LogInjectionQuery.qll
/**
* Provides a taint-tracking configuration for reasoning about untrusted user input used in log entries.
*/
import javascript
/**
 * A data flow source for user input used in log entries.
 *
 * This class is abstract: a node is a `Source` only if some subclass
 * (such as `RemoteSource` in this file) includes it. Add a subclass to
 * contribute further sources to the log-injection query.
 */
abstract class Source extends DataFlow::Node { }
/**
 * A data flow sink for user input used in log entries.
 *
 * This class is abstract: a node is a `Sink` only if some subclass
 * (such as `LoggingSink` or the model-driven `SinkFromModel` in this file)
 * includes it.
 */
abstract class Sink extends DataFlow::Node { }
/**
 * A sanitizer for malicious user input used in log entries.
 *
 * This class is abstract: a node is a `Sanitizer` only if some subclass
 * includes it. Every `Sanitizer` node is used as a barrier by
 * `LogInjectionConfig`, so a subclass that is too broad suppresses
 * results (false negatives) rather than adding them.
 */
abstract class Sanitizer extends DataFlow::Node { }
/**
 * A taint-tracking configuration for untrusted user input used in log entries.
 *
 * Sources, sinks and barriers are delegated to the extensible `Source`,
 * `Sink` and `Sanitizer` classes, so the configuration itself holds no
 * logging-specific logic.
 */
module LogInjectionConfig implements DataFlow::ConfigSig {
/** Holds if `source` is any `Source` node. */
predicate isSource(DataFlow::Node source) { source instanceof Source }
/** Holds if `sink` is any `Sink` node. */
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
/** Holds if `node` is any `Sanitizer` node; flow is not tracked through a barrier. */
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
/** Holds unconditionally (`any()`), opting this configuration in to diff-informed incremental mode. */
predicate observeDiffInformedIncrementalMode() { any() }
}
/**
 * Taint-tracking for untrusted user input used in log entries.
 *
 * Instantiates global taint tracking with `LogInjectionConfig`; queries
 * use this module to find flows from a `Source` to a `Sink` that do not
 * pass through a `Sanitizer`.
 */
module LogInjectionFlow = TaintTracking::Global<LogInjectionConfig>;
/**
 * DEPRECATED. Use the `LogInjectionFlow` module instead.
 *
 * Legacy class-based taint-tracking configuration. It refers to the same
 * `Source`, `Sink` and `Sanitizer` classes as `LogInjectionConfig`.
 */
deprecated class LogInjectionConfiguration extends TaintTracking::Configuration {
// The characteristic predicate binds the configuration to the string "LogInjection".
LogInjectionConfiguration() { this = "LogInjection" }
// Any `Source` node is a source.
override predicate isSource(DataFlow::Node source) { source instanceof Source }
// Any `Sink` node is a sink.
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
// Any `Sanitizer` node is a sanitizer.
override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
}
/**
 * A source of remote user controlled input.
 *
 * Covers every `RemoteFlowSource` for which `isClientSideSource()` does
 * not hold, so client-side sources are not treated as log-injection
 * sources by this library.
 */
class RemoteSource extends Source instanceof RemoteFlowSource {
// Exclude client-side sources; only the remaining remote flow sources count.
RemoteSource() { not this.isClientSideSource() }
}
/**
 * A log-injection sink: a message component passed to a logging call.
 */
class LoggingSink extends Sink {
  LoggingSink() {
    // Every message component of every `LoggerCall` is a sink.
    exists(LoggerCall logCall | this = logCall.getAMessageComponent())
  }
}
/**
 * A call to `String.prototype.replace` that replaces `\n` with the empty
 * string, treated as sanitizing the replaced string (this reduces false
 * positives).
 *
 * NOTE(review): only a replaced string matching the regular expression
 * `\n` (a line feed) qualifies. A carriage return left in the value is not
 * considered here, and whether the replacement must apply to every
 * occurrence depends on `StringReplaceCall.replaces`, which is defined
 * elsewhere - confirm both match the intended precision trade-off.
 */
class StringReplaceSanitizer extends Sanitizer {
  StringReplaceSanitizer() {
    exists(StringReplaceCall replaceCall, string replaced |
      replaceCall = this and
      replaceCall.replaces(replaced, "") and
      // The QL literal "\\n" is the regex `\n`, which must match all of `replaced`.
      replaced.regexpMatch("\\n")
    )
  }
}
/**
 * A call to an HTML sanitizer is considered to sanitize the user input.
 *
 * Every `HtmlSanitizerCall` becomes a barrier for this query.
 * NOTE(review): whether the modelled HTML sanitizers also neutralise
 * line-break characters is not visible in this file; treating them as
 * barriers looks like a precision trade-off - confirm.
 */
class HtmlSanitizer extends Sanitizer instanceof HtmlSanitizerCall { }
/**
 * The output of a call to `JSON.stringify` or similar, treated as a
 * sanitizer for log output.
 */
class JsonStringifySanitizer extends Sanitizer {
  JsonStringifySanitizer() {
    // The barrier is the output node of the call, not the call's arguments.
    exists(JsonStringifyCall stringifyCall | this = stringifyCall.getOutput())
  }
}
/**
 * A sink contributed by library models: any node that
 * `ModelOutput::sinkNode` reports with the kind `"log-injection"`.
 */
private class SinkFromModel extends Sink {
SinkFromModel() { ModelOutput::sinkNode(this, "log-injection") }
}
/**
 * A sanitizer contributed by library models: any node that
 * `ModelOutput::barrierNode` reports with the kind `"log-injection"`.
 */
private class SanitizerFromModel extends Sanitizer {
SanitizerFromModel() { ModelOutput::barrierNode(this, "log-injection") }
}