diff --git a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.model.yml b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.model.yml index ce6e0f684257..43035615a126 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.model.yml +++ b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.model.yml @@ -8,9 +8,3 @@ extensions: - ['global', 'Member[process].Member[stdin].Member[on,addListener].WithStringArgument[0=data].Argument[1].Parameter[0]', 'stdin'] - ['readline', 'Member[createInterface].ReturnValue.Member[question].Argument[1].Parameter[0]', 'stdin'] - ['readline', 'Member[createInterface].ReturnValue.Member[on,addListener].WithStringArgument[0=line].Argument[1].Parameter[0]', 'stdin'] - - - addsTo: - pack: codeql/javascript-all - extensible: barrierModel - data: - - ['global', 'Member[encodeURIComponent,encodeURI].ReturnValue', 'request-forgery'] diff --git a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll index e67b9e0d38cb..aa43f4607d86 100644 --- a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll @@ -82,4 +82,8 @@ module CorsPermissiveConfiguration { ) } } + + private class SanitizerFromModel extends Sanitizer { + SanitizerFromModel() { ModelOutput::barrierNode(this, "cors-origin") } + } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll index a8d15d0e6989..01fc7ee5e5d9 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll @@ -270,4 +270,8 @@ module ClientSideUrlRedirect { private class SinkFromModel extends Sink { SinkFromModel() { ModelOutput::sinkNode(this, "url-redirection") } } + + private class SanitizerFromModel extends Sanitizer { + SanitizerFromModel() { ModelOutput::barrierNode(this, "url-redirection") } + } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll index 9a72ae4a2315..1d181d975919 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll @@ -438,4 +438,8 @@ module CodeInjection { private class SinkFromModel extends Sink { SinkFromModel() { ModelOutput::sinkNode(this, "code-injection") } } + + private class SanitizerFromModel extends Sanitizer { + SanitizerFromModel() { ModelOutput::barrierNode(this, "code-injection") } + } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll index 6b17adcb773c..b3516a79bf49 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll @@ -58,4 +58,8 @@ module CommandInjection { private class SinkFromModel extends Sink { SinkFromModel() { ModelOutput::sinkNode(this, "command-injection") } } + + private class SanitizerFromModel extends Sanitizer { + SanitizerFromModel() { ModelOutput::barrierNode(this, "command-injection") } + } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll index b7639ccc3aad..b5c0be71f452 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll @@ -421,4 +421,8 @@ module DomBasedXss { private class SinkFromModel extends Sink { SinkFromModel() { ModelOutput::sinkNode(this, "html-injection") } } + + private class SanitizerFromModel extends Sanitizer { + SanitizerFromModel() { ModelOutput::barrierNode(this, "html-injection") } + } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll index 8bd9b290fc6b..54811baf14fd 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/HardcodedCredentialsCustomizations.qll @@ -44,4 +44,14 @@ module HardcodedCredentials { not (super.getCredentialsKind() = "jwt key" and isTestFile(this.getFile())) } } + + /** + * Note that a sanitizer with kind `credentials-key` will sanitize flow to + * all sinks, not just sinks with the same kind. + */ + private class CredentialSanitizerFromModel extends Sanitizer { + CredentialSanitizerFromModel() { + exists(string kind | ModelOutput::barrierNode(this, "credentials-" + kind)) + } + } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll index c93cb07bbc71..f421a92298f9 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IncompleteHtmlAttributeSanitizationCustomizations.qll @@ -101,7 +101,13 @@ module IncompleteHtmlAttributeSanitization { } } - private class SanitizerFromModel extends Sanitizer { - SanitizerFromModel() { ModelOutput::barrierNode(this, "request-forgery") } + /** + * An encoder for potentially malicious characters, as a sanitizer + * for incomplete HTML sanitization vulnerabilities. + */ + class EncodingSanitizer extends Sanitizer { + EncodingSanitizer() { + this = DataFlow::globalVarRef(["encodeURIComponent", "encodeURI"]).getACall() + } } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll index 25474297d09f..6e4dbbf396ed 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll @@ -88,3 +88,7 @@ class JsonStringifySanitizer extends Sanitizer { private class SinkFromModel extends Sink { SinkFromModel() { ModelOutput::sinkNode(this, "log-injection") } } + +private class SanitizerFromModel extends Sanitizer { + SanitizerFromModel() { ModelOutput::barrierNode(this, "log-injection") } +} diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionCustomizations.qll index 36c0601d501c..3d3eaadf9d3d 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionCustomizations.qll @@ -47,4 +47,8 @@ module NosqlInjection { /** An expression interpreted as a NoSql query, viewed as a sink. */ class NosqlQuerySink extends Sink instanceof NoSql::Query { } + + private class SanitizerFromModel extends Sanitizer { + SanitizerFromModel() { ModelOutput::barrierNode(this, "nosql-injection") } + } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll index 82b6e99dc217..87a522df7a5e 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll @@ -147,4 +147,8 @@ module ReflectedXss { private class SinkFromModel extends Sink { SinkFromModel() { ModelOutput::sinkNode(this, "html-injection") } } + + private class SanitizerFromModel extends Sanitizer { + SanitizerFromModel() { ModelOutput::barrierNode(this, "html-injection") } + } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll index de2a1e3c6bf6..8d9310d46c24 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll @@ -114,4 +114,8 @@ module RequestForgery { class UriEncodingSanitizer extends Sanitizer instanceof Xss::Shared::UriEncodingSanitizer { UriEncodingSanitizer() { this.encodesPathSeparators() } } + + private class SanitizerFromModel extends Sanitizer { + SanitizerFromModel() { ModelOutput::barrierNode(this, "request-forgery") } + } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectCustomizations.qll index 18cfaf6f7420..5827e95900da 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectCustomizations.qll @@ -66,4 +66,8 @@ module ServerSideUrlRedirect { private class SinkFromModel extends Sink { SinkFromModel() { ModelOutput::sinkNode(this, "url-redirection") } } + + private class SanitizerFromModel extends Sanitizer { + SanitizerFromModel() { ModelOutput::barrierNode(this, "url-redirection") } + } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll index 8afb65519ad4..6a3a9df41de6 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll @@ -74,4 +74,8 @@ module SqlInjection { ) } } + + private class SanitizerFromModel extends Sanitizer { + SanitizerFromModel() { ModelOutput::barrierNode(this, "sql-injection") } + } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll index bb1da3f4a236..735026095dff 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll @@ -1124,4 +1124,8 @@ module TaintedPath { private class SinkFromModel extends Sink { SinkFromModel() { ModelOutput::sinkNode(this, "path-injection") } } + + private class SanitizerFromModel extends Sanitizer { + SanitizerFromModel() { ModelOutput::barrierNode(this, "path-injection") } + } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll index 82f11ec80030..44ce8d56bcd3 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll @@ -69,4 +69,8 @@ module UnsafeDeserialization { private class SinkFromModel extends Sink { SinkFromModel() { ModelOutput::sinkNode(this, "unsafe-deserialization") } } + + private class SanitizerFromModel extends Sanitizer { + SanitizerFromModel() { ModelOutput::barrierNode(this, "unsafe-deserialization") } + } }