
Commit b34df9f

committed
JS: Autoformat
1 parent f737f34 commit b34df9f


1 file changed

+34
-13
lines changed


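--- a/javascript/ql/src/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataCustomizations.qll
@@ -77,7 +77,11 @@ module ExternalAPIUsedWithUntrustedData {
 private class DefaultSafeExternalAPIPackage extends SafeExternalAPIPackage {
 DefaultSafeExternalAPIPackage() {
 // Promise libraries are safe and generate too much noise if included
-this = ["bluebird", "q", "deferred", "when", "promise", "promises", "es6-promise", "promise-polyfill"]
+this =
+[
+"bluebird", "q", "deferred", "when", "promise", "promises", "es6-promise",
+"promise-polyfill"
+]
 }
 }
 
@@ -177,7 +181,9 @@ module ExternalAPIUsedWithUntrustedData {
 private string getSimplifiedName(API::Node node) {
 node = API::moduleImport(result)
 or
-exists(API::Node base, string basename | getDepth(base) < getDepth(node) and basename = getSimplifiedName(base) |
+exists(API::Node base, string basename |
+getDepth(base) < getDepth(node) and basename = getSimplifiedName(base)
+|
 // In practice there is no need to distinguish between 'new X' and 'X()'
 node = [base.getInstance(), base.getReturn()] and
 result = basename + "()"
@@ -215,9 +221,13 @@ module ExternalAPIUsedWithUntrustedData {
 result = basename + ".[callback].[param '" + paramName + "']"
 or
 exists(string callbackName, string index |
-node = getNamedParameter(base.getASuccessor("parameter " + index).getMember(callbackName), paramName) and
+node =
+getNamedParameter(base.getASuccessor("parameter " + index).getMember(callbackName),
+paramName) and
 index != "-1" and // ignore receiver
-result = basename + ".[callback " + index + " '" + callbackName + "'].[param '" + paramName + "']"
+result =
+basename + ".[callback " + index + " '" + callbackName + "'].[param '" + paramName +
+"']"
 )
 )
 )
@@ -251,7 +261,9 @@ module ExternalAPIUsedWithUntrustedData {
 // Ignore arguments to a method such as 'indexOf' that's likely called on a string or array value
 not isCommonBuiltinMethodName(this.(DataFlow::CallNode).getCalleeName()) and
 // Not already modeled as a flow/taint step
-not exists(DataFlow::Node arg | arg = this.getAnArgument() and not arg instanceof DeepObjectSink |
+not exists(DataFlow::Node arg |
+arg = this.getAnArgument() and not arg instanceof DeepObjectSink
+|
 any(TaintTracking::AdditionalTaintStep s).step(arg, _)
 or
 exists(DataFlow::AdditionalFlowStep s |
@@ -305,9 +317,7 @@ module ExternalAPIUsedWithUntrustedData {
 )
 }
 
-override string getApiName() {
-result = invoke.getApiName() + " [param *]"
-}
+override string getApiName() { result = invoke.getApiName() + " [param *]" }
 }
 
 /** A "named argument" to an external API call, seen as a sink. */
@@ -317,7 +327,7 @@ module ExternalAPIUsedWithUntrustedData {
 string prop;
 
 NamedParameterSink() {
-exists (DataFlow::ObjectLiteralNode object, DataFlow::PropWrite write |
+exists(DataFlow::ObjectLiteralNode object, DataFlow::PropWrite write |
 object = invoke.getArgument(index) and
 isNamedArgumentObject(object) and
 write = object.getAPropertyWrite() and
@@ -331,7 +341,9 @@ module ExternalAPIUsedWithUntrustedData {
 )
 }
 
-override string getApiName() { result = invoke.getApiName() + " [param " + index + " '" + prop + "']" }
+override string getApiName() {
+result = invoke.getApiName() + " [param " + index + " '" + prop + "']"
+}
 }
 
 /** The return value from a direct callback to an external API call, seen as a sink */
@@ -345,7 +357,9 @@ module ExternalAPIUsedWithUntrustedData {
 not invoke.getCalleeName() = ["then", "catch", "finally"]
 }
 
-override string getApiName() { result = invoke.getApiName() + " [callback " + index + " result]" }
+override string getApiName() {
+result = invoke.getApiName() + " [callback " + index + " result]"
+}
 }
 
 /** The return value from a named callback to an external API call, seen as a sink. */
@@ -355,9 +369,16 @@ module ExternalAPIUsedWithUntrustedData {
 string prop;
 
 NamedCallbackSink() {
-this = invoke.getOptionArgument(index, prop).getALocalSource().(DataFlow::FunctionNode).getAReturn()
+this =
+invoke
+.getOptionArgument(index, prop)
+.getALocalSource()
+.(DataFlow::FunctionNode)
+.getAReturn()
 }
 
-override string getApiName() { result = invoke.getApiName() + " [callback " + index + " '" + prop + "' result]" }
+override string getApiName() {
+result = invoke.getApiName() + " [callback " + index + " '" + prop + "' result]"
+}
 }
 }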
