JS: split NosqlInjection.qll

2019-07-04 09:19:26 +02:00 · 2019-07-04 09:19:26 +02:00 · 2972c28e58
--- a/javascript/ql/src/semmle/javascript/security/dataflow/NosqlInjection.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/NosqlInjection.qll
@ -1,33 +1,17 @@
 /**
- * Provides a taint tracking configuration for reasoning about NoSQL injection
- * vulnerabilities.
+ * Provides a taint tracking configuration for reasoning about NoSQL
+ * injection vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `NosqlInjection::Configuration` is needed, otherwise
+ * `NosqlInjectionCustomizations` should be imported instead.
 */

 import javascript
 import semmle.javascript.security.TaintedObject

 module NosqlInjection {
-  /**
-   * A data flow source for NoSQL-injection vulnerabilities.
-   */
-  abstract class Source extends DataFlow::Node { }
-
-  /**
-   * A data flow sink for SQL-injection vulnerabilities.
-   */
-  abstract class Sink extends DataFlow::Node {
-    /**
-     * Gets a flow label relevant for this sink.
-     *
-     * Defaults to deeply tainted objects only.
-     */
-    DataFlow::FlowLabel getAFlowLabel() { result = TaintedObject::label() }
-  }
-
-  /**
-   * A sanitizer for SQL-injection vulnerabilities.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
+  import NosqlInjectionCustomizations::NosqlInjection

  /**
   * A taint-tracking configuration for reasoning about SQL-injection vulnerabilities.
@ -69,14 +53,4 @@ module NosqlInjection {
      )
    }
  }
-
-  /** A source of remote user input, considered as a flow source for NoSQL injection. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
-  }
-
-  /** An expression interpreted as a NoSQL query, viewed as a sink. */
-  class NosqlQuerySink extends Sink, DataFlow::ValueNode {
-    override NoSQL::Query astNode;
-  }
 }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/NosqlInjectionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/NosqlInjectionCustomizations.qll
@ -0,0 +1,42 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * NoSQL injection vulnerabilities, as well as extension points for
+ * adding your own.
+ */
+
+import javascript
+import semmle.javascript.security.TaintedObject
+
+module NosqlInjection {
+  /**
+   * A data flow source for NoSQL injection vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for NoSQL injection vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node {
+    /**
+     * Gets a flow label relevant for this sink.
+     *
+     * Defaults to deeply tainted objects only.
+     */
+    DataFlow::FlowLabel getAFlowLabel() { result = TaintedObject::label() }
+  }
+
+  /**
+   * A sanitizer for NoSQL injection vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** A source of remote user input, considered as a flow source for NoSQL injection. */
+  class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  }
+
+  /** An expression interpreted as a NoSQL query, viewed as a sink. */
+  class NosqlQuerySink extends Sink, DataFlow::ValueNode {
+    override NoSQL::Query astNode;
+  }
+}