JS: Migrate NoSqlInjection

asgerf · asgerf · commit c38e3a23eb79 · 2024-12-13T10:08:12.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionCustomizations.qll
@@ -8,6 +8,8 @@ import javascript
 import semmle.javascript.security.TaintedObject
 
 module NosqlInjection {
+  import semmle.javascript.security.CommonFlowState
+
   /**
    * A data flow source for NoSQL injection vulnerabilities.
    */
@@ -22,7 +24,10 @@ module NosqlInjection {
      *
      * Defaults to deeply tainted objects only.
      */
-    DataFlow::FlowLabel getAFlowLabel() { result = TaintedObject::label() }
+    FlowState getAFlowState() { result.isTaintedObject() }
+
+    /** DEPRECATED. Use `getAFlowState()` instead. */
+    deprecated DataFlow::FlowLabel getAFlowLabel() { result = this.getAFlowState().toFlowLabel() }
   }
 
   /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll
@@ -15,19 +15,17 @@ import NosqlInjectionCustomizations::NosqlInjection
  * A taint-tracking configuration for reasoning about SQL-injection vulnerabilities.
  */
 module NosqlInjectionConfig implements DataFlow::StateConfigSig {
-  class FlowState = DataFlow::FlowLabel;
+  import semmle.javascript.security.CommonFlowState
 
-  predicate isSource(DataFlow::Node source, DataFlow::FlowLabel state) {
+  predicate isSource(DataFlow::Node source, FlowState state) {
     source instanceof Source and state.isTaint()
     or
-    TaintedObject::isSource(source, state)
+    source instanceof TaintedObject::Source and state.isTaintedObject()
   }
 
-  predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel state) {
-    sink.(Sink).getAFlowLabel() = state
-  }
+  predicate isSink(DataFlow::Node sink, FlowState state) { sink.(Sink).getAFlowState() = state }
 
-  predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel state) {
+  predicate isBarrier(DataFlow::Node node, FlowState state) {
     node instanceof Sanitizer and state.isTaint()
     or
     TaintTracking::defaultSanitizer(node) and state.isTaint()
@@ -36,14 +34,13 @@ module NosqlInjectionConfig implements DataFlow::StateConfigSig {
   }
 
   predicate isAdditionalFlowStep(
-    DataFlow::Node node1, DataFlow::FlowLabel state1, DataFlow::Node node2,
-    DataFlow::FlowLabel state2
+    DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
   ) {
-    TaintedObject::step(node1, node2, state1, state2)
+    TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
     or
     // additional flow step to track taint through NoSQL query objects
-    state1 = TaintedObject::label() and
-    state2 = TaintedObject::label() and
+    state1.isTaintedObject() and
+    state2.isTaintedObject() and
     exists(NoSql::Query query, DataFlow::SourceNode queryObj |
       queryObj.flowsTo(query) and
       queryObj.flowsTo(node2) and
@@ -90,6 +87,7 @@ deprecated class Configuration extends TaintTracking::Configuration {
     DataFlow::Node node1, DataFlow::Node node2, DataFlow::FlowLabel state1,
     DataFlow::FlowLabel state2
   ) {
-    NosqlInjectionConfig::isAdditionalFlowStep(node1, state1, node2, state2)
+    NosqlInjectionConfig::isAdditionalFlowStep(node1, FlowState::fromFlowLabel(state1), node2,
+      FlowState::fromFlowLabel(state2))
   }
 }
