github
/
codeql
зеркало из https://github.com/github/codeql.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

JS: Set literals.

This commit is contained in:
Geoffrey White 2021-10-13 16:39:02 +01:00
Родитель a82c76d2f9
Коммит 882adc8e50
12 изменённых файлов: 170 добавлений и 668 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
javascript/ql/lib/semmle/javascript/DynamicPropertyAccess.qll
Просмотреть файл

@ -14,7 +14,7 @@ private import semmle.javascript.dataflow.internal.FlowSteps
SourceNode getAnEnumeratedArrayElement(SourceNode array) {
exists(MethodCallNode call, string name |
call = array.getAMethodCall(name) and
(name = "forEach" or name = "map") and
(name = ["forEach", "map"]) and
result = call.getCallback(0).getParameter(0)
)
or

8
javascript/ql/lib/semmle/javascript/StandardLibrary.qll
Просмотреть файл

@ -55,13 +55,7 @@ private class ArrayIterationCallbackAsPartialInvoke extends DataFlow::PartialInv
getNumArgument() = 2 and
// Filter out library methods named 'forEach' etc
not DataFlow::moduleImport(_).flowsTo(getReceiver()) and
exists(string name | name = getMethodName() |
name = "filter" or
name = "forEach" or
name = "map" or
name = "some" or
name = "every"
)
getMethodName() = ["filter", "forEach", "map", "some", "every"]
}
override DataFlow::Node getBoundReceiver(DataFlow::Node callback) {

103
javascript/ql/lib/semmle/javascript/frameworks/AngularJS/AngularJSCore.qll
Просмотреть файл

@ -177,15 +177,10 @@ class ModuleApiCallDependencyInjection extends DependencyInjection {
* This method excludes the method names that are also present on the AngularJS '$provide' object.
*/
private int injectableArgPos() {
(
methodName = "directive" or
methodName = "filter" or
methodName = "controller" or
methodName = "animation"
) and
methodName = ["directive", "filter", "controller", "animation"] and
result = 1
or
(methodName = "config" or methodName = "run") and
methodName = ["config", "run"] and
result = 0
}
@ -199,64 +194,17 @@ class ModuleApiCallDependencyInjection extends DependencyInjection {
* (cf. https://docs.angularjs.org/api/ng/directive/).
*/
private predicate builtinDirective(string name) {
name = "ngApp" or
name = "ngBind" or
name = "ngBindHtml" or
name = "ngBindTemplate" or
name = "ngBlur" or
name = "ngChange" or
name = "ngChecked" or
name = "ngClass" or
name = "ngClassEven" or
name = "ngClassOdd" or
name = "ngClick" or
name = "ngCloak" or
name = "ngController" or
name = "ngCopy" or
name = "ngCsp" or
name = "ngCut" or
name = "ngDblclick" or
name = "ngDisabled" or
name = "ngFocus" or
name = "ngForm" or
name = "ngHide" or
name = "ngHref" or
name = "ngIf" or
name = "ngInclude" or
name = "ngInit" or
name = "ngJq" or
name = "ngKeydown" or
name = "ngKeypress" or
name = "ngKeyup" or
name = "ngList" or
name = "ngMaxlength" or
name = "ngMinlength" or
name = "ngModel" or
name = "ngModelOptions" or
name = "ngMousedown" or
name = "ngMouseenter" or
name = "ngMouseleave" or
name = "ngMousemove" or
name = "ngMouseover" or
name = "ngMouseup" or
name = "ngNonBindable" or
name = "ngOpen" or
name = "ngOptions" or
name = "ngPaste" or
name = "ngPattern" or
name = "ngPluralize" or
name = "ngReadonly" or
name = "ngRepeat" or
name = "ngRequired" or
name = "ngSelected" or
name = "ngShow" or
name = "ngSrc" or
name = "ngSrcset" or
name = "ngStyle" or
name = "ngSubmit" or
name = "ngSwitch" or
name = "ngTransclude" or
name = "ngValue"
name =
[
"ngApp", "ngBind", "ngBindHtml", "ngBindTemplate", "ngBlur", "ngChange", "ngChecked",
"ngClass", "ngClassEven", "ngClassOdd", "ngClick", "ngCloak", "ngController", "ngCopy",
"ngCsp", "ngCut", "ngDblclick", "ngDisabled", "ngFocus", "ngForm", "ngHide", "ngHref", "ngIf",
"ngInclude", "ngInit", "ngJq", "ngKeydown", "ngKeypress", "ngKeyup", "ngList", "ngMaxlength",
"ngMinlength", "ngModel", "ngModelOptions", "ngMousedown", "ngMouseenter", "ngMouseleave",
"ngMousemove", "ngMouseover", "ngMouseup", "ngNonBindable", "ngOpen", "ngOptions", "ngPaste",
"ngPattern", "ngPluralize", "ngReadonly", "ngRepeat", "ngRequired", "ngSelected", "ngShow",
"ngSrc", "ngSrcset", "ngStyle", "ngSubmit", "ngSwitch", "ngTransclude", "ngValue"
]
}
private newtype TDirectiveInstance =
@ -676,10 +624,7 @@ private class JQLiteObject extends JQuery::ObjectSource::Range {
)
)
or
exists(ServiceReference element |
element.getName() = "$rootElement" or
element.getName() = "$document"
|
exists(ServiceReference element | element.getName() = ["$rootElement", "$document"] |
this = element.getAReference()
)
}
@ -780,23 +725,17 @@ private class BuiltinServiceCall extends AngularJSCall {
override predicate interpretsArgumentAsCode(Expr e) {
exists(ScopeServiceReference scope, string methodName |
methodName = "$apply" or
methodName = "$applyAsync" or
methodName = "$eval" or
methodName = "$evalAsync" or
methodName = "$watch" or
methodName = "$watchCollection" or
methodName = "$watchGroup"
methodName =
[
"$apply", "$applyAsync", "$eval", "$evalAsync", "$watch", "$watchCollection",
"$watchGroup"
]
|
call = scope.getAMethodCall(methodName) and
e = call.getArgument(0)
)
or
exists(ServiceReference service |
service.getName() = "$compile" or
service.getName() = "$parse" or
service.getName() = "$interpolate"
|
exists(ServiceReference service | service.getName() = ["$compile", "$parse", "$interpolate"] |
call = service.getACall() and
e = call.getArgument(0)
)
@ -952,7 +891,7 @@ class ElementScope extends AngularScope, MkElementScope {
DataFlow::SourceNode routeProviderRef() {
result = builtinServiceRef("$routeProvider")
or
exists(string m | m = "when" or m = "otherwise" | result = routeProviderRef().getAMethodCall(m))
exists(string m | m = ["when", "otherwise"] | result = routeProviderRef().getAMethodCall(m))
}
/**

23
javascript/ql/lib/semmle/javascript/frameworks/AngularJS/AngularJSExpressions.qll
Просмотреть файл

@ -277,24 +277,11 @@ private module Lexer {
override string getPattern() {
result =
concat(string op |
op = "===" or
op = "!==" or
op = "==" or
op = "!=" or
op = "<=" or
op = ">=" or
op = "&&" or
op = "||" or
op = "*" or
op = "!" or
op = "=" or
op = "<" or
op = ">" or
op = "+" or
op = "-" or
op = "/" or
op = "%" or
op = "|"
op =
[
"===", "!==", "==", "!=", "<=", ">=", "&&", "||", "*", "!", "=", "<", ">", "+", "-",
"/", "%", "|"
]
|
"\\Q" + op + "\\E", "|" order by op.length() desc
)

30
javascript/ql/lib/semmle/javascript/frameworks/AsyncPackage.qll
Просмотреть файл

@ -103,25 +103,12 @@ module AsyncPackage {
IterationCall() {
this = memberVariant(name).getACall() and
(
name = "concat" or
name = "detect" or
name = "each" or
name = "eachOf" or
name = "forEach" or
name = "forEachOf" or
name = "every" or
name = "filter" or
name = "groupBy" or
name = "map" or
name = "mapValues" or
name = "reduce" or
name = "reduceRight" or
name = "reject" or
name = "some" or
name = "sortBy" or
name = "transform"
)
name =
[
"concat", "detect", "each", "eachOf", "forEach", "forEachOf", "every", "filter",
"groupBy", "map", "mapValues", "reduce", "reduceRight", "reject", "some", "sortBy",
"transform"
]
}
/**
@ -176,10 +163,7 @@ module AsyncPackage {
pred = getLastParameter(iteratee).getACall().getArgument(i) and
succ = final.getParameter(i) and
exists(string name | name = call.getName() |
name = "concat" or
name = "map" or
name = "reduce" or
name = "reduceRight"
name = ["concat", "map", "reduce", "reduceRight"]
)
)
}

46
javascript/ql/lib/semmle/javascript/frameworks/HTTP.qll
Просмотреть файл

@ -81,29 +81,12 @@ module HTTP {
*/
class RequestMethodName extends string {
RequestMethodName() {
this = "CHECKOUT" or
this = "COPY" or
this = "DELETE" or
this = "GET" or
this = "HEAD" or
this = "LOCK" or
this = "MERGE" or
this = "MKACTIVITY" or
this = "MKCOL" or
this = "MOVE" or
this = "M-SEARCH" or
this = "NOTIFY" or
this = "OPTIONS" or
this = "PATCH" or
this = "POST" or
this = "PURGE" or
this = "PUT" or
this = "REPORT" or
this = "SEARCH" or
this = "SUBSCRIBE" or
this = "TRACE" or
this = "UNLOCK" or
this = "UNSUBSCRIBE"
this =
[
"CHECKOUT", "COPY", "DELETE", "GET", "HEAD", "LOCK", "MERGE", "MKACTIVITY", "MKCOL",
"MOVE", "M-SEARCH", "NOTIFY", "OPTIONS", "PATCH", "POST", "PURGE", "PUT", "REPORT",
"SEARCH", "SUBSCRIBE", "TRACE", "UNLOCK", "UNSUBSCRIBE"
]
}
/**
@ -111,14 +94,7 @@ module HTTP {
* such as for `GET` and `HEAD` requests.
*/
predicate isSafe() {
this = "GET" or
this = "HEAD" or
this = "OPTIONS" or
this = "PRI" or
this = "PROPFIND" or
this = "REPORT" or
this = "SEARCH" or
this = "TRACE"
this = ["GET", "HEAD", "OPTIONS", "PRI", "PROPFIND", "REPORT", "SEARCH", "TRACE"]
}
}
@ -477,13 +453,7 @@ module HTTP {
* Headers are never considered third-party controllable by this predicate, although the
* third party does have some control over the the Referer and Origin headers.
*/
predicate isThirdPartyControllable() {
exists(string kind | kind = getKind() |
kind = "parameter" or
kind = "url" or
kind = "body"
)
}
predicate isThirdPartyControllable() { getKind() = ["parameter", "url", "body"] }
}
/**

482
javascript/ql/lib/semmle/javascript/frameworks/LodashUnderscore.qll
Просмотреть файл

@ -47,312 +47,50 @@ module LodashUnderscore {
*/
private predicate isLodashMember(string name) {
// Can be generated using Object.keys(require('lodash'))
name = "templateSettings" or
name = "after" or
name = "ary" or
name = "assign" or
name = "assignIn" or
name = "assignInWith" or
name = "assignWith" or
name = "at" or
name = "before" or
name = "bind" or
name = "bindAll" or
name = "bindKey" or
name = "castArray" or
name = "chain" or
name = "chunk" or
name = "compact" or
name = "concat" or
name = "cond" or
name = "conforms" or
name = "constant" or
name = "countBy" or
name = "create" or
name = "curry" or
name = "curryRight" or
name = "debounce" or
name = "defaults" or
name = "defaultsDeep" or
name = "defer" or
name = "delay" or
name = "difference" or
name = "differenceBy" or
name = "differenceWith" or
name = "drop" or
name = "dropRight" or
name = "dropRightWhile" or
name = "dropWhile" or
name = "fill" or
name = "filter" or
name = "flatMap" or
name = "flatMapDeep" or
name = "flatMapDepth" or
name = "flatten" or
name = "flattenDeep" or
name = "flattenDepth" or
name = "flip" or
name = "flow" or
name = "flowRight" or
name = "fromPairs" or
name = "functions" or
name = "functionsIn" or
name = "groupBy" or
name = "initial" or
name = "intersection" or
name = "intersectionBy" or
name = "intersectionWith" or
name = "invert" or
name = "invertBy" or
name = "invokeMap" or
name = "iteratee" or
name = "keyBy" or
name = "keys" or
name = "keysIn" or
name = "map" or
name = "mapKeys" or
name = "mapValues" or
name = "matches" or
name = "matchesProperty" or
name = "memoize" or
name = "merge" or
name = "mergeWith" or
name = "method" or
name = "methodOf" or
name = "mixin" or
name = "negate" or
name = "nthArg" or
name = "omit" or
name = "omitBy" or
name = "once" or
name = "orderBy" or
name = "over" or
name = "overArgs" or
name = "overEvery" or
name = "overSome" or
name = "partial" or
name = "partialRight" or
name = "partition" or
name = "pick" or
name = "pickBy" or
name = "property" or
name = "propertyOf" or
name = "pull" or
name = "pullAll" or
name = "pullAllBy" or
name = "pullAllWith" or
name = "pullAt" or
name = "range" or
name = "rangeRight" or
name = "rearg" or
name = "reject" or
name = "remove" or
name = "rest" or
name = "reverse" or
name = "sampleSize" or
name = "set" or
name = "setWith" or
name = "shuffle" or
name = "slice" or
name = "sortBy" or
name = "sortedUniq" or
name = "sortedUniqBy" or
name = "split" or
name = "spread" or
name = "tail" or
name = "take" or
name = "takeRight" or
name = "takeRightWhile" or
name = "takeWhile" or
name = "tap" or
name = "throttle" or
name = "thru" or
name = "toArray" or
name = "toPairs" or
name = "toPairsIn" or
name = "toPath" or
name = "toPlainObject" or
name = "transform" or
name = "unary" or
name = "union" or
name = "unionBy" or
name = "unionWith" or
name = "uniq" or
name = "uniqBy" or
name = "uniqWith" or
name = "unset" or
name = "unzip" or
name = "unzipWith" or
name = "update" or
name = "updateWith" or
name = "values" or
name = "valuesIn" or
name = "without" or
name = "words" or
name = "wrap" or
name = "xor" or
name = "xorBy" or
name = "xorWith" or
name = "zip" or
name = "zipObject" or
name = "zipObjectDeep" or
name = "zipWith" or
name = "entries" or
name = "entriesIn" or
name = "extend" or
name = "extendWith" or
name = "add" or
name = "attempt" or
name = "camelCase" or
name = "capitalize" or
name = "ceil" or
name = "clamp" or
name = "clone" or
name = "cloneDeep" or
name = "cloneDeepWith" or
name = "cloneWith" or
name = "conformsTo" or
name = "deburr" or
name = "defaultTo" or
name = "divide" or
name = "endsWith" or
name = "eq" or
name = "escape" or
name = "escapeRegExp" or
name = "every" or
name = "find" or
name = "findIndex" or
name = "findKey" or
name = "findLast" or
name = "findLastIndex" or
name = "findLastKey" or
name = "floor" or
name = "forEach" or
name = "forEachRight" or
name = "forIn" or
name = "forInRight" or
name = "forOwn" or
name = "forOwnRight" or
name = "get" or
name = "gt" or
name = "gte" or
name = "has" or
name = "hasIn" or
name = "head" or
name = "identity" or
name = "includes" or
name = "indexOf" or
name = "inRange" or
name = "invoke" or
name = "isArguments" or
name = "isArray" or
name = "isArrayBuffer" or
name = "isArrayLike" or
name = "isArrayLikeObject" or
name = "isBoolean" or
name = "isBuffer" or
name = "isDate" or
name = "isElement" or
name = "isEmpty" or
name = "isEqual" or
name = "isEqualWith" or
name = "isError" or
name = "isFinite" or
name = "isFunction" or
name = "isInteger" or
name = "isLength" or
name = "isMap" or
name = "isMatch" or
name = "isMatchWith" or
name = "isNaN" or
name = "isNative" or
name = "isNil" or
name = "isNull" or
name = "isNumber" or
name = "isObject" or
name = "isObjectLike" or
name = "isPlainObject" or
name = "isRegExp" or
name = "isSafeInteger" or
name = "isSet" or
name = "isString" or
name = "isSymbol" or
name = "isTypedArray" or
name = "isUndefined" or
name = "isWeakMap" or
name = "isWeakSet" or
name = "join" or
name = "kebabCase" or
name = "last" or
name = "lastIndexOf" or
name = "lowerCase" or
name = "lowerFirst" or
name = "lt" or
name = "lte" or
name = "max" or
name = "maxBy" or
name = "mean" or
name = "meanBy" or
name = "min" or
name = "minBy" or
name = "stubArray" or
name = "stubFalse" or
name = "stubObject" or
name = "stubString" or
name = "stubTrue" or
name = "multiply" or
name = "nth" or
name = "noConflict" or
name = "noop" or
name = "now" or
name = "pad" or
name = "padEnd" or
name = "padStart" or
name = "parseInt" or
name = "random" or
name = "reduce" or
name = "reduceRight" or
name = "repeat" or
name = "replace" or
name = "result" or
name = "round" or
name = "runInContext" or
name = "sample" or
name = "size" or
name = "snakeCase" or
name = "some" or
name = "sortedIndex" or
name = "sortedIndexBy" or
name = "sortedIndexOf" or
name = "sortedLastIndex" or
name = "sortedLastIndexBy" or
name = "sortedLastIndexOf" or
name = "startCase" or
name = "startsWith" or
name = "subtract" or
name = "sum" or
name = "sumBy" or
name = "template" or
name = "times" or
name = "toFinite" or
name = "toInteger" or
name = "toLength" or
name = "toLower" or
name = "toNumber" or
name = "toSafeInteger" or
name = "toString" or
name = "toUpper" or
name = "trim" or
name = "trimEnd" or
name = "trimStart" or
name = "truncate" or
name = "unescape" or
name = "uniqueId" or
name = "upperCase" or
name = "upperFirst" or
name = "each" or
name = "eachRight" or
name = "first"
name =
[
"templateSettings", "after", "ary", "assign", "assignIn", "assignInWith", "assignWith",
"at", "before", "bind", "bindAll", "bindKey", "castArray", "chain", "chunk", "compact",
"concat", "cond", "conforms", "constant", "countBy", "create", "curry", "curryRight",
"debounce", "defaults", "defaultsDeep", "defer", "delay", "difference", "differenceBy",
"differenceWith", "drop", "dropRight", "dropRightWhile", "dropWhile", "fill", "filter",
"flatMap", "flatMapDeep", "flatMapDepth", "flatten", "flattenDeep", "flattenDepth", "flip",
"flow", "flowRight", "fromPairs", "functions", "functionsIn", "groupBy", "initial",
"intersection", "intersectionBy", "intersectionWith", "invert", "invertBy", "invokeMap",
"iteratee", "keyBy", "keys", "keysIn", "map", "mapKeys", "mapValues", "matches",
"matchesProperty", "memoize", "merge", "mergeWith", "method", "methodOf", "mixin", "negate",
"nthArg", "omit", "omitBy", "once", "orderBy", "over", "overArgs", "overEvery", "overSome",
"partial", "partialRight", "partition", "pick", "pickBy", "property", "propertyOf", "pull",
"pullAll", "pullAllBy", "pullAllWith", "pullAt", "range", "rangeRight", "rearg", "reject",
"remove", "rest", "reverse", "sampleSize", "set", "setWith", "shuffle", "slice", "sortBy",
"sortedUniq", "sortedUniqBy", "split", "spread", "tail", "take", "takeRight",
"takeRightWhile", "takeWhile", "tap", "throttle", "thru", "toArray", "toPairs", "toPairsIn",
"toPath", "toPlainObject", "transform", "unary", "union", "unionBy", "unionWith", "uniq",
"uniqBy", "uniqWith", "unset", "unzip", "unzipWith", "update", "updateWith", "values",
"valuesIn", "without", "words", "wrap", "xor", "xorBy", "xorWith", "zip", "zipObject",
"zipObjectDeep", "zipWith", "entries", "entriesIn", "extend", "extendWith", "add",
"attempt", "camelCase", "capitalize", "ceil", "clamp", "clone", "cloneDeep",
"cloneDeepWith", "cloneWith", "conformsTo", "deburr", "defaultTo", "divide", "endsWith",
"eq", "escape", "escapeRegExp", "every", "find", "findIndex", "findKey", "findLast",
"findLastIndex", "findLastKey", "floor", "forEach", "forEachRight", "forIn", "forInRight",
"forOwn", "forOwnRight", "get", "gt", "gte", "has", "hasIn", "head", "identity", "includes",
"indexOf", "inRange", "invoke", "isArguments", "isArray", "isArrayBuffer", "isArrayLike",
"isArrayLikeObject", "isBoolean", "isBuffer", "isDate", "isElement", "isEmpty", "isEqual",
"isEqualWith", "isError", "isFinite", "isFunction", "isInteger", "isLength", "isMap",
"isMatch", "isMatchWith", "isNaN", "isNative", "isNil", "isNull", "isNumber", "isObject",
"isObjectLike", "isPlainObject", "isRegExp", "isSafeInteger", "isSet", "isString",
"isSymbol", "isTypedArray", "isUndefined", "isWeakMap", "isWeakSet", "join", "kebabCase",
"last", "lastIndexOf", "lowerCase", "lowerFirst", "lt", "lte", "max", "maxBy", "mean",
"meanBy", "min", "minBy", "stubArray", "stubFalse", "stubObject", "stubString", "stubTrue",
"multiply", "nth", "noConflict", "noop", "now", "pad", "padEnd", "padStart", "parseInt",
"random", "reduce", "reduceRight", "repeat", "replace", "result", "round", "runInContext",
"sample", "size", "snakeCase", "some", "sortedIndex", "sortedIndexBy", "sortedIndexOf",
"sortedLastIndex", "sortedLastIndexBy", "sortedLastIndexOf", "startCase", "startsWith",
"subtract", "sum", "sumBy", "template", "times", "toFinite", "toInteger", "toLength",
"toLower", "toNumber", "toSafeInteger", "toString", "toUpper", "trim", "trimEnd",
"trimStart", "truncate", "unescape", "uniqueId", "upperCase", "upperFirst", "each",
"eachRight", "first"
]
}
/**
@ -363,27 +101,9 @@ module LodashUnderscore {
exists(DataFlow::CallNode call, string name |
// Members ending with By, With, or While indicate that they are a variant of
// another function that takes a callback.
name.matches("%By") or
name.matches("%With") or
name.matches("%While") or
name.matches(["%By", "%With", "%While"]) or
// Other members that don't fit the above pattern.
name = "each" or
name = "eachRight" or
name = "every" or
name = "filter" or
name = "find" or
name = "findLast" or
name = "flatMap" or
name = "flatMapDeep" or
name = "flatMapDepth" or
name = "forEach" or
name = "forEachRight" or
name = "partition" or
name = "reduce" or
name = "reduceRight" or
name = "replace" or
name = "some" or
name = "transform"
name = ["each", "eachRight", "every", "filter", "find", "findLast", "flatMap", "flatMapDeep", "flatMapDepth", "forEach", "forEachRight", "partition", "reduce", "reduceRight", "replace", "some", "transform"]
|
call = member(name).getACall() and
pred = call.getAnArgument().(DataFlow::FunctionNode).getExceptionalReturn() and
@ -462,86 +182,72 @@ private class LodashCallbackAsPartialInvoke extends DataFlow::PartialInvokeNode:
getNumArgument() = argumentCount
|
(
name = "bind" or
name = "callback" or
name = "iteratee"
name = ["bind", "callback", "iteratee"]
) and
callbackIndex = 0 and
contextIndex = 1 and
argumentCount = 2
or
(
name = "all" or
name = "any" or
name = "collect" or
name = "countBy" or
name = "detect" or
name = "dropRightWhile" or
name = "dropWhile" or
name = "each" or
name = "eachRight" or
name = "every" or
name = "filter" or
name = "find" or
name = "findIndex" or
name = "findKey" or
name = "findLast" or
name = "findLastIndex" or
name = "findLastKey" or
name = "forEach" or
name = "forEachRight" or
name = "forIn" or
name = "forInRight" or
name = "groupBy" or
name = "indexBy" or
name = "map" or
name = "mapKeys" or
name = "mapValues" or
name = "max" or
name = "min" or
name = "omit" or
name = "partition" or
name = "pick" or
name = "reject" or
name = "remove" or
name = "select" or
name = "some" or
name = "sortBy" or
name = "sum" or
name = "takeRightWhile" or
name = "takeWhile" or
name = "tap" or
name = "thru" or
name = "times" or
name = "unzipWith" or
name = "zipWith"
name = [
"all",
"any",
"collect",
"countBy",
"detect",
"dropRightWhile",
"dropWhile",
"each",
"eachRight",
"every",
"filter",
"find",
"findIndex",
"findKey",
"findLast",
"findLastIndex",
"findLastKey",
"forEach",
"forEachRight",
"forIn",
"forInRight",
"groupBy",
"indexBy",
"map",
"mapKeys",
"mapValues",
"max",
"min",
"omit",
"partition",
"pick",
"reject",
"remove",
"select",
"some",
"sortBy",
"sum",
"takeRightWhile",
"takeWhile",
"tap",
"thru",
"times",
"unzipWith",
"zipWith"]
) and
callbackIndex = 1 and
contextIndex = 2 and
argumentCount = 3
or
(
name = "foldl" or
name = "foldr" or
name = "inject" or
name = "reduce" or
name = "reduceRight" or
name = "transform"
name = ["foldl", "foldr", "inject", "reduce", "reduceRight", "transform"]
) and
callbackIndex = 1 and
contextIndex = 3 and
argumentCount = 4
or
(
name = "sortedlastIndex"
or
name = "assign"
or
name = "eq"
or
name = "extend"
or
name = "merge"
name = ["sortedlastIndex", "assign", "eq", "extend", "merge"]
or
name = "sortedIndex" and
name = "uniq"

19
javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffix.qll
Просмотреть файл

@ -29,20 +29,11 @@ module TaintedUrlSuffix {
/** Holds for `pred -> succ` is a step of form `x -> x.p` */
private predicate isSafeLocationProp(DataFlow::PropRead read) {
// Ignore properties that refer to the scheme, domain, port, auth, or path.
exists(string name | name = read.getPropertyName() |
name = "protocol" or
name = "scheme" or
name = "host" or
name = "hostname" or
name = "domain" or
name = "origin" or
name = "port" or
name = "path" or
name = "pathname" or
name = "username" or
name = "password" or
name = "auth"
)
read.getPropertyName() =
[
"protocol", "scheme", "host", "hostname", "domain", "origin", "port", "path", "pathname",
"username", "password", "auth"
]
}
/**

16
javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
Просмотреть файл

@ -88,12 +88,7 @@ module ClientSideUrlRedirect {
class LocationSink extends Sink, DataFlow::ValueNode {
LocationSink() {
// A call to a `window.navigate` or `window.open`
exists(string name |
name = "navigate" or
name = "open" or
name = "openDialog" or
name = "showModalDialog"
|
exists(string name | name = ["navigate", "open", "openDialog", "showModalDialog"] |
this = DataFlow::globalVarRef(name).getACall().getArgument(0)
)
or
@ -102,7 +97,7 @@ module ClientSideUrlRedirect {
locationCall = DOM::locationRef().getAMethodCall(name) and
this = locationCall.getArgument(0)
|
name = "replace" or name = "assign"
name = ["replace", "assign"]
)
or
// An assignment to `location`
@ -113,7 +108,7 @@ module ClientSideUrlRedirect {
pw = DOM::locationRef().getAPropertyWrite(propName) and
this = pw.getRhs()
|
propName = "href" or propName = "protocol" or propName = "hostname"
propName = ["href", "protocol", "hostname"]
)
or
// A redirection using the AngularJS `$location` service
@ -153,9 +148,8 @@ module ClientSideUrlRedirect {
*/
class SrcAttributeUrlSink extends ScriptUrlSink, DataFlow::ValueNode {
SrcAttributeUrlSink() {
exists(DOM::AttributeDefinition attr, string eltName |
attr.getElement().getName() = eltName and
(eltName = "script" or eltName = "iframe") and
exists(DOM::AttributeDefinition attr |
attr.getElement().getName() = ["script", "iframe"] and
attr.getName() = "src" and
this = attr.getValueNode()
)

72
javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionCustomizations.qll
Просмотреть файл

@ -115,66 +115,18 @@ module LoopBoundInjection {
* Holds if `name` is a method from lodash vulnerable to a DoS attack if called with a tainted object.
*/
predicate loopableLodashMethod(string name) {
name = "chunk" or
name = "compact" or
name = "difference" or
name = "differenceBy" or
name = "differenceWith" or
name = "drop" or
name = "dropRight" or
name = "dropRightWhile" or
name = "dropWhile" or
name = "fill" or
name = "findIndex" or
name = "findLastIndex" or
name = "flatten" or
name = "flattenDeep" or
name = "flattenDepth" or
name = "initial" or
name = "intersection" or
name = "intersectionBy" or
name = "intersectionWith" or
name = "join" or
name = "remove" or
name = "reverse" or
name = "slice" or
name = "sortedUniq" or
name = "sortedUniqBy" or
name = "tail" or
name = "union" or
name = "unionBy" or
name = "unionWith" or
name = "uniqBy" or
name = "unzip" or
name = "unzipWith" or
name = "without" or
name = "zip" or
name = "zipObject" or
name = "zipObjectDeep" or
name = "zipWith" or
name = "countBy" or
name = "each" or
name = "forEach" or
name = "eachRight" or
name = "forEachRight" or
name = "filter" or
name = "find" or
name = "findLast" or
name = "flatMap" or
name = "flatMapDeep" or
name = "flatMapDepth" or
name = "forEach" or
name = "forEachRight" or
name = "groupBy" or
name = "invokeMap" or
name = "keyBy" or
name = "map" or
name = "orderBy" or
name = "partition" or
name = "reduce" or
name = "reduceRight" or
name = "reject" or
name = "sortBy"
name =
[
"chunk", "compact", "difference", "differenceBy", "differenceWith", "drop", "dropRight",
"dropRightWhile", "dropWhile", "fill", "findIndex", "findLastIndex", "flatten",
"flattenDeep", "flattenDepth", "initial", "intersection", "intersectionBy",
"intersectionWith", "join", "remove", "reverse", "slice", "sortedUniq", "sortedUniqBy",
"tail", "union", "unionBy", "unionWith", "uniqBy", "unzip", "unzipWith", "without", "zip",
"zipObject", "zipObjectDeep", "zipWith", "countBy", "each", "forEach", "eachRight",
"forEachRight", "filter", "find", "findLast", "flatMap", "flatMapDeep", "flatMapDepth",
"forEach", "forEachRight", "groupBy", "invokeMap", "keyBy", "map", "orderBy", "partition",
"reduce", "reduceRight", "reject", "sortBy"
]
}
/**

15
javascript/ql/src/Statements/UseOfReturnlessFunction.ql
Просмотреть файл

@ -111,16 +111,11 @@ predicate callToVoidFunction(DataFlow::CallNode call, Function func) {
* and the callback is expected to return a value.
*/
predicate hasNonVoidCallbackMethod(string name) {
name = "every" or
name = "filter" or
name = "find" or
name = "findIndex" or
name = "flatMap" or
name = "map" or
name = "reduce" or
name = "reduceRight" or
name = "some" or
name = "sort"
name =
[
"every", "filter", "find", "findIndex", "flatMap", "map", "reduce", "reduceRight", "some",
"sort"
]
}
DataFlow::SourceNode array(DataFlow::TypeTracker t) {

22
javascript/ql/src/meta/Consistency.ql
Просмотреть файл

@ -37,22 +37,12 @@ predicate exprWithoutEnclosingStmt(Expr e) {
* `"3 results for toString()"`.
*/
predicate uniqueness_error(int number, string what, string problem) {
(
what = "toString" or
what = "getLocation" or
what = "getTopLevel" or
what = "getEnclosingStmt" or
what = "getContainer" or
what = "getEnclosingContainer" or
what = "getEntry" or
what = "getExit" or
what = "getFirstControlFlowNode" or
what = "getOuterScope" or
what = "getScopeElement" or
what = "getBaseName" or
what = "getOperator" or
what = "getTest"
) and
what =
[
"toString", "getLocation", "getTopLevel", "getEnclosingStmt", "getContainer",
"getEnclosingContainer", "getEntry", "getExit", "getFirstControlFlowNode", "getOuterScope",
"getScopeElement", "getBaseName", "getOperator", "getTest"
] and
(
number = 0 and problem = "no results for " + what + "()"
or