JS: Don't create new flow labels in *Customizations.qll files

asgerf · asgerf · commit 42fc4ff78c5d · 2020-10-16T07:12:29.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirect.qll b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirect.qll
@@ -14,6 +14,11 @@ import UrlConcatenation
 module ClientSideUrlRedirect {
   import ClientSideUrlRedirectCustomizations::ClientSideUrlRedirect
 
+  // Materialize flow labels
+  private class ConcreteDocumentUrl extends DocumentUrl {
+    ConcreteDocumentUrl() { this = this }
+  }
+
   /**
    * A taint-tracking configuration for reasoning about unvalidated URL redirections.
    */
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
@@ -29,7 +29,7 @@ module ClientSideUrlRedirect {
    * A flow label for values that represent the URL of the current document, and
    * hence are only partially user-controlled.
    */
-  class DocumentUrl extends DataFlow::FlowLabel {
+  abstract class DocumentUrl extends DataFlow::FlowLabel {
     DocumentUrl() { this = "document.url" }
   }
 
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/InsecureDownload.qll b/javascript/ql/src/semmle/javascript/security/dataflow/InsecureDownload.qll
@@ -14,6 +14,14 @@ import javascript
 module InsecureDownload {
   import InsecureDownloadCustomizations::InsecureDownload
 
+  // Materialize flow labels
+  private class ConcreteSensitiveInsecureURL extends Label::SensitiveInsecureURL {
+    ConcreteSensitiveInsecureURL() { this = this }
+  }
+  private class ConcreteInsecureURL extends Label::InsecureURL {
+    ConcreteInsecureURL() { this = this }
+  }
+
   /**
    * A taint tracking configuration for download of sensitive file through insecure connection.
    */
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/PostMessageStar.qll b/javascript/ql/src/semmle/javascript/security/dataflow/PostMessageStar.qll
@@ -12,6 +12,11 @@ import javascript
 module PostMessageStar {
   import PostMessageStarCustomizations::PostMessageStar
 
+  // Materialize flow labels
+  private class ConcretePartiallyTaintedObject extends PartiallyTaintedObject {
+    ConcretePartiallyTaintedObject() { this = this }
+  }
+
   /**
    * A taint tracking configuration for cross-window communication with unrestricted origin.
    *
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/PostMessageStarCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/PostMessageStarCustomizations.qll
@@ -26,7 +26,7 @@ module PostMessageStar {
   /**
    * A flow label representing an object with at least one tainted property.
    */
-  class PartiallyTaintedObject extends DataFlow::FlowLabel {
+  abstract class PartiallyTaintedObject extends DataFlow::FlowLabel {
     PartiallyTaintedObject() { this = "partially tainted object" }
   }
 
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/PrototypePollution.qll b/javascript/ql/src/semmle/javascript/security/dataflow/PrototypePollution.qll
@@ -15,6 +15,11 @@ import semmle.javascript.dependencies.SemVer
 module PrototypePollution {
   import PrototypePollutionCustomizations::PrototypePollution
 
+  // Materialize flow labels
+  private class ConcreteTaintedObjectWrapper extends TaintedObjectWrapper {
+    ConcreteTaintedObjectWrapper() { this = this }
+  }
+
   /**
    * A taint tracking configuration for user-controlled objects flowing into deep `extend` calls,
    * leading to prototype pollution.
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/PrototypePollutionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/PrototypePollutionCustomizations.qll
@@ -24,11 +24,13 @@ module PrototypePollution {
    * }
    * ```
    */
-  module TaintedObjectWrapper {
-    private class TaintedObjectWrapper extends DataFlow::FlowLabel {
-      TaintedObjectWrapper() { this = "tainted-object-wrapper" }
-    }
+  abstract class TaintedObjectWrapper extends DataFlow::FlowLabel {
+    TaintedObjectWrapper() { this = "tainted-object-wrapper" }
+  }
 
+  /** Companion module to the `TaintedObjectWrapper` class. */
+  module TaintedObjectWrapper {
+    /** Gets the instance of the `TaintedObjectWrapper` label. */
     TaintedObjectWrapper label() { any() }
   }
 
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
@@ -12,6 +12,14 @@ import javascript
 module TaintedPath {
   import TaintedPathCustomizations::TaintedPath
 
+  // Materialize flow labels
+  private class ConcretePosixPath extends Label::PosixPath {
+    ConcretePosixPath() { this = this }
+  }
+  private class ConcreteSplitPath extends Label::SplitPath {
+    ConcreteSplitPath() { this = this }
+  }
+
   /**
    * A taint-tracking configuration for reasoning about tainted-path vulnerabilities.
    */
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -55,7 +55,7 @@ module TaintedPath {
      * There are currently four flow labels, representing the different combinations of
      * normalization and absoluteness.
      */
-    class PosixPath extends DataFlow::FlowLabel {
+    abstract class PosixPath extends DataFlow::FlowLabel {
       Normalization normalization;
       Relativeness relativeness;
 
@@ -113,7 +113,7 @@ module TaintedPath {
     /**
      * A flow label representing an array of path elements that may include "..".
      */
-    class SplitPath extends DataFlow::FlowLabel {
+    abstract class SplitPath extends DataFlow::FlowLabel {
       SplitPath() { this = "splitPath" }
     }
   }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccess.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccess.qll
@@ -14,6 +14,11 @@ module UnsafeDynamicMethodAccess {
   private import DataFlow::FlowLabel
   import UnsafeDynamicMethodAccessCustomizations::UnsafeDynamicMethodAccess
 
+  // Materialize flow labels
+  private class ConcreteUnsafeFunction extends UnsafeFunction {
+    ConcreteUnsafeFunction() { this = this }
+  }
+
   /**
    * A taint-tracking configuration for reasoning about unsafe dynamic method access.
    */
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessCustomizations.qll
@@ -43,7 +43,11 @@ module UnsafeDynamicMethodAccess {
    */
   UnsafeFunction unsafeFunction() { any() }
 
-  private class UnsafeFunction extends DataFlow::FlowLabel {
+  /**
+   * Flow label describing values that may refer to an unsafe
+   * function as a result of an attacker-controlled property name.
+   */
+  abstract class UnsafeFunction extends DataFlow::FlowLabel {
     UnsafeFunction() { this = "UnsafeFunction" }
   }
 
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCall.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCall.qll
@@ -17,6 +17,14 @@ module UnvalidatedDynamicMethodCall {
   import UnvalidatedDynamicMethodCallCustomizations::UnvalidatedDynamicMethodCall
   private import DataFlow::FlowLabel
 
+  // Materialize flow labels
+  private class ConcreteMaybeNonFunction extends MaybeNonFunction {
+    ConcreteMaybeNonFunction() { this = this }
+  }
+  private class ConcreteMaybeFromProto extends MaybeFromProto {
+    ConcreteMaybeFromProto() { this = this }
+  }
+
   /**
    * A taint-tracking configuration for reasoning about unvalidated dynamic method calls.
    */
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/UnvalidatedDynamicMethodCallCustomizations.qll
@@ -43,15 +43,15 @@ module UnvalidatedDynamicMethodCall {
    * A flow label describing values read from a user-controlled property that
    * may not be functions.
    */
-  class MaybeNonFunction extends DataFlow::FlowLabel {
+  abstract class MaybeNonFunction extends DataFlow::FlowLabel {
     MaybeNonFunction() { this = "MaybeNonFunction" }
   }
 
   /**
    * A flow label describing values read from a user-controlled property that
    * may originate from a prototype object.
    */
-  class MaybeFromProto extends DataFlow::FlowLabel {
+  abstract class MaybeFromProto extends DataFlow::FlowLabel {
     MaybeFromProto() { this = "MaybeFromProto" }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ module ClientSideUrlRedirect {`
`29`	`29`	`* A flow label for values that represent the URL of the current document, and`
`30`	`30`	`* hence are only partially user-controlled.`
`31`	`31`	`*/`
`32`		`- class DocumentUrl extends DataFlow::FlowLabel {`
	`32`	`+ abstract class DocumentUrl extends DataFlow::FlowLabel {`
`33`	`33`	`DocumentUrl() { this = "document.url" }`
`34`	`34`	`}`
`35`	`35`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ module PostMessageStar {`
`26`	`26`	`/**`
`27`	`27`	`* A flow label representing an object with at least one tainted property.`
`28`	`28`	`*/`
`29`		`- class PartiallyTaintedObject extends DataFlow::FlowLabel {`
	`29`	`+ abstract class PartiallyTaintedObject extends DataFlow::FlowLabel {`
`30`	`30`	`PartiallyTaintedObject() { this = "partially tainted object" }`
`31`	`31`	`}`
`32`	`32`