBodyAccess() = this }
}
abstract private class HeaderDefinition extends HTTP::Servers::StandardHeaderDefinition {
abstract private class HeaderDefinition extends Http::Servers::StandardHeaderDefinition {
HeaderDefinition() { isResponse(this.getReceiver()) }
override RouteHandler getRouteHandler() { this.getReceiver() = result.getAResponseNode() }
@ -790,7 +790,7 @@ module Express {
/**
* An invocation of the `redirect` method of an HTTP response object.
*/
private class RedirectInvocation extends HTTP::RedirectInvocation, DataFlow::MethodCallNode {
private class RedirectInvocation extends Http::RedirectInvocation, DataFlow::MethodCallNode {
ResponseSource response;
RedirectInvocation() { this = response.ref().getAMethodCall("redirect") }
@ -854,7 +854,7 @@ module Express {
/**
* An argument passed to the `send` or `end` method of an HTTP response object.
*/
private class ResponseSendArgument extends HTTP::ResponseSendArgument {
private class ResponseSendArgument extends Http::ResponseSendArgument {
ResponseSource response;
ResponseSendArgument() { this = response.ref().getAMethodCall("send").getArgument(0) }
@ -865,7 +865,7 @@ module Express {
/**
* An invocation of the `cookie` method on an HTTP response object.
*/
class SetCookie extends HTTP::CookieDefinition, DataFlow::MethodCallNode {
class SetCookie extends Http::CookieDefinition, DataFlow::MethodCallNode {
ResponseSource response;
SetCookie() { this = response.ref().getAMethodCall("cookie") }
@ -881,7 +881,7 @@ module Express {
* An expression passed to the `render` method of an HTTP response object
* as the value of a template variable.
*/
private class TemplateInput extends HTTP::ResponseBody {
private class TemplateInput extends Http::ResponseBody {
TemplateObjectInput obj;
TemplateInput() {
@ -913,13 +913,13 @@ module Express {
/**
* An Express server application.
*/
private class Application extends HTTP::ServerDefinition {
private class Application extends Http::ServerDefinition {
Application() { this = appCreation() }
/**
* Gets a route handler of the application, regardless of nesting.
*/
override HTTP::RouteHandler getARouteHandler() {
override Http::RouteHandler getARouteHandler() {
result = this.(RouterDefinition).getASubRouter*().getARouteHandler()
}
}
@ -960,7 +960,7 @@ module Express {
*
* Example: `fun` for `router1.use(fun)` or `router.use("/route", fun)`
*/
HTTP::RouteHandler getARouteHandler() {
Http::RouteHandler getARouteHandler() {
result.(DataFlow::SourceNode).flowsTo(this.getARouteSetup().getAnArgument())
}
@ -1044,7 +1044,7 @@ module Express {
* A function that flows to a route setup.
*/
private class TrackedRouteHandlerCandidateWithSetup extends RouteHandler,
HTTP::Servers::StandardRouteHandler, DataFlow::FunctionNode {
Http::Servers::StandardRouteHandler, DataFlow::FunctionNode {
RouteSetup routeSetup;
TrackedRouteHandlerCandidateWithSetup() { this = routeSetup.getARouteHandler() }
@ -1063,14 +1063,14 @@ module Express {
* `router.post(handler)` where it is unknown if `router` is an
* Express router.
*/
class RouteSetupCandidate extends HTTP::RouteSetupCandidate, DataFlow::MethodCallNode {
class RouteSetupCandidate extends Http::RouteSetupCandidate, DataFlow::MethodCallNode {
DataFlow::ValueNode routeHandlerArg;
RouteSetupCandidate() {
exists(string methodName |
methodName = "all" or
methodName = "use" or
methodName = any(HTTP::RequestMethodName m).toLowerCase()
methodName = any(Http::RequestMethodName m).toLowerCase()
|
this.getMethodName() = methodName and
exists(DataFlow::ValueNode arg | arg = this.getAnArgument() |


@ -18,25 +18,25 @@ module ExpressLibraries {
/**
* A header produced by a route handler of the "x-frame-options" module.
*/
class XFrameOptionsRouteHandlerHeader extends HTTP::ImplicitHeaderDefinition {
class XFrameOptionsRouteHandlerHeader extends Http::ImplicitHeaderDefinition {
XFrameOptionsRouteHandlerHeader() { this instanceof XFrameOptionsRouteHandler }
override predicate defines(string headerName, string headerValue) {
xFrameOptionsDefaultImplicitHeaderDefinition(headerName, headerValue)
}
override HTTP::RouteHandler getRouteHandler() { result = this }
override Http::RouteHandler getRouteHandler() { result = this }
}
/**
* A route handler from the "x-frame-options" module.
*/
class XFrameOptionsRouteHandler extends HTTP::RouteHandler {
class XFrameOptionsRouteHandler extends Http::RouteHandler {
XFrameOptionsRouteHandler() {
this = DataFlow::moduleImport("x-frame-options").getAnInvocation()
}
override HTTP::HeaderDefinition getAResponseHeader(string name) {
override Http::HeaderDefinition getAResponseHeader(string name) {
name = this.(XFrameOptionsRouteHandlerHeader).getAHeaderName() and
result = this
}
@ -45,23 +45,23 @@ module ExpressLibraries {
/**
* A header produced by a route handler of the "frameguard" module.
*/
class FrameGuardRouteHandlerHeader extends HTTP::ImplicitHeaderDefinition {
class FrameGuardRouteHandlerHeader extends Http::ImplicitHeaderDefinition {
FrameGuardRouteHandlerHeader() { this instanceof FrameGuardRouteHandler }
override predicate defines(string headerName, string headerValue) {
xFrameOptionsDefaultImplicitHeaderDefinition(headerName, headerValue)
}
override HTTP::RouteHandler getRouteHandler() { result = this }
override Http::RouteHandler getRouteHandler() { result = this }
}
/**
* A route handler from the "frameguard" module.
*/
class FrameGuardRouteHandler extends HTTP::RouteHandler {
class FrameGuardRouteHandler extends Http::RouteHandler {
FrameGuardRouteHandler() { this = DataFlow::moduleImport("frameguard").getAnInvocation() }
override HTTP::HeaderDefinition getAResponseHeader(string name) {
override Http::HeaderDefinition getAResponseHeader(string name) {
name = this.(FrameGuardRouteHandlerHeader).getAHeaderName() and
result = this
}
@ -70,20 +70,20 @@ module ExpressLibraries {
/**
* A header produced by a route handler of the "helmet" module.
*/
class HelmetRouteHandlerHeader extends HTTP::ImplicitHeaderDefinition {
class HelmetRouteHandlerHeader extends Http::ImplicitHeaderDefinition {
HelmetRouteHandlerHeader() { this instanceof HelmetRouteHandler }
override predicate defines(string headerName, string headerValue) {
xFrameOptionsDefaultImplicitHeaderDefinition(headerName, headerValue)
}
override HTTP::RouteHandler getRouteHandler() { result = this }
override Http::RouteHandler getRouteHandler() { result = this }
}
/**
* A route handler from the "helmet" module.
*/
class HelmetRouteHandler extends HTTP::RouteHandler {
class HelmetRouteHandler extends Http::RouteHandler {
HelmetRouteHandler() {
exists(DataFlow::ModuleImportNode m | "helmet" = m.getPath() |
this = m.getAnInvocation() or
@ -91,7 +91,7 @@ module ExpressLibraries {
)
}
override HTTP::HeaderDefinition getAResponseHeader(string name) {
override Http::HeaderDefinition getAResponseHeader(string name) {
name = this.(HelmetRouteHandlerHeader).getAHeaderName() and
result = this
}
@ -108,7 +108,7 @@ module ExpressLibraries {
/**
* A call that creates an `express-session` middleware instance.
*/
class MiddlewareInstance extends DataFlow::InvokeNode, HTTP::CookieMiddlewareInstance {
class MiddlewareInstance extends DataFlow::InvokeNode, Http::CookieMiddlewareInstance {
MiddlewareInstance() { this = expressSession().getACall() }
/**
@ -135,7 +135,7 @@ module ExpressLibraries {
/**
* A call that creates a `cookie-parser` middleware instance.
*/
class MiddlewareInstance extends DataFlow::InvokeNode, HTTP::CookieMiddlewareInstance {
class MiddlewareInstance extends DataFlow::InvokeNode, Http::CookieMiddlewareInstance {
MiddlewareInstance() { this = cookieParser().getACall() }
/**
@ -164,7 +164,7 @@ module ExpressLibraries {
/**
* A call that creates a `cookie-session` middleware instance.
*/
class MiddlewareInstance extends DataFlow::InvokeNode, HTTP::CookieMiddlewareInstance {
class MiddlewareInstance extends DataFlow::InvokeNode, Http::CookieMiddlewareInstance {
MiddlewareInstance() { this = cookieSession().getACall() }
/**


@ -12,7 +12,7 @@ module Fastify {
/**
* An expression that creates a new Fastify server.
*/
abstract class ServerDefinition extends HTTP::Servers::StandardServerDefinition { }
abstract class ServerDefinition extends Http::Servers::StandardServerDefinition { }
/**
* A standard way to create a Fastify server.
@ -76,7 +76,7 @@ module Fastify {
* but support for other kinds of route handlers can be added by implementing
* additional subclasses of this class.
*/
abstract class RouteHandler extends HTTP::Servers::StandardRouteHandler, DataFlow::ValueNode {
abstract class RouteHandler extends Http::Servers::StandardRouteHandler, DataFlow::ValueNode {
/**
* Gets the parameter of the route handler that contains the request object.
*/
@ -103,7 +103,7 @@ module Fastify {
* A Fastify reply source, that is, the `reply` parameter of a
* route handler.
*/
private class ReplySource extends HTTP::Servers::ResponseSource {
private class ReplySource extends Http::Servers::ResponseSource {
RouteHandler rh;
ReplySource() { this = rh.getReplyParameter() }
@ -118,7 +118,7 @@ module Fastify {
* A Fastify request source, that is, the request parameter of a
* route handler.
*/
private class RequestSource extends HTTP::Servers::RequestSource {
private class RequestSource extends Http::Servers::RequestSource {
RouteHandler rh;
RequestSource() { this = rh.getRequestParameter() }
@ -132,7 +132,7 @@ module Fastify {
/**
* A call to a Fastify method that sets up a route.
*/
class RouteSetup extends DataFlow::MethodCallNode, HTTP::Servers::StandardRouteSetup {
class RouteSetup extends DataFlow::MethodCallNode, Http::Servers::StandardRouteSetup {
ServerDefinition server;
string methodName;
@ -176,7 +176,7 @@ module Fastify {
override string getRelativePath() { result = this.getArgument(0).getStringValue() }
override HTTP::RequestMethodName getHttpMethod() { result = this.getMethodName().toUpperCase() }
override Http::RequestMethodName getHttpMethod() { result = this.getMethodName().toUpperCase() }
}
/** Gets the name of the `n`th handler function that can be installed a route setup, in order of execution. */
@ -194,7 +194,7 @@ module Fastify {
override string getRelativePath() { result = this.getOptionArgument(0, "url").getStringValue() }
override HTTP::RequestMethodName getHttpMethod() {
override Http::RequestMethodName getHttpMethod() {
result = this.getOptionArgument(0, "method").getStringValue().toUpperCase()
}
@ -226,7 +226,7 @@ module Fastify {
result = this.pluginBody(DataFlow::TypeBackTracker::end())
}
override HTTP::RequestMethodName getHttpMethod() {
override Http::RequestMethodName getHttpMethod() {
result = this.getOptionArgument(1, "method").getStringValue().toUpperCase()
}
@ -252,7 +252,7 @@ module Fastify {
/**
* An access to a user-controlled Fastify request input.
*/
private class RequestInputAccess extends HTTP::RequestInputAccess {
private class RequestInputAccess extends Http::RequestInputAccess {
RouteHandler rh;
string kind;
@ -308,7 +308,7 @@ module Fastify {
/**
* An access to a header on a Fastify request.
*/
private class RequestHeaderAccess extends HTTP::RequestHeaderAccess {
private class RequestHeaderAccess extends Http::RequestHeaderAccess {
RouteHandler rh;
RequestHeaderAccess() {
@ -327,7 +327,7 @@ module Fastify {
/**
* An argument passed to the `send` or `end` method of an HTTP response object.
*/
private class ResponseSendArgument extends HTTP::ResponseSendArgument {
private class ResponseSendArgument extends Http::ResponseSendArgument {
RouteHandler rh;
ResponseSendArgument() {
@ -342,7 +342,7 @@ module Fastify {
/**
* An invocation of the `redirect` method of an HTTP response object.
*/
private class RedirectInvocation extends HTTP::RedirectInvocation, DataFlow::MethodCallNode {
private class RedirectInvocation extends Http::RedirectInvocation, DataFlow::MethodCallNode {
RouteHandler rh;
RedirectInvocation() { this = rh.getAResponseSource().ref().getAMethodCall("redirect") }
@ -355,7 +355,7 @@ module Fastify {
/**
* An invocation that sets a single header of the HTTP response.
*/
private class SetOneHeader extends HTTP::Servers::StandardHeaderDefinition,
private class SetOneHeader extends Http::Servers::StandardHeaderDefinition,
DataFlow::MethodCallNode {
RouteHandler rh;
@ -370,7 +370,7 @@ module Fastify {
/**
* An invocation that sets any number of headers of the HTTP response.
*/
class SetMultipleHeaders extends HTTP::ExplicitHeaderDefinition, DataFlow::MethodCallNode {
class SetMultipleHeaders extends Http::ExplicitHeaderDefinition, DataFlow::MethodCallNode {
RouteHandler rh;
SetMultipleHeaders() {
@ -414,7 +414,7 @@ module Fastify {
override DataFlow::Node getTemplateParamsNode() { result = this.getArgument(1) }
}
private class FastifyCookieMiddleware extends HTTP::CookieMiddlewareInstance {
private class FastifyCookieMiddleware extends Http::CookieMiddlewareInstance {
FastifyCookieMiddleware() {
this = DataFlow::moduleImport(["fastify-cookie", "fastify-session", "fastify-secure-session"])
}


@ -195,7 +195,7 @@ module Firebase {
/**
* A call to a Firebase method that sets up a route.
*/
private class RouteSetup extends HTTP::Servers::StandardRouteSetup, DataFlow::CallNode {
private class RouteSetup extends Http::Servers::StandardRouteSetup, DataFlow::CallNode {
RouteSetup() { this = namespace().getAPropertyRead("https").getAMemberCall("onRequest") }
override DataFlow::SourceNode getARouteHandler() {
@ -215,7 +215,7 @@ module Firebase {
/**
* A function used as a route handler.
*/
private class RouteHandler extends Express::RouteHandler, HTTP::Servers::StandardRouteHandler,
private class RouteHandler extends Express::RouteHandler, Http::Servers::StandardRouteHandler,
DataFlow::FunctionNode {
RouteHandler() { this = any(RouteSetup setup).getARouteHandler() }


@ -8,7 +8,7 @@ private import semmle.javascript.dataflow.internal.StepSummary
private import semmle.javascript.dataflow.internal.CallGraphs
private import DataFlow::PseudoProperties as PseudoProperties
module HTTP {
module Http {
/**
* A function invocation that causes a redirect response to be sent.
*/
@ -242,7 +242,7 @@ module HTTP {
DataFlow::functionOneWayForwardingStep(pred.getALocalUse(), succ)
or
// a container containing route-handlers.
exists(HTTP::RouteHandlerCandidateContainer container | pred = container.getRouteHandler(succ))
exists(Http::RouteHandlerCandidateContainer container | pred = container.getRouteHandler(succ))
or
// (function (req, res) {}).bind(this);
exists(DataFlow::PartialInvokeNode call |
@ -677,7 +677,7 @@ module HTTP {
/**
* A collection that contains one or more route potential handlers.
*/
private class ContainerCollection extends HTTP::RouteHandlerCandidateContainer::Range,
private class ContainerCollection extends Http::RouteHandlerCandidateContainer::Range,
DataFlow::NewNode {
ContainerCollection() {
this = DataFlow::globalVarRef("Map").getAnInstantiation() and // restrict to Map for now
@ -699,3 +699,6 @@ module HTTP {
}
}
}
/** DEPRECATED: Alias for Http */
deprecated module HTTP = Http;
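Review bot: The renamed public module at `module Http {` (hunk `@ -8,7 +8,7`) still has no QLDoc comment; the line directly above it is a `private import`, so a reader landing on the new name gets no description of what the module models. Since the rename is the moment this declaration is touched, add a one-line QLDoc such as `/** Provides classes for modelling HTTP servers, route handlers, requests and responses. */` immediately before `module Http {`. The `deprecated module HTTP = Http;` alias in the last hunk keeps qualified references like `HTTP::RouteHandler` resolving for existing queries, which is the right compatibility shape for this change. The body of `Http` extends well beyond the visible hunks, so the closing brace on the last hunk is presumed to be the module's.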


@ -9,7 +9,7 @@ module Hapi {
/**
* An expression that creates a new Hapi server.
*/
class ServerDefinition extends HTTP::Servers::StandardServerDefinition, DataFlow::NewNode {
class ServerDefinition extends Http::Servers::StandardServerDefinition, DataFlow::NewNode {
ServerDefinition() {
// `server = new Hapi.Server()`
this = DataFlow::moduleMember("hapi", "Server").getAnInstantiation()
@ -19,7 +19,7 @@ module Hapi {
/**
* A Hapi route handler.
*/
class RouteHandler extends HTTP::Servers::StandardRouteHandler, DataFlow::FunctionNode {
class RouteHandler extends Http::Servers::StandardRouteHandler, DataFlow::FunctionNode {
RouteHandler() { exists(RouteSetup setup | this = setup.getARouteHandler()) }
/**
@ -43,7 +43,7 @@ module Hapi {
* A Hapi response source, that is, an access to the `response` property
* of a request object.
*/
private class ResponseSource extends HTTP::Servers::ResponseSource {
private class ResponseSource extends Http::Servers::ResponseSource {
RequestNode req;
ResponseSource() { this.(DataFlow::PropRead).accesses(req, "response") }
@ -58,7 +58,7 @@ module Hapi {
* A Hapi request source, that is, the request parameter of a
* route handler.
*/
private class RequestSource extends HTTP::Servers::RequestSource {
private class RequestSource extends Http::Servers::RequestSource {
RouteHandler rh;
RequestSource() { this = rh.getRequestParameter() }
@ -80,7 +80,7 @@ module Hapi {
/**
* A Hapi response node.
*/
class ResponseNode extends HTTP::Servers::StandardResponseNode {
class ResponseNode extends Http::Servers::StandardResponseNode {
override ResponseSource src;
}
@ -95,14 +95,14 @@ module Hapi {
/**
* A Hapi request node.
*/
class RequestNode extends HTTP::Servers::StandardRequestNode {
class RequestNode extends Http::Servers::StandardRequestNode {
override RequestSource src;
}
/**
* An access to a user-controlled Hapi request input.
*/
private class RequestInputAccess extends HTTP::RequestInputAccess {
private class RequestInputAccess extends Http::RequestInputAccess {
RouteHandler rh;
string kind;
@ -156,7 +156,7 @@ module Hapi {
/**
* An access to an HTTP header on a Hapi request.
*/
private class RequestHeaderAccess extends HTTP::RequestHeaderAccess {
private class RequestHeaderAccess extends Http::RequestHeaderAccess {
RouteHandler rh;
RequestHeaderAccess() {
@ -181,7 +181,7 @@ module Hapi {
/**
* An HTTP header defined in a Hapi server.
*/
private class HeaderDefinition extends HTTP::Servers::StandardHeaderDefinition {
private class HeaderDefinition extends Http::Servers::StandardHeaderDefinition {
ResponseNode res;
HeaderDefinition() {
@ -195,7 +195,7 @@ module Hapi {
/**
* A call to a Hapi method that sets up a route.
*/
class RouteSetup extends DataFlow::MethodCallNode, HTTP::Servers::StandardRouteSetup {
class RouteSetup extends DataFlow::MethodCallNode, Http::Servers::StandardRouteSetup {
ServerDefinition server;
DataFlow::Node handler;
@ -236,7 +236,7 @@ module Hapi {
*
* For example, this could be the function `function(request, h){...}`.
*/
class RouteHandlerCandidate extends HTTP::RouteHandlerCandidate {
class RouteHandlerCandidate extends Http::RouteHandlerCandidate {
RouteHandlerCandidate() {
exists(string request, string responseToolkit |
(request = "request" or request = "req") and
@ -256,7 +256,7 @@ module Hapi {
* A function that looks like a Hapi route handler and flows to a route setup.
*/
private class TrackedRouteHandlerCandidateWithSetup extends RouteHandler,
HTTP::Servers::StandardRouteHandler, DataFlow::FunctionNode {
Http::Servers::StandardRouteHandler, DataFlow::FunctionNode {
TrackedRouteHandlerCandidateWithSetup() { this = any(RouteSetup s).getARouteHandler() }
}
@ -276,7 +276,7 @@ module Hapi {
/**
* A return from a route handler.
*/
private class HandlerReturn extends HTTP::ResponseSendArgument {
private class HandlerReturn extends Http::ResponseSendArgument {
RouteHandler handler;
HandlerReturn() { this = handler.(DataFlow::FunctionNode).getAReturn() }


@ -9,7 +9,7 @@ module Koa {
/**
* An expression that creates a new Koa application.
*/
class AppDefinition extends HTTP::Servers::StandardServerDefinition, DataFlow::InvokeNode {
class AppDefinition extends Http::Servers::StandardServerDefinition, DataFlow::InvokeNode {
AppDefinition() {
// `app = new Koa()` / `app = Koa()`
this = DataFlow::moduleImport("koa").getAnInvocation()
@ -19,7 +19,7 @@ module Koa {
/**
* An HTTP header defined in a Koa application.
*/
private class HeaderDefinition extends HTTP::Servers::StandardHeaderDefinition {
private class HeaderDefinition extends Http::Servers::StandardHeaderDefinition {
RouteHandler rh;
HeaderDefinition() {
@ -36,7 +36,7 @@ module Koa {
/**
* A Koa route handler.
*/
abstract class RouteHandler extends HTTP::Servers::StandardRouteHandler, DataFlow::SourceNode {
abstract class RouteHandler extends Http::Servers::StandardRouteHandler, DataFlow::SourceNode {
/**
* Gets the parameter of the route handler that contains the context object.
*/
@ -227,7 +227,7 @@ module Koa {
* A Koa request source, that is, an access to the `request` property
* of a context object.
*/
private class RequestSource extends HTTP::Servers::RequestSource instanceof DataFlow::PropRead {
private class RequestSource extends Http::Servers::RequestSource instanceof DataFlow::PropRead {
ContextNode ctx;
RequestSource() { super.accesses(ctx, "request") }
@ -242,7 +242,7 @@ module Koa {
* A Koa request source, accessed through the a request property of a
* generator route handler (deprecated in Koa 3).
*/
private class GeneratorRequestSource extends HTTP::Servers::RequestSource {
private class GeneratorRequestSource extends Http::Servers::RequestSource {
RouteHandler rh;
GeneratorRequestSource() {
@ -262,7 +262,7 @@ module Koa {
* A Koa response source, that is, an access to the `response` property
* of a context object.
*/
private class ResponseSource extends HTTP::Servers::ResponseSource instanceof DataFlow::PropRead {
private class ResponseSource extends Http::Servers::ResponseSource instanceof DataFlow::PropRead {
ContextNode ctx;
ResponseSource() { super.accesses(ctx, "response") }
@ -311,7 +311,7 @@ module Koa {
/**
* An expression that may hold a Koa request object.
*/
class RequestNode extends HTTP::Servers::StandardRequestNode {
class RequestNode extends Http::Servers::StandardRequestNode {
override RequestSource src;
}
@ -326,14 +326,14 @@ module Koa {
/**
* An expression that may hold a Koa response object.
*/
class ResponseNode extends HTTP::Servers::StandardResponseNode {
class ResponseNode extends Http::Servers::StandardResponseNode {
override ResponseSource src;
}
/**
* An access to a user-controlled Koa request input.
*/
private class RequestInputAccess extends HTTP::RequestInputAccess {
private class RequestInputAccess extends Http::RequestInputAccess {
RouteHandler rh;
string kind;
@ -399,7 +399,7 @@ module Koa {
/**
* An access to an HTTP header on a Koa request.
*/
private class RequestHeaderAccess extends HTTP::RequestHeaderAccess {
private class RequestHeaderAccess extends Http::RequestHeaderAccess {
RouteHandler rh;
RequestHeaderAccess() {
@ -435,7 +435,7 @@ module Koa {
/**
* A call to a Koa method that sets up a route.
*/
class RouteSetup extends HTTP::Servers::StandardRouteSetup, DataFlow::MethodCallNode {
class RouteSetup extends Http::Servers::StandardRouteSetup, DataFlow::MethodCallNode {
AppDefinition server;
RouteSetup() {
@ -457,7 +457,7 @@ module Koa {
/**
* A value assigned to the body of an HTTP response object.
*/
private class ResponseSendArgument extends HTTP::ResponseSendArgument {
private class ResponseSendArgument extends Http::ResponseSendArgument {
RouteHandler rh;
ResponseSendArgument() {
@ -470,7 +470,7 @@ module Koa {
/**
* An invocation of the `redirect` method of an HTTP response object.
*/
private class RedirectInvocation extends HTTP::RedirectInvocation instanceof DataFlow::MethodCallNode {
private class RedirectInvocation extends Http::RedirectInvocation instanceof DataFlow::MethodCallNode {
RouteHandler rh;
RedirectInvocation() { super.calls(rh.getAResponseOrContextNode(), "redirect") }


@ -9,7 +9,7 @@ private module LiveServer {
/**
* An expression that imports the live-server package, seen as a server-definition.
*/
class ServerDefinition extends HTTP::Servers::StandardServerDefinition {
class ServerDefinition extends Http::Servers::StandardServerDefinition {
ServerDefinition() { this = DataFlow::moduleImport("live-server") }
API::Node getImportNode() { result.asSource() = this }
@ -30,7 +30,7 @@ private module LiveServer {
/**
* The call to `require("live-server").start()`, seen as a route setup.
*/
class RouteSetup extends HTTP::Servers::StandardRouteSetup instanceof API::CallNode {
class RouteSetup extends Http::Servers::StandardRouteSetup instanceof API::CallNode {
ServerDefinition server;
RouteSetup() { this = server.getImportNode().getMember("start").getACall() }


@ -349,7 +349,7 @@ private module Pino {
or
// `pino` is installed as the "log" property on the request object in `Express` and similar libraries.
// in `Hapi` the property is "logger".
exists(HTTP::RequestNode req, API::Node reqNode |
exists(Http::RequestNode req, API::Node reqNode |
reqNode.asSource() = req.getALocalSource() and
result = reqNode.getMember(["log", "logger"])
)


@ -42,24 +42,24 @@ private module Micro {
/**
* A function passed to `micro` or `micro.run`.
*/
class MicroRouteHandler extends HTTP::Servers::StandardRouteHandler, DataFlow::FunctionNode {
class MicroRouteHandler extends Http::Servers::StandardRouteHandler, DataFlow::FunctionNode {
MicroRouteHandler() { this = microRouteHandler().getAFunctionValue() }
}
class MicroRequestSource extends HTTP::Servers::RequestSource {
class MicroRequestSource extends Http::Servers::RequestSource {
MicroRouteHandler h;
MicroRequestSource() { this = h.getParameter(0) }
override HTTP::RouteHandler getRouteHandler() { result = h }
override Http::RouteHandler getRouteHandler() { result = h }
}
class MicroResponseSource extends HTTP::Servers::ResponseSource {
class MicroResponseSource extends Http::Servers::ResponseSource {
MicroRouteHandler h;
MicroResponseSource() { this = h.getParameter(1) }
override HTTP::RouteHandler getRouteHandler() { result = h }
override Http::RouteHandler getRouteHandler() { result = h }
}
deprecated class MicroRequestExpr extends NodeJSLib::RequestExpr {
@ -78,19 +78,19 @@ private module Micro {
override MicroResponseSource src;
}
private HTTP::RouteHandler getRouteHandlerFromReqRes(DataFlow::Node node) {
exists(HTTP::Servers::RequestSource src |
private Http::RouteHandler getRouteHandlerFromReqRes(DataFlow::Node node) {
exists(Http::Servers::RequestSource src |
src.ref().flowsTo(node) and
result = src.getRouteHandler()
)
or
exists(HTTP::Servers::ResponseSource src |
exists(Http::Servers::ResponseSource src |
src.ref().flowsTo(node) and
result = src.getRouteHandler()
)
}
class MicroBodyParserCall extends HTTP::RequestInputAccess, DataFlow::CallNode {
class MicroBodyParserCall extends Http::RequestInputAccess, DataFlow::CallNode {
string name;
MicroBodyParserCall() {
@ -100,14 +100,14 @@ private module Micro {
override string getKind() { result = "body" }
override HTTP::RouteHandler getRouteHandler() {
override Http::RouteHandler getRouteHandler() {
result = getRouteHandlerFromReqRes(getArgument(0))
}
override predicate isUserControlledObject() { name = "json" }
}
class MicroSendArgument extends HTTP::ResponseSendArgument {
class MicroSendArgument extends Http::ResponseSendArgument {
CallNode send;
MicroSendArgument() {
@ -115,7 +115,7 @@ private module Micro {
this = send.getLastArgument()
}
override HTTP::RouteHandler getRouteHandler() {
override Http::RouteHandler getRouteHandler() {
result = getRouteHandlerFromReqRes(send.getArgument([0, 1]))
}
}


@ -34,7 +34,7 @@ module NestJS {
* }
* ```
*/
private class NestJSRouteHandler extends HTTP::RouteHandler, DataFlow::FunctionNode {
private class NestJSRouteHandler extends Http::RouteHandler, DataFlow::FunctionNode {
NestJSRouteHandler() {
getAFunctionDecorator(this) =
nestjs()
@ -42,7 +42,7 @@ module NestJS {
.getACall()
}
override HTTP::HeaderDefinition getAResponseHeader(string name) { none() }
override Http::HeaderDefinition getAResponseHeader(string name) { none() }
/**
* Holds if this has the `@Redirect()` decorator.
@ -257,7 +257,7 @@ module NestJS {
* The type of remote flow depends on which decorator is applied at the parameter, so
* we just classify it as a `RemoteFlowSource`.
*/
private class NestJSCustomPipeInput extends HTTP::RequestInputAccess {
private class NestJSCustomPipeInput extends Http::RequestInputAccess {
CustomPipeClass pipe;
NestJSCustomPipeInput() {
@ -273,7 +273,7 @@ module NestJS {
result = pipe.getAnAffectedParameter().getInputKind()
}
override HTTP::RouteHandler getRouteHandler() {
override Http::RouteHandler getRouteHandler() {
result = pipe.getAnAffectedParameter().getNestRouteHandler()
}
}
@ -295,13 +295,13 @@ module NestJS {
* as a source of untrusted data.
*/
private class NestJSRequestInputAsRequestInputAccess extends NestJSRequestInput,
HTTP::RequestInputAccess {
Http::RequestInputAccess {
NestJSRequestInputAsRequestInputAccess() {
not this.isSanitizedByPipe() and
not this = any(CustomPipeClass cls).getAnAffectedParameter()
}
override HTTP::RouteHandler getRouteHandler() { result = this.getNestRouteHandler() }
override Http::RouteHandler getRouteHandler() { result = this.getNestRouteHandler() }
override string getKind() { result = this.getInputKind() }
@ -316,7 +316,7 @@ module NestJS {
}
private class NestJSHeaderAccess extends NestJSRequestInputAsRequestInputAccess,
HTTP::RequestHeaderAccess {
Http::RequestHeaderAccess {
NestJSHeaderAccess() { decoratorName = "Headers" and decorator.getNumArgument() > 0 }
override string getAHeaderName() {
@ -344,7 +344,7 @@ module NestJS {
* ```
* writes `<b>Hello</b>` to the response.
*/
private class ReturnValueAsResponseSend extends HTTP::ResponseSendArgument {
private class ReturnValueAsResponseSend extends Http::ResponseSendArgument {
NestJSRouteHandler handler;
ReturnValueAsResponseSend() {
@ -357,7 +357,7 @@ module NestJS {
)
}
override HTTP::RouteHandler getRouteHandler() { result = handler }
override Http::RouteHandler getRouteHandler() { result = handler }
}
/**
@ -439,7 +439,7 @@ module NestJS {
/**
* Gets the route handler that handles this request.
*/
override HTTP::RouteHandler getRouteHandler() {
override Http::RouteHandler getRouteHandler() {
result.(DataFlow::FunctionNode).getAParameter() = this
}
}
@ -456,7 +456,7 @@ module NestJS {
/**
* Gets the route handler that handles this request.
*/
override HTTP::RouteHandler getRouteHandler() {
override Http::RouteHandler getRouteHandler() {
result.(DataFlow::FunctionNode).getAParameter() = this
}
}


@ -153,14 +153,14 @@ module NextJS {
/**
* A Next.js function that is exected on the server for every request, seen as a routehandler.
*/
class NextHttpRouteHandler extends HTTP::Servers::StandardRouteHandler, DataFlow::FunctionNode {
class NextHttpRouteHandler extends Http::Servers::StandardRouteHandler, DataFlow::FunctionNode {
NextHttpRouteHandler() { this = getServerSidePropsFunction(_) or this = getInitialProps(_) }
}
/**
* A function that handles both a request and response from Next.js, seen as a routehandler.
*/
class NextReqResHandler extends HTTP::Servers::StandardRouteHandler, DataFlow::FunctionNode {
class NextReqResHandler extends Http::Servers::StandardRouteHandler, DataFlow::FunctionNode {
DataFlow::ParameterNode req;
DataFlow::ParameterNode res;
@ -182,28 +182,28 @@ module NextJS {
* A NodeJS HTTP request object in a Next.js page.
*/
class NextHttpRequestSource extends NodeJSLib::RequestSource {
HTTP::RouteHandler rh;
Http::RouteHandler rh;
NextHttpRequestSource() {
this = rh.(NextHttpRouteHandler).getParameter(0).getAPropertyRead("req") or
this = rh.(NextReqResHandler).getRequest()
}
override HTTP::RouteHandler getRouteHandler() { result = rh }
override Http::RouteHandler getRouteHandler() { result = rh }
}
/**
* A NodeJS HTTP response object in a Next.js page.
*/
class NextHttpResponseSource extends NodeJSLib::ResponseSource {
HTTP::RouteHandler rh;
Http::RouteHandler rh;
NextHttpResponseSource() {
this = rh.(NextHttpRouteHandler).getParameter(0).getAPropertyRead("res") or
this = rh.(NextReqResHandler).getResponse()
}
override HTTP::RouteHandler getRouteHandler() { result = rh }
override Http::RouteHandler getRouteHandler() { result = rh }
}
/**
@ -222,7 +222,7 @@ module NextJS {
* and we therefore model the routehandler as an Express.js routehandler.
*/
class NextApiRouteHandler extends DataFlow::FunctionNode, Express::RouteHandler,
HTTP::Servers::StandardRouteHandler {
Http::Servers::StandardRouteHandler {
NextApiRouteHandler() {
exists(Module mod | mod.getFile().getParentContainer() = apiFolder() |
this = mod.getAnExportedValue("default").getAFunctionValue()


@ -81,7 +81,7 @@ module NodeJSLib {
* A server library that provides an (enhanced) NodesJS HTTP response
* object should implement a library specific subclass of this class.
*/
abstract class ResponseNode extends HTTP::Servers::StandardResponseNode { }
abstract class ResponseNode extends Http::Servers::StandardResponseNode { }
/**
* DEPRECATED: Use `RequestNode` instead.
@ -100,7 +100,7 @@ module NodeJSLib {
* A server library that provides an (enhanced) NodesJS HTTP request
* object should implement a library specific subclass of this class.
*/
abstract class RequestNode extends HTTP::Servers::StandardRequestNode { }
abstract class RequestNode extends Http::Servers::StandardRequestNode { }
/**
* A function used as an Node.js server route handler.
@ -109,7 +109,7 @@ module NodeJSLib {
* but support for other kinds of route handlers can be added by implementing
* additional subclasses of this class.
*/
abstract class RouteHandler extends HTTP::Servers::StandardRouteHandler, DataFlow::FunctionNode {
abstract class RouteHandler extends Http::Servers::StandardRouteHandler, DataFlow::FunctionNode {
/**
* Gets the parameter of the route handler that contains the request object.
*/
@ -131,7 +131,7 @@ module NodeJSLib {
/**
* A Node.js response source.
*/
abstract class ResponseSource extends HTTP::Servers::ResponseSource { }
abstract class ResponseSource extends Http::Servers::ResponseSource { }
/**
* A standard Node.js response source, that is, the response parameter of a
@ -151,7 +151,7 @@ module NodeJSLib {
/**
* A Node.js request source.
*/
abstract class RequestSource extends HTTP::Servers::RequestSource { }
abstract class RequestSource extends Http::Servers::RequestSource { }
/**
* A standard Node.js request source, that is, the request parameter of a
@ -201,7 +201,7 @@ module NodeJSLib {
/**
* An access to a user-controlled Node.js request input.
*/
private class RequestInputAccess extends HTTP::RequestInputAccess {
private class RequestInputAccess extends Http::RequestInputAccess {
RequestNode request;
string kind;
@ -223,7 +223,7 @@ module NodeJSLib {
)
}
override HTTP::RouteHandler getRouteHandler() { result = request.getRouteHandler() }
override Http::RouteHandler getRouteHandler() { result = request.getRouteHandler() }
override string getKind() { result = kind }
}
@ -231,7 +231,7 @@ module NodeJSLib {
/**
* An access to an HTTP header (other than "Cookie") on an incoming Node.js request object.
*/
private class RequestHeaderAccess extends HTTP::RequestHeaderAccess {
private class RequestHeaderAccess extends Http::RequestHeaderAccess {
RequestNode request;
RequestHeaderAccess() {
@ -247,14 +247,14 @@ module NodeJSLib {
result = this.(DataFlow::PropRead).getPropertyName().toLowerCase()
}
override HTTP::RouteHandler getRouteHandler() { result = request.getRouteHandler() }
override Http::RouteHandler getRouteHandler() { result = request.getRouteHandler() }
override string getKind() { result = "header" }
RequestNode getRequest() { result = request }
}
class RouteSetup extends DataFlow::CallNode, HTTP::Servers::StandardRouteSetup {
class RouteSetup extends DataFlow::CallNode, Http::Servers::StandardRouteSetup {
ServerDefinition server;
DataFlow::Node handler;
@ -282,7 +282,7 @@ module NodeJSLib {
result = succ.backtrack(t2, t)
or
t = t2 and
HTTP::routeHandlerStep(result, succ)
Http::routeHandlerStep(result, succ)
)
}
@ -300,12 +300,12 @@ module NodeJSLib {
DataFlow::Node getRouteHandlerNode() { result = handler }
}
abstract private class HeaderDefinition extends HTTP::Servers::StandardHeaderDefinition {
abstract private class HeaderDefinition extends Http::Servers::StandardHeaderDefinition {
ResponseNode r;
HeaderDefinition() { this.getReceiver() = r }
override HTTP::RouteHandler getRouteHandler() { result = r.getRouteHandler() }
override Http::RouteHandler getRouteHandler() { result = r.getRouteHandler() }
}
/**
@ -403,8 +403,8 @@ module NodeJSLib {
* An expression passed as the first argument to the `write` or `end` method
* of an HTTP response.
*/
private class ResponseSendArgument extends HTTP::ResponseSendArgument {
HTTP::RouteHandler rh;
private class ResponseSendArgument extends Http::ResponseSendArgument {
Http::RouteHandler rh;
ResponseSendArgument() {
exists(DataFlow::MethodCallNode mcn, string m | m = "write" or m = "end" |
@ -415,13 +415,13 @@ module NodeJSLib {
)
}
override HTTP::RouteHandler getRouteHandler() { result = rh }
override Http::RouteHandler getRouteHandler() { result = rh }
}
/**
* An expression that creates a new Node.js server.
*/
class ServerDefinition extends HTTP::Servers::StandardServerDefinition {
class ServerDefinition extends Http::Servers::StandardServerDefinition {
ServerDefinition() { isCreateServer(this) }
}
@ -820,7 +820,7 @@ module NodeJSLib {
*
* For example, this could be the function `function(req, res){...}`.
*/
class RouteHandlerCandidate extends HTTP::RouteHandlerCandidate {
class RouteHandlerCandidate extends Http::RouteHandlerCandidate {
RouteHandlerCandidate() {
exists(string request, string response |
(request = "request" or request = "req") and
@ -840,7 +840,7 @@ module NodeJSLib {
* A function that flows to a route setup.
*/
private class TrackedRouteHandlerCandidateWithSetup extends RouteHandler,
HTTP::Servers::StandardRouteHandler, DataFlow::FunctionNode {
Http::Servers::StandardRouteHandler, DataFlow::FunctionNode {
TrackedRouteHandlerCandidateWithSetup() { this = any(RouteSetup s).getARouteHandler() }
}
@ -871,7 +871,7 @@ module NodeJSLib {
* For example, this could be the call `server.on("request", handler)`
* where it is unknown if `server` is a Node.js server.
*/
class RouteSetupCandidate extends HTTP::RouteSetupCandidate, DataFlow::MethodCallNode {
class RouteSetupCandidate extends Http::RouteSetupCandidate, DataFlow::MethodCallNode {
DataFlow::ValueNode arg;
RouteSetupCandidate() {
@ -912,7 +912,7 @@ module NodeJSLib {
exists(string moduleName, DataFlow::SourceNode callee | this = callee.getACall() |
(moduleName = "http" or moduleName = "https") and
(
callee = DataFlow::moduleMember(moduleName, any(HTTP::RequestMethodName m).toLowerCase())
callee = DataFlow::moduleMember(moduleName, any(Http::RequestMethodName m).toLowerCase())
or
callee = DataFlow::moduleMember(moduleName, "request")
) and


@ -17,7 +17,7 @@ module Request {
action = mod.getAnInvocation()
or
// specialized form: `request.get(...)`
action = mod.getAMemberCall(any(HTTP::RequestMethodName n).toLowerCase())
action = mod.getAMemberCall(any(Http::RequestMethodName n).toLowerCase())
)
|
exists(DataFlow::MethodCallNode auth, int argIndex |


@ -9,7 +9,7 @@ module Restify {
/**
* An expression that creates a new Restify server.
*/
class ServerDefinition extends HTTP::Servers::StandardServerDefinition, DataFlow::CallNode {
class ServerDefinition extends Http::Servers::StandardServerDefinition, DataFlow::CallNode {
ServerDefinition() {
// `server = restify.createServer()`
this = DataFlow::moduleMember("restify", "createServer").getACall()
@ -19,7 +19,7 @@ module Restify {
/**
* A Restify route handler.
*/
class RouteHandler extends HTTP::Servers::StandardRouteHandler, DataFlow::ValueNode {
class RouteHandler extends Http::Servers::StandardRouteHandler, DataFlow::ValueNode {
Function function;
RouteHandler() {
@ -42,7 +42,7 @@ module Restify {
* A Restify response source, that is, the response parameter of a
* route handler.
*/
private class ResponseSource extends HTTP::Servers::ResponseSource {
private class ResponseSource extends Http::Servers::ResponseSource {
RouteHandler rh;
ResponseSource() { this = DataFlow::parameterNode(rh.getResponseParameter()) }
@ -57,7 +57,7 @@ module Restify {
* A Restify request source, that is, the request parameter of a
* route handler.
*/
private class RequestSource extends HTTP::Servers::RequestSource {
private class RequestSource extends Http::Servers::RequestSource {
RouteHandler rh;
RequestSource() { this = DataFlow::parameterNode(rh.getRequestParameter()) }
@ -101,7 +101,7 @@ module Restify {
/**
* An access to a user-controlled Restify request input.
*/
private class RequestInputAccess extends HTTP::RequestInputAccess {
private class RequestInputAccess extends Http::RequestInputAccess {
RequestNode request;
string kind;
@ -140,7 +140,7 @@ module Restify {
/**
* An HTTP header defined in a Restify server.
*/
private class HeaderDefinition extends HTTP::Servers::StandardHeaderDefinition {
private class HeaderDefinition extends Http::Servers::StandardHeaderDefinition {
HeaderDefinition() {
// response.header('Cache-Control', 'no-cache')
this.getReceiver() instanceof ResponseNode and
@ -153,13 +153,13 @@ module Restify {
/**
* A call to a Restify method that sets up a route.
*/
class RouteSetup extends DataFlow::MethodCallNode, HTTP::Servers::StandardRouteSetup {
class RouteSetup extends DataFlow::MethodCallNode, Http::Servers::StandardRouteSetup {
ServerDefinition server;
RouteSetup() {
// server.get('/', fun)
// server.head('/', fun)
server.ref().getAMethodCall(any(HTTP::RequestMethodName m).toLowerCase()) = this
server.ref().getAMethodCall(any(Http::RequestMethodName m).toLowerCase()) = this
}
override DataFlow::SourceNode getARouteHandler() { result.flowsTo(this.getArgument(1)) }


@ -151,7 +151,7 @@ module Templating {
/** Gets the data flow node representing the initialization of the given variable in this scope. */
DataFlow::Node getVariableInit(string name) {
result = DataFlow::ssaDefinitionNode(SSA::implicitInit(this.getScope().getVariable(name)))
result = DataFlow::ssaDefinitionNode(Ssa::implicitInit(this.getScope().getVariable(name)))
}
/** Gets a data flow node corresponding to a use of the given template variable within this top-level. */


@ -226,21 +226,21 @@ module ServerWebSocket {
* A `socket.on("connection", (msg, req) => {})` call seen as a HTTP route handler.
* `req` is a `HTTP::IncomingMessage` instance.
*/
class ConnectionCallAsRouteHandler extends HTTP::RouteHandler, DataFlow::CallNode {
class ConnectionCallAsRouteHandler extends Http::RouteHandler, DataFlow::CallNode {
ConnectionCallAsRouteHandler() { this = getAConnectionCall(_) }
override HTTP::HeaderDefinition getAResponseHeader(string name) { none() }
override Http::HeaderDefinition getAResponseHeader(string name) { none() }
}
/**
* The `req` parameter of a `socket.on("connection", (msg, req) => {})` call.
*/
class ServerHttpRequest extends HTTP::Servers::RequestSource {
class ServerHttpRequest extends Http::Servers::RequestSource {
ConnectionCallAsRouteHandler handler;
ServerHttpRequest() { this = handler.getCallback(1).getParameter(1) }
override HTTP::RouteHandler getRouteHandler() { result = handler }
override Http::RouteHandler getRouteHandler() { result = handler }
}
/** DEPRECATED: Alias for ServerHttpRequest */
@ -249,7 +249,7 @@ module ServerWebSocket {
/**
* An access user-controlled HTTP request input in a request to a WebSocket server.
*/
class WebSocketRequestInput extends HTTP::RequestInputAccess {
class WebSocketRequestInput extends Http::RequestInputAccess {
ServerHttpRequest request;
string kind;
@ -267,7 +267,7 @@ module ServerWebSocket {
override string getKind() { result = kind }
override HTTP::RouteHandler getRouteHandler() { result = request.getRouteHandler() }
override Http::RouteHandler getRouteHandler() { result = request.getRouteHandler() }
}
/**
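Review bot: The doc comment directly above `class ConnectionCallAsRouteHandler` still says `` `req` is a `HTTP::IncomingMessage` instance `` while the same hunk renames the class's supertype to `Http::RouteHandler`. If the backticked name is meant as a reference to the QL library it is now out of step with the new casing this commit introduces; if it refers to Node's runtime type it is clearer to say so explicitly so it is not read as the renamed module. Suggested wording: `` * `req` is a Node.js `http.IncomingMessage` instance. `` — or `Http::IncomingMessage` if a QL class of that name actually exists (not visible here).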


@ -11,14 +11,14 @@ private import semmle.javascript.frameworks.ConnectExpressShared
* Add `NodeJSLib::RouteHandlerCandidate` to the extent of `NodeJSLib::RouteHandler`.
*/
private class PromotedNodeJSLibCandidate extends NodeJSLib::RouteHandler,
HTTP::Servers::StandardRouteHandler {
Http::Servers::StandardRouteHandler {
PromotedNodeJSLibCandidate() { this instanceof NodeJSLib::RouteHandlerCandidate }
}
/**
* Add `Hapi::RouteHandlerCandidate` to the extent of `Hapi::RouteHandler`.
*/
private class PromotedHapiCandidate extends Hapi::RouteHandler, HTTP::Servers::StandardRouteHandler {
private class PromotedHapiCandidate extends Hapi::RouteHandler, Http::Servers::StandardRouteHandler {
PromotedHapiCandidate() { this instanceof Hapi::RouteHandlerCandidate }
}
@ -26,7 +26,7 @@ private class PromotedHapiCandidate extends Hapi::RouteHandler, HTTP::Servers::S
* Add `ConnectExpressShared::RouteHandlerCandidate` to the extent of `Express::RouteHandler`.
*/
private class PromotedExpressCandidate extends Express::RouteHandler,
HTTP::Servers::StandardRouteHandler {
Http::Servers::StandardRouteHandler {
PromotedExpressCandidate() { this instanceof ConnectExpressShared::RouteHandlerCandidate }
override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {
@ -38,7 +38,7 @@ private class PromotedExpressCandidate extends Express::RouteHandler,
* Add `ConnectExpressShared::RouteHandlerCandidate` to the extent of `Connect::RouteHandler`.
*/
private class PromotedConnectCandidate extends Connect::RouteHandler,
HTTP::Servers::StandardRouteHandler {
Http::Servers::StandardRouteHandler {
PromotedConnectCandidate() { this instanceof ConnectExpressShared::RouteHandlerCandidate }
override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {


@ -96,7 +96,7 @@ private predicate writesProperty(DataFlow::Node node, string name) {
exists(VarDef v | v.getAVariable().getName() = name |
if exists(v.getSource())
then v.getSource() = node.asExpr()
else node = DataFlow::ssaDefinitionNode(SSA::definition(v))
else node = DataFlow::ssaDefinitionNode(Ssa::definition(v))
)
}


@ -75,7 +75,7 @@ module TaintedObject {
/** Request input accesses as a JSON source. */
private class RequestInputAsSource extends Source {
RequestInputAsSource() { this.(HTTP::RequestInputAccess).isUserControlledObject() }
RequestInputAsSource() { this.(Http::RequestInputAccess).isUserControlledObject() }
}
/**


@ -127,7 +127,7 @@ class UselessCat extends CommandCall {
or
// `exec` can use 3 parameters, `readFile` can only use two, so it is OK to have a third parameter if it is unused,
func.getNumParameter() = 3 and
not exists(SSA::definition(func.getParameter(2).getParameter()))
not exists(Ssa::definition(func.getParameter(2).getParameter()))
)
) and
// The process returned by an async call is unused.


@ -49,7 +49,7 @@ module CleartextStorage {
*/
class CookieStorageSink extends Sink {
CookieStorageSink() {
exists(HTTP::CookieDefinition cookieDef |
exists(Http::CookieDefinition cookieDef |
this = cookieDef.getValueArgument() or
this = cookieDef.getHeaderArgument()
)


@ -19,7 +19,7 @@ module CorsMisconfigurationForCredentials {
/**
* Gets the "Access-Control-Allow-Credentials" header definition.
*/
abstract HTTP::HeaderDefinition getCredentialsHeader();
abstract Http::HeaderDefinition getCredentialsHeader();
}
/**
@ -41,11 +41,11 @@ module CorsMisconfigurationForCredentials {
* HTTP header with a truthy value.
*/
class CorsOriginHeaderWithAssociatedCredentialHeader extends Sink, DataFlow::ValueNode {
HTTP::ExplicitHeaderDefinition credentials;
Http::ExplicitHeaderDefinition credentials;
CorsOriginHeaderWithAssociatedCredentialHeader() {
exists(
HTTP::RouteHandler routeHandler, HTTP::ExplicitHeaderDefinition origin,
Http::RouteHandler routeHandler, Http::ExplicitHeaderDefinition origin,
DataFlow::Node credentialsValue
|
routeHandler.getAResponseHeader(_) = origin and
@ -58,7 +58,7 @@ module CorsMisconfigurationForCredentials {
)
}
override HTTP::HeaderDefinition getCredentialsHeader() { result = credentials }
override Http::HeaderDefinition getCredentialsHeader() { result = credentials }
}
/**


@ -31,7 +31,7 @@ module DifferentKindsComparisonBypass {
* A HTTP request input that is suspicious to compare with another HTTP request input of a different kind.
*/
class RequestInputComparisonSource extends Source {
HTTP::RequestInputAccess input;
Http::RequestInputAccess input;
RequestInputComparisonSource() { input = this }
@ -42,7 +42,7 @@ module DifferentKindsComparisonBypass {
/**
* Gets the HTTP request input of this source.
*/
private HTTP::RequestInputAccess getInput() { result = input }
private Http::RequestInputAccess getInput() { result = input }
}
/**


@ -12,7 +12,7 @@ class Configuration extends TaintTracking::Configuration {
Configuration() { this = "TaintedHostHeader" }
override predicate isSource(DataFlow::Node node) {
exists(HTTP::RequestHeaderAccess input | node = input |
exists(Http::RequestHeaderAccess input | node = input |
input.getKind() = "header" and
input.getAHeaderName() = "host"
)


@ -9,7 +9,7 @@ private import HttpToFileAccessCustomizations::HttpToFileAccess
* An access to a user-controlled HTTP request input, considered as a flow source for writing user-controlled data to files
*/
private class RequestInputAccessAsSource extends Source {
RequestInputAccessAsSource() { this instanceof HTTP::RequestInputAccess }
RequestInputAccessAsSource() { this instanceof Http::RequestInputAccess }
}
/** A response from a server, considered as a flow source for writing user-controlled data to files. */


@ -24,15 +24,15 @@ module ReflectedXss {
* a content type that does not (case-insensitively) contain the string "html". This
* is to prevent us from flagging plain-text or JSON responses as vulnerable.
*/
class HttpResponseSink extends Sink instanceof HTTP::ResponseSendArgument {
class HttpResponseSink extends Sink instanceof Http::ResponseSendArgument {
HttpResponseSink() { not exists(getANonHtmlHeaderDefinition(this)) }
}
/**
* Gets a HeaderDefinition that defines a non-html content-type for `send`.
*/
HTTP::HeaderDefinition getANonHtmlHeaderDefinition(HTTP::ResponseSendArgument send) {
exists(HTTP::RouteHandler h |
Http::HeaderDefinition getANonHtmlHeaderDefinition(Http::ResponseSendArgument send) {
exists(Http::RouteHandler h |
send.getRouteHandler() = h and
result = nonHtmlContentTypeHeader(h)
|
@ -44,7 +44,7 @@ module ReflectedXss {
/**
* Holds if `h` may send a response with a content type other than HTML.
*/
HTTP::HeaderDefinition nonHtmlContentTypeHeader(HTTP::RouteHandler h) {
Http::HeaderDefinition nonHtmlContentTypeHeader(Http::RouteHandler h) {
result = h.getAResponseHeader("content-type") and
not exists(string tp | result.defines("content-type", tp) | tp.regexpMatch("(?i).*html.*"))
}
@ -52,7 +52,7 @@ module ReflectedXss {
/**
* Holds if a header set in `header` is likely to affect a response sent at `sender`.
*/
predicate headerAffects(HTTP::HeaderDefinition header, HTTP::ResponseSendArgument sender) {
predicate headerAffects(Http::HeaderDefinition header, Http::ResponseSendArgument sender) {
sender.getRouteHandler() = header.getRouteHandler() and
(
// `sender` is affected by a dominating `header`.
@ -60,7 +60,7 @@ module ReflectedXss {
or
// There is no dominating header, and `header` is non-local.
not isLocalHeaderDefinition(header) and
not exists(HTTP::HeaderDefinition dominatingHeader |
not exists(Http::HeaderDefinition dominatingHeader |
dominatingHeader.getBasicBlock().(ReachableBasicBlock).dominates(sender.getBasicBlock())
)
)
@ -77,10 +77,10 @@ module ReflectedXss {
* return;
* ```
*/
predicate isLocalHeaderDefinition(HTTP::HeaderDefinition header) {
predicate isLocalHeaderDefinition(Http::HeaderDefinition header) {
exists(ReachableBasicBlock headerBlock | headerBlock = header.getBasicBlock() |
1 =
strictcount(HTTP::ResponseSendArgument sender |
strictcount(Http::ResponseSendArgument sender |
sender.getRouteHandler() = header.getRouteHandler() and
header.getBasicBlock().(ReachableBasicBlock).dominates(sender.getBasicBlock())
) and
@ -108,9 +108,9 @@ module ReflectedXss {
/** A third-party controllable request input, considered as a flow source for reflected XSS. */
class ThirdPartyRequestInputAccessAsSource extends Source {
ThirdPartyRequestInputAccessAsSource() {
this.(HTTP::RequestInputAccess).isThirdPartyControllable()
this.(Http::RequestInputAccess).isThirdPartyControllable()
or
this.(HTTP::RequestHeaderAccess).getAHeaderName() = "referer"
this.(Http::RequestHeaderAccess).getAHeaderName() = "referer"
}
}
}


@ -59,7 +59,7 @@ module RemotePropertyInjection {
*/
class HeaderNameSink extends Sink {
HeaderNameSink() {
exists(HTTP::ExplicitHeaderDefinition hd |
exists(Http::ExplicitHeaderDefinition hd |
not hd instanceof Express::SetMultipleHeaders and
this = hd.getNameNode()
)


@ -26,7 +26,7 @@ module ServerSideUrlRedirect {
/** A source of third-party user input, considered as a flow source for URL redirects. */
class ThirdPartyRequestInputAccessAsSource extends Source {
ThirdPartyRequestInputAccessAsSource() {
this.(HTTP::RequestInputAccess).isThirdPartyControllable()
this.(Http::RequestInputAccess).isThirdPartyControllable()
}
}
@ -34,7 +34,7 @@ module ServerSideUrlRedirect {
* An HTTP redirect, considered as a sink for `Configuration`.
*/
class RedirectSink extends Sink {
RedirectSink() { this = any(HTTP::RedirectInvocation redir).getUrlArgument() }
RedirectSink() { this = any(Http::RedirectInvocation redir).getUrlArgument() }
}
/**
@ -43,7 +43,7 @@ module ServerSideUrlRedirect {
*/
class LocationHeaderSink extends Sink {
LocationHeaderSink() {
any(HTTP::ExplicitHeaderDefinition def).definesHeaderValue("location", this)
any(Http::ExplicitHeaderDefinition def).definesHeaderValue("location", this)
}
}


@ -32,5 +32,5 @@ module StackTraceExposure {
* An expression that can become part of an HTTP response body, viewed
* as a data flow sink for stack trace exposure vulnerabilities.
*/
class DefaultSink extends Sink instanceof HTTP::ResponseBody { }
class DefaultSink extends Sink instanceof Http::ResponseBody { }
}


@ -29,7 +29,7 @@ module TypeConfusionThroughParameterTampering {
* Node.js-based HTTP servers turn request parameters into arrays if their names are repeated.
*/
private class TypeTamperableRequestParameter extends Source {
TypeTamperableRequestParameter() { this.(HTTP::RequestInputAccess).isUserControlledObject() }
TypeTamperableRequestParameter() { this.(Http::RequestInputAccess).isUserControlledObject() }
}
/**


@ -48,8 +48,8 @@ module PolynomialReDoS {
* A remote input to a server, seen as a source for polynomial
* regular expression denial-of-service vulnerabilities.
*/
class RequestInputAccessAsSource extends Source instanceof HTTP::RequestInputAccess {
override string getKind() { result = HTTP::RequestInputAccess.super.getKind() }
class RequestInputAccessAsSource extends Source instanceof Http::RequestInputAccess {
override string getKind() { result = Http::RequestInputAccess.super.getKind() }
}
/**


@ -35,7 +35,7 @@ predicate isRouteHandlerUsingCookies(Routing::RouteHandler handler) {
* A router handler following after cookie parsing is assumed to depend on
* cookies, and thus require CSRF protection.
*/
predicate hasCookieMiddleware(Routing::Node route, HTTP::CookieMiddlewareInstance cookie) {
predicate hasCookieMiddleware(Routing::Node route, Http::CookieMiddlewareInstance cookie) {
route.isGuardedBy(cookie)
}
@ -112,7 +112,7 @@ private DataFlow::SourceNode nodeLeadingToCsrfWriteOrCheck(DataFlow::TypeBackTra
* Gets a route handler that sets an CSRF related cookie.
*/
private Routing::RouteHandler getAHandlerSettingCsrfCookie() {
exists(HTTP::CookieDefinition setCookie |
exists(Http::CookieDefinition setCookie |
setCookie.getNameArgument().getStringValue().regexpMatch("(?i).*(csrf|xsrf).*") and
result = Routing::getRouteHandler(setCookie.getRouteHandler())
)
@ -180,7 +180,7 @@ predicate hasCsrfMiddleware(Routing::RouteHandler handler) {
from
Routing::RouteSetup setup, Routing::Node setupArg, Routing::RouteHandler handler,
HTTP::CookieMiddlewareInstance cookie
Http::CookieMiddlewareInstance cookie
where
// Require that the handler uses cookies and has cookie middleware.
//


@ -15,6 +15,6 @@
import javascript
import semmle.javascript.frameworks.HTTP
from HTTP::ServerDefinition server
from Http::ServerDefinition server
where not exists(server.getARouteHandler().getAResponseHeader("x-frame-options"))
select server, "This server never sets the 'X-Frame-Options' HTTP header."


@ -14,7 +14,7 @@
import javascript
from
Routing::RouteSetup setup, Routing::RouteHandler handler, HTTP::RequestInputAccess input,
Routing::RouteSetup setup, Routing::RouteHandler handler, Http::RequestInputAccess input,
SensitiveNode sensitive
where
setup.getOwnHttpMethod() = "GET" and


@ -88,7 +88,7 @@ Function reachableFromAsyncCallback() {
* The main predicate of this query: used for both result display and path computation.
*/
predicate main(
HTTP::RouteHandler rh, AsyncSentinelCall async, AsyncCallback cb, LikelyExceptionThrower thrower
Http::RouteHandler rh, AsyncSentinelCall async, AsyncCallback cb, LikelyExceptionThrower thrower
) {
async.getAsyncCallee() = cb and
rh.getAstNode() = invokesCallbackThatThrowsUncaughtException(async, thrower)
@ -180,7 +180,7 @@ query predicate nodes(AstNode node) {
}
from
HTTP::RouteHandler rh, AsyncSentinelCall async, DataFlow::Node callbackArg, AsyncCallback cb,
Http::RouteHandler rh, AsyncSentinelCall async, DataFlow::Node callbackArg, AsyncCallback cb,
ExprOrStmt crasher
where
main(rh, async, cb, crasher) and


@ -77,7 +77,7 @@ private module StandardPoIs {
UnpromotedRouteSetupPoI() { this = "UnpromotedRouteSetupPoI" }
override predicate is(Node l0) {
l0 instanceof HTTP::RouteSetupCandidate and not l0 instanceof HTTP::RouteSetup
l0 instanceof Http::RouteSetupCandidate and not l0 instanceof Http::RouteSetup
}
}
@ -88,7 +88,7 @@ private module StandardPoIs {
UnpromotedRouteHandlerPoI() { this = "UnpromotedRouteHandlerPoI" }
override predicate is(Node l0) {
l0 instanceof HTTP::RouteHandlerCandidate and not l0 instanceof HTTP::RouteHandler
l0 instanceof Http::RouteHandlerCandidate and not l0 instanceof Http::RouteHandler
}
}
@ -98,7 +98,7 @@ private module StandardPoIs {
class UnpromotedRouteHandlerWithFlowPoI extends PoI {
UnpromotedRouteHandlerWithFlowPoI() { this = "UnpromotedRouteHandlerWithFlowPoI" }
private DataFlow::SourceNode track(HTTP::RouteHandlerCandidate cand, DataFlow::TypeTracker t) {
private DataFlow::SourceNode track(Http::RouteHandlerCandidate cand, DataFlow::TypeTracker t) {
t.start() and
result = cand
or
@ -106,8 +106,8 @@ private module StandardPoIs {
}
override predicate is(Node l0, Node l1, string t1) {
l0 instanceof HTTP::RouteHandlerCandidate and
not l0 instanceof HTTP::RouteHandler and
l0 instanceof Http::RouteHandlerCandidate and
not l0 instanceof Http::RouteHandler and
l1 = track(l0, TypeTracker::end()) and
(if l1 = l0 then t1 = "ends here" else t1 = "starts/ends here")
}


@ -8,7 +8,7 @@ import javascript
* Gets a source node to which `cand` may flow inter-procedurally, with `t` tracking
* the state of flow.
*/
DataFlow::SourceNode track(HTTP::RouteHandlerCandidate cand, DataFlow::TypeTracker t) {
DataFlow::SourceNode track(Http::RouteHandlerCandidate cand, DataFlow::TypeTracker t) {
t.start() and
result = cand
or


@ -11,6 +11,6 @@
import javascript
import CallGraphQuality
HTTP::RouteHandler relevantRouteHandler() { not result.getFile() instanceof IgnoredFile }
Http::RouteHandler relevantRouteHandler() { not result.getFile() instanceof IgnoredFile }
select projectRoot(), count(relevantRouteHandler())


@ -11,10 +11,10 @@
import javascript
import CandidateTracking
from HTTP::RouteHandlerCandidate rh
from Http::RouteHandlerCandidate rh
where
not rh instanceof HTTP::RouteHandler and
not exists(HTTP::RouteSetupCandidate setup |
not rh instanceof Http::RouteHandler and
not exists(Http::RouteSetupCandidate setup |
track(rh, DataFlow::TypeTracker::end()).flowsTo(setup.getARouteHandlerArg())
)
select rh,


@ -11,10 +11,10 @@
import javascript
import CandidateTracking
from HTTP::RouteSetupCandidate setup
from Http::RouteSetupCandidate setup
where
not setup instanceof HTTP::RouteSetup and
exists(HTTP::RouteHandlerCandidate rh |
not setup instanceof Http::RouteSetup and
exists(Http::RouteHandlerCandidate rh |
track(rh, DataFlow::TypeTracker::end()).flowsTo(setup.getARouteHandlerArg())
)
select setup,


@ -1,7 +1,7 @@
import javascript
query predicate test_CookieMiddlewareInstance(
HTTP::CookieMiddlewareInstance instance, DataFlow::Node res
Http::CookieMiddlewareInstance instance, DataFlow::Node res
) {
res = instance.getASecretKey()
}


@ -1,5 +1,5 @@
import javascript
query predicate test_HeaderAccess(HTTP::RequestHeaderAccess access, string res) {
query predicate test_HeaderAccess(Http::RequestHeaderAccess access, string res) {
res = access.getAHeaderName()
}


@ -1,5 +1,5 @@
import javascript
query predicate test_HeaderDefinition(HTTP::HeaderDefinition hd, Express::RouteHandler rh) {
query predicate test_HeaderDefinition(Http::HeaderDefinition hd, Express::RouteHandler rh) {
rh = hd.getRouteHandler()
}


@ -1,5 +1,5 @@
import javascript
query predicate test_HeaderDefinition_defines(HTTP::HeaderDefinition hd, string name, string value) {
query predicate test_HeaderDefinition_defines(Http::HeaderDefinition hd, string name, string value) {
hd.defines(name, value) and hd.getRouteHandler() instanceof Express::RouteHandler
}


@ -1,5 +1,5 @@
import javascript
query predicate test_HeaderDefinition_getAHeaderName(HTTP::HeaderDefinition hd, string res) {
query predicate test_HeaderDefinition_getAHeaderName(Http::HeaderDefinition hd, string res) {
hd.getRouteHandler() instanceof Express::RouteHandler and res = hd.getAHeaderName()
}


@ -1,7 +1,7 @@
import javascript
query predicate test_HeaderDefinition_getNameExpr(
HTTP::ExplicitHeaderDefinition hd, DataFlow::Node res
Http::ExplicitHeaderDefinition hd, DataFlow::Node res
) {
hd.getRouteHandler() instanceof Express::RouteHandler and res = hd.getNameNode()
}
