JS: Port experimental EnvValueInjection to ConfigSig

asgerf · asgerf · commit 7e162f5451e6 · 2024-12-03T14:30:17.000+01:00
diff --git a/javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.ql b/javascript/ql/src/experimental/Security/CWE-099/EnvValueInjection.ql
@@ -11,20 +11,21 @@
  */
 
 import javascript
-import DataFlow::PathGraph
 
 /** A taint tracking configuration for unsafe environment injection. */
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "envInjection" }
+module EnvValueInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     sink = API::moduleImport("process").getMember("env").getAMember().asSink()
   }
 }
 
-from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+module EnvValueInjectionFlow = TaintTracking::Global<EnvValueInjectionConfig>;
+
+import EnvValueInjectionFlow::PathGraph
+
+from EnvValueInjectionFlow::PathNode source, EnvValueInjectionFlow::PathNode sink
+where EnvValueInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "this environment variable assignment is $@.",
   source.getNode(), "user controllable"
diff --git a/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.expected b/javascript/ql/test/experimental/Security/CWE-099/EnvValueInjection/EnvValueInjection.expected
@@ -1,26 +1,17 @@
-nodes
-| test.js:4:9:4:20 | { EnvValue } |
-| test.js:4:9:4:31 | EnvValue |
-| test.js:4:11:4:18 | EnvValue |
-| test.js:4:24:4:31 | req.body |
-| test.js:4:24:4:31 | req.body |
-| test.js:5:35:5:42 | EnvValue |
-| test.js:5:35:5:42 | EnvValue |
-| test.js:6:23:6:30 | EnvValue |
-| test.js:6:23:6:30 | EnvValue |
-| test.js:7:22:7:29 | EnvValue |
-| test.js:7:22:7:29 | EnvValue |
 edges
-| test.js:4:9:4:20 | { EnvValue } | test.js:4:11:4:18 | EnvValue |
-| test.js:4:9:4:31 | EnvValue | test.js:5:35:5:42 | EnvValue |
-| test.js:4:9:4:31 | EnvValue | test.js:5:35:5:42 | EnvValue |
-| test.js:4:9:4:31 | EnvValue | test.js:6:23:6:30 | EnvValue |
-| test.js:4:9:4:31 | EnvValue | test.js:6:23:6:30 | EnvValue |
-| test.js:4:9:4:31 | EnvValue | test.js:7:22:7:29 | EnvValue |
-| test.js:4:9:4:31 | EnvValue | test.js:7:22:7:29 | EnvValue |
-| test.js:4:11:4:18 | EnvValue | test.js:4:9:4:31 | EnvValue |
-| test.js:4:24:4:31 | req.body | test.js:4:9:4:20 | { EnvValue } |
-| test.js:4:24:4:31 | req.body | test.js:4:9:4:20 | { EnvValue } |
+| test.js:4:9:4:20 | { EnvValue } | test.js:4:9:4:31 | EnvValue | provenance |  |
+| test.js:4:9:4:31 | EnvValue | test.js:5:35:5:42 | EnvValue | provenance |  |
+| test.js:4:9:4:31 | EnvValue | test.js:6:23:6:30 | EnvValue | provenance |  |
+| test.js:4:9:4:31 | EnvValue | test.js:7:22:7:29 | EnvValue | provenance |  |
+| test.js:4:24:4:31 | req.body | test.js:4:9:4:20 | { EnvValue } | provenance |  |
+nodes
+| test.js:4:9:4:20 | { EnvValue } | semmle.label | { EnvValue } |
+| test.js:4:9:4:31 | EnvValue | semmle.label | EnvValue |
+| test.js:4:24:4:31 | req.body | semmle.label | req.body |
+| test.js:5:35:5:42 | EnvValue | semmle.label | EnvValue |
+| test.js:6:23:6:30 | EnvValue | semmle.label | EnvValue |
+| test.js:7:22:7:29 | EnvValue | semmle.label | EnvValue |
+subpaths
 #select
 | test.js:5:35:5:42 | EnvValue | test.js:4:24:4:31 | req.body | test.js:5:35:5:42 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable |
 | test.js:6:23:6:30 | EnvValue | test.js:4:24:4:31 | req.body | test.js:6:23:6:30 | EnvValue | this environment variable assignment is $@. | test.js:4:24:4:31 | req.body | user controllable |
