rename TaintedLength to LoopBoundInjection

Author: erik-krogh

javascript/config/suites/javascript/security

@@ -42,7 +42,7 @@
 + semmlecode-javascript-queries/Security/CWE-798/HardcodedCredentials.ql: /Security/CWE/CWE-798
 + semmlecode-javascript-queries/Security/CWE-807/ConditionalBypass.ql: /Security/CWE/CWE-807
 + semmlecode-javascript-queries/Security/CWE-807/DifferentKindsComparisonBypass.ql: /Security/CWE/CWE-807
-+ semmlecode-javascript-queries/Security/CWE-834/TaintedLength.ql: /Security/CWE/CWE-834
++ semmlecode-javascript-queries/Security/CWE-834/LoopBoundInjection.ql: /Security/CWE/CWE-834
 + semmlecode-javascript-queries/Security/CWE-843/TypeConfusionThroughParameterTampering.ql: /Security/CWE/CWE-834
 + semmlecode-javascript-queries/Security/CWE-916/InsufficientPasswordHash.ql: /Security/CWE/CWE-916
 + semmlecode-javascript-queries/Security/CWE-918/RequestForgery.ql: /Security/CWE/CWE-918

javascript/ql/src/Security/CWE-834/LoopBoundInjection.qhelp

@@ -9,7 +9,7 @@
 		cause indefinite looping since a malicious attacker can set the
 		<code>.length</code> property to a very large number. For example, 
 		when a program that expects an array is passed a JSON object such as
-		<code>{length: 1e100}</code>, the loop will be run for 1e100 
+		<code>{length: 1e100}</code>, the loop will be run for 10<sup>100</sup>
 		iterations. This may cause the program to hang or run out of memory, 
 		which can be used to mount a denial-of-service (DoS) attack.
 	</p>
@@ -30,7 +30,7 @@
 		<code>obj</code> to an array.
 	</p>
 
-	<sample src="examples/TaintedLength.js" />
+	<sample src="examples/LoopBoundInjection.js" />
 
 	<p>
 		This is not secure since an attacker can control the value of
@@ -39,7 +39,7 @@
 		the user controlled object is an array.
 	</p>
 
-	<sample src="examples/TaintedLength_fixed.js" />
+	<sample src="examples/LoopBoundInjection_fixed.js" />
 </example>
 
 <references></references>

javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql

@@ -1,5 +1,5 @@
 /**
- * @name Tainted .length in loop condition
+ * @name Loop bound injection
  * @description Iterating over an object with a user-controlled .length
  *              property can cause indefinite looping.
  * @kind path-problem
@@ -11,7 +11,7 @@
  */
 
 import javascript
-import semmle.javascript.security.dataflow.TaintedLength::TaintedLength
+import semmle.javascript.security.dataflow.LoopBoundInjection::LoopBoundInjection
 
 from Configuration dataflow, DataFlow::PathNode source, DataFlow::PathNode sink
 where dataflow.hasFlowPath(source, sink)

…ript/security/dataflow/TaintedLength.qll …security/dataflow/LoopBoundInjection.qlljavascript/ql/src/semmle/javascript/security/dataflow/TaintedLength.qll renamed to javascript/ql/src/semmle/javascript/security/dataflow/LoopBoundInjection.qll javascript/ql/src/semmle/javascript/security/dataflow/TaintedLength.qll renamed to javascript/ql/src/semmle/javascript/security/dataflow/LoopBoundInjection.qll

@@ -3,21 +3,21 @@
  * using a user controlled object with an unbounded .length property.
  *
  * Note, for performance reasons: only import this file if
- * `TaintedLength::Configuration` is needed, otherwise
- * `TaintedLengthCustomizations` should be imported instead.
+ * `LoopBoundInjection::Configuration` is needed, otherwise
+ * `LoopBoundInjectionCustomizations` should be imported instead.
  */
 
 import javascript
 import semmle.javascript.security.TaintedObject
 
-module TaintedLength {
-  import TaintedLengthCustomizations::TaintedLength
+module LoopBoundInjection {
+  import LoopBoundInjectionCustomizations::LoopBoundInjection
 
   /**
    * A taint-tracking configuration for reasoning about looping on tainted objects with unbounded length.
    */
   class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "TaintedLength" }
+    Configuration() { this = "LoopBoundInjection" }
 
     override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
       source instanceof Source and label = TaintedObject::label()

…dataflow/TaintedLengthCustomizations.qll …low/LoopBoundInjectionCustomizations.qlljavascript/ql/src/semmle/javascript/security/dataflow/TaintedLengthCustomizations.qll renamed to javascript/ql/src/semmle/javascript/security/dataflow/LoopBoundInjectionCustomizations.qll javascript/ql/src/semmle/javascript/security/dataflow/TaintedLengthCustomizations.qll renamed to javascript/ql/src/semmle/javascript/security/dataflow/LoopBoundInjectionCustomizations.qll

@@ -6,7 +6,7 @@
 
 import javascript
 
-module TaintedLength {
+module LoopBoundInjection {
   import semmle.javascript.security.dataflow.RemoteFlowSources
   import semmle.javascript.security.TaintedObject
   import DataFlow::PathGraph

javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjection.expected

@@ -0,0 +1,57 @@
+nodes
+| LoopBoundInjectionBad.js:8:13:8:20 | req.body |
+| LoopBoundInjectionBad.js:10:15:10:22 | req.body |
+| LoopBoundInjectionBad.js:12:25:12:32 | req.body |
+| LoopBoundInjectionBad.js:14:19:14:26 | req.body |
+| LoopBoundInjectionBad.js:17:18:17:20 | val |
+| LoopBoundInjectionBad.js:20:25:20:27 | val |
+| LoopBoundInjectionBad.js:25:20:25:22 | val |
+| LoopBoundInjectionBad.js:29:16:29:18 | val |
+| LoopBoundInjectionBad.js:35:30:35:32 | val |
+| LoopBoundInjectionBad.js:38:15:38:17 | val |
+| LoopBoundInjectionBad.js:46:24:46:26 | val |
+| LoopBoundInjectionBad.js:51:25:51:27 | val |
+| LoopBoundInjectionExitBad.js:8:9:8:16 | req.body |
+| LoopBoundInjectionExitBad.js:10:9:10:16 | req.body |
+| LoopBoundInjectionExitBad.js:12:10:12:17 | req.body |
+| LoopBoundInjectionExitBad.js:14:14:14:21 | req.body |
+| LoopBoundInjectionExitBad.js:17:17:17:19 | val |
+| LoopBoundInjectionExitBad.js:20:22:20:24 | val |
+| LoopBoundInjectionExitBad.js:31:17:31:19 | val |
+| LoopBoundInjectionExitBad.js:34:22:34:24 | val |
+| LoopBoundInjectionExitBad.js:46:18:46:20 | val |
+| LoopBoundInjectionExitBad.js:49:22:49:24 | val |
+| LoopBoundInjectionExitBad.js:59:22:59:24 | val |
+| LoopBoundInjectionExitBad.js:60:8:60:10 | val |
+| LoopBoundInjectionLodash.js:9:13:9:20 | req.body |
+| LoopBoundInjectionLodash.js:12:18:12:20 | val |
+| LoopBoundInjectionLodash.js:13:13:13:15 | val |
+edges
+| LoopBoundInjectionBad.js:8:13:8:20 | req.body | LoopBoundInjectionBad.js:17:18:17:20 | val |
+| LoopBoundInjectionBad.js:10:15:10:22 | req.body | LoopBoundInjectionBad.js:25:20:25:22 | val |
+| LoopBoundInjectionBad.js:12:25:12:32 | req.body | LoopBoundInjectionBad.js:35:30:35:32 | val |
+| LoopBoundInjectionBad.js:14:19:14:26 | req.body | LoopBoundInjectionBad.js:46:24:46:26 | val |
+| LoopBoundInjectionBad.js:17:18:17:20 | val | LoopBoundInjectionBad.js:20:25:20:27 | val |
+| LoopBoundInjectionBad.js:25:20:25:22 | val | LoopBoundInjectionBad.js:29:16:29:18 | val |
+| LoopBoundInjectionBad.js:35:30:35:32 | val | LoopBoundInjectionBad.js:38:15:38:17 | val |
+| LoopBoundInjectionBad.js:46:24:46:26 | val | LoopBoundInjectionBad.js:51:25:51:27 | val |
+| LoopBoundInjectionExitBad.js:8:9:8:16 | req.body | LoopBoundInjectionExitBad.js:17:17:17:19 | val |
+| LoopBoundInjectionExitBad.js:10:9:10:16 | req.body | LoopBoundInjectionExitBad.js:31:17:31:19 | val |
+| LoopBoundInjectionExitBad.js:12:10:12:17 | req.body | LoopBoundInjectionExitBad.js:46:18:46:20 | val |
+| LoopBoundInjectionExitBad.js:14:14:14:21 | req.body | LoopBoundInjectionExitBad.js:59:22:59:24 | val |
+| LoopBoundInjectionExitBad.js:17:17:17:19 | val | LoopBoundInjectionExitBad.js:20:22:20:24 | val |
+| LoopBoundInjectionExitBad.js:31:17:31:19 | val | LoopBoundInjectionExitBad.js:34:22:34:24 | val |
+| LoopBoundInjectionExitBad.js:46:18:46:20 | val | LoopBoundInjectionExitBad.js:49:22:49:24 | val |
+| LoopBoundInjectionExitBad.js:59:22:59:24 | val | LoopBoundInjectionExitBad.js:60:8:60:10 | val |
+| LoopBoundInjectionLodash.js:9:13:9:20 | req.body | LoopBoundInjectionLodash.js:12:18:12:20 | val |
+| LoopBoundInjectionLodash.js:12:18:12:20 | val | LoopBoundInjectionLodash.js:13:13:13:15 | val |
+#select
+| LoopBoundInjectionBad.js:20:25:20:27 | val | LoopBoundInjectionBad.js:8:13:8:20 | req.body | LoopBoundInjectionBad.js:20:25:20:27 | val | Iterating over user-controlled object with a potentially unbounded .length property from $@. | LoopBoundInjectionBad.js:8:13:8:20 | req.body | here |
+| LoopBoundInjectionBad.js:29:16:29:18 | val | LoopBoundInjectionBad.js:10:15:10:22 | req.body | LoopBoundInjectionBad.js:29:16:29:18 | val | Iterating over user-controlled object with a potentially unbounded .length property from $@. | LoopBoundInjectionBad.js:10:15:10:22 | req.body | here |
+| LoopBoundInjectionBad.js:38:15:38:17 | val | LoopBoundInjectionBad.js:12:25:12:32 | req.body | LoopBoundInjectionBad.js:38:15:38:17 | val | Iterating over user-controlled object with a potentially unbounded .length property from $@. | LoopBoundInjectionBad.js:12:25:12:32 | req.body | here |
+| LoopBoundInjectionBad.js:51:25:51:27 | val | LoopBoundInjectionBad.js:14:19:14:26 | req.body | LoopBoundInjectionBad.js:51:25:51:27 | val | Iterating over user-controlled object with a potentially unbounded .length property from $@. | LoopBoundInjectionBad.js:14:19:14:26 | req.body | here |
+| LoopBoundInjectionExitBad.js:20:22:20:24 | val | LoopBoundInjectionExitBad.js:8:9:8:16 | req.body | LoopBoundInjectionExitBad.js:20:22:20:24 | val | Iterating over user-controlled object with a potentially unbounded .length property from $@. | LoopBoundInjectionExitBad.js:8:9:8:16 | req.body | here |
+| LoopBoundInjectionExitBad.js:34:22:34:24 | val | LoopBoundInjectionExitBad.js:10:9:10:16 | req.body | LoopBoundInjectionExitBad.js:34:22:34:24 | val | Iterating over user-controlled object with a potentially unbounded .length property from $@. | LoopBoundInjectionExitBad.js:10:9:10:16 | req.body | here |
+| LoopBoundInjectionExitBad.js:49:22:49:24 | val | LoopBoundInjectionExitBad.js:12:10:12:17 | req.body | LoopBoundInjectionExitBad.js:49:22:49:24 | val | Iterating over user-controlled object with a potentially unbounded .length property from $@. | LoopBoundInjectionExitBad.js:12:10:12:17 | req.body | here |
+| LoopBoundInjectionExitBad.js:60:8:60:10 | val | LoopBoundInjectionExitBad.js:14:14:14:21 | req.body | LoopBoundInjectionExitBad.js:60:8:60:10 | val | Iterating over user-controlled object with a potentially unbounded .length property from $@. | LoopBoundInjectionExitBad.js:14:14:14:21 | req.body | here |
+| LoopBoundInjectionLodash.js:13:13:13:15 | val | LoopBoundInjectionLodash.js:9:13:9:20 | req.body | LoopBoundInjectionLodash.js:13:13:13:15 | val | Iterating over user-controlled object with a potentially unbounded .length property from $@. | LoopBoundInjectionLodash.js:9:13:9:20 | req.body | here |

javascript/ql/test/query-tests/Security/CWE-834/LoopBoundInjection.qlref

@@ -0,0 +1 @@
+Security/CWE-834/LoopBoundInjection.ql