JS: split XmlBomb.qll

Esben Sparre Andreasen · Esben Sparre Andreasen · commit 6d5b84fa88b1 · 2019-07-04T22:42:55.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/XmlBomb.qll b/javascript/ql/src/semmle/javascript/security/dataflow/XmlBomb.qll
@@ -1,26 +1,16 @@
 /**
- * Provides a taint tracking configuration for reasoning about XML-bomb
- * vulnerabilities.
+ * Provides a taint tracking configuration for reasoning about
+ * XML-bomb vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `XmlBomb::Configuration` is needed, otherwise
+ * `XmlBombCustomizations` should be imported instead.
  */
 
 import javascript
-import semmle.javascript.security.dataflow.DOM
 
 module XmlBomb {
-  /**
-   * A data flow source for XML-bomb vulnerabilities.
-   */
-  abstract class Source extends DataFlow::Node { }
-
-  /**
-   * A data flow sink for XML-bomb vulnerabilities.
-   */
-  abstract class Sink extends DataFlow::Node { }
-
-  /**
-   * A sanitizer for XML-bomb vulnerabilities.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
+  import XmlBombCustomizations::XmlBomb
 
   /**
    * A taint-tracking configuration for reasoning about XML-bomb vulnerabilities.
@@ -37,28 +27,4 @@ module XmlBomb {
       node instanceof Sanitizer
     }
   }
-
-  /** A source of remote user input, considered as a flow source for XML bomb vulnerabilities. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
-  }
-
-  /**
-   * An access to `document.location`, considered as a flow source for XML bomb vulnerabilities.
-   */
-  class LocationAsSource extends Source, DataFlow::ValueNode {
-    LocationAsSource() { isLocation(astNode) }
-  }
-
-  /**
-   * A call to an XML parser that performs internal entity expansion, viewed
-   * as a data flow sink for XML-bomb vulnerabilities.
-   */
-  class XmlParsingWithEntityResolution extends Sink, DataFlow::ValueNode {
-    XmlParsingWithEntityResolution() {
-      exists(XML::ParserInvocation parse | astNode = parse.getSourceArgument() |
-        parse.resolvesEntities(XML::InternalEntity())
-      )
-    }
-  }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/XmlBombCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/XmlBombCustomizations.qll
@@ -0,0 +1,49 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * XML-bomb vulnerabilities, as well as extension points for adding
+ * your own.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.DOM
+
+module XmlBomb {
+  /**
+   * A data flow source for XML-bomb vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for XML-bomb vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for XML-bomb vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** A source of remote user input, considered as a flow source for XML bomb vulnerabilities. */
+  class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  }
+
+  /**
+   * An access to `document.location`, considered as a flow source for XML bomb vulnerabilities.
+   */
+  class LocationAsSource extends Source, DataFlow::ValueNode {
+    LocationAsSource() { isLocation(astNode) }
+  }
+
+  /**
+   * A call to an XML parser that performs internal entity expansion, viewed
+   * as a data flow sink for XML-bomb vulnerabilities.
+   */
+  class XmlParsingWithEntityResolution extends Sink, DataFlow::ValueNode {
+    XmlParsingWithEntityResolution() {
+      exists(XML::ParserInvocation parse | astNode = parse.getSourceArgument() |
+        parse.resolvesEntities(XML::InternalEntity())
+      )
+    }
+  }
+}
