22 * Provides a taint tracking configuration for reasoning about injections in
33 * property names, used either for writing into a property, into a header or
44 * for calling an object's method.
5+ *
6+ * Note, for performance reasons: only import this file if
7+ * `RemotePropertyInjection::Configuration` is needed, otherwise
8+ * `RemotePropertyInjectionCustomizations` should be imported instead.
59 */
610
711import javascript
8- import semmle.javascript.frameworks.Express
9- import PropertyInjectionShared
1012
1113module RemotePropertyInjection {
12- /**
13- * A data flow source for remote property injection.
14- */
15- abstract class Source extends DataFlow:: Node { }
16-
17- /**
18- * A data flow sink for remote property injection.
19- */
20- abstract class Sink extends DataFlow:: Node {
21- /**
22- * Gets a string to identify the different types of sinks.
23- */
24- abstract string getMessage ( ) ;
25- }
26-
27- /**
28- * A sanitizer for remote property injection.
29- */
30- abstract class Sanitizer extends DataFlow:: Node { }
14+ import RemotePropertyInjectionCustomizations:: RemotePropertyInjection
3115
3216 /**
3317 * A taint-tracking configuration for reasoning about remote property injection.
@@ -45,42 +29,4 @@ module RemotePropertyInjection {
4529 node = StringConcatenation:: getRoot ( any ( ConstantString str ) .flow ( ) )
4630 }
4731 }
48-
49- /**
50- * A source of remote user input, considered as a flow source for remote property
51- * injection.
52- */
53- class RemoteFlowSourceAsSource extends Source {
54- RemoteFlowSourceAsSource ( ) { this instanceof RemoteFlowSource }
55- }
56-
57- /**
58- * A sink for property writes with dynamically computed property name.
59- */
60- class PropertyWriteSink extends Sink , DataFlow:: ValueNode {
61- PropertyWriteSink ( ) {
62- exists ( DataFlow:: PropWrite pw | astNode = pw .getPropertyNameExpr ( ) ) or
63- exists ( DeleteExpr expr | expr .getOperand ( ) .( PropAccess ) .getPropertyNameExpr ( ) = astNode )
64- }
65-
66- override string getMessage ( ) { result = " a property name to write to." }
67- }
68-
69- /**
70- * A sink for HTTP header writes with dynamically computed header name.
71- * This sink avoids double-flagging by ignoring `SetMultipleHeaders` since
72- * the multiple headers use case consists of an objects containing different
73- * header names as properties. This case is already handled by
74- * `PropertyWriteSink`.
75- */
76- class HeaderNameSink extends Sink , DataFlow:: ValueNode {
77- HeaderNameSink ( ) {
78- exists ( HTTP:: ExplicitHeaderDefinition hd |
79- not hd instanceof Express:: SetMultipleHeaders and
80- astNode = hd .getNameExpr ( )
81- )
82- }
83-
84- override string getMessage ( ) { result = " a header name." }
85- }
8632}