refactor into customizations module - and move curl download to a Cli… · github/codeql@056a7e8 · GitHub

Commit 056a7e8

committed
refactor into customizations module - and move curl download to a ClientRequest
1 parent 8225adc commit 056a7e8

4 files changed

Lines changed: 127 additions & 39 deletions


javascript/ql/src/Security/CWE-829/UnsecureDownload.ql

Lines changed: 1 addition & 39 deletions

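--- a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -633,4 +633,32 @@ module ClientRequest {
 
 override DataFlow::Node getADataNode() { none() }
 }
+
+/**
+* A shell execution of `curl` that downloads some file.
+*/
+class CurlDownload extends ClientRequest::Range {
+SystemCommandExecution cmd;
+
+CurlDownload() {
+this = cmd and
+(
+cmd.getACommandArgument().getStringValue() = "curl" or
+cmd
+.getACommandArgument()
+.(StringOps::ConcatenationRoot)
+.getConstantStringParts()
+.regexpMatch("curl .*")
+)
+}
+
+override DataFlow::Node getUrl() {
+result = cmd.getArgumentList().getALocalSource().getAPropertyWrite().getRhs() or
+result = cmd.getACommandArgument().(StringOps::ConcatenationRoot).getALeaf()
+}
+
+override DataFlow::Node getHost() { none() }
+
+override DataFlow::Node getADataNode() { none() }
+}
 }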
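Review bot: `CurlDownload.getUrl()` over-approximates: its first disjunct returns the right-hand side of every property write on the argument list's local source and its second returns every leaf of the concatenated command, so option values (for example an `-o` output path) and the constant `curl ` prefix are all reported as the request URL. For the insecure-download query this means an `http://` string passed as something other than the download target can still be flagged. If the looseness is intended, the QLDoc should say so, e.g. `* Note: getUrl() returns every argument or concatenation leaf, not only the URL operand.` The characteristic predicate also accepts `"curl"` as any command argument rather than as the command itself, which looks worth tightening; confirm against the `SystemCommandExecution` API. The enclosing `module ClientRequest` starts outside the hunk.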
Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
/**
2+
* Provides a taint tracking configuration for reasoning about download of sensitive file through unsecure connection.
3+
*
4+
* Note, for performance reasons: only import this file if
5+
* `UnsecureDownload::Configuration` is needed, otherwise
6+
* `UnsecureDownloadCustomizations` should be imported instead.
7+
*/
8+
9+
import javascript
10+
11+
module UnsecureDownload {
12+
import UnsecureDownloadCustomizations::UnsecureDownload
13+
14+
/**
15+
* A taint tracking configuration for download of sensitive file through unsecure connection.
16+
*/
17+
class Configuration extends DataFlow::Configuration {
18+
Configuration() { this = "HTTP/HTTPS" }
19+
20+
override predicate isSource(DataFlow::Node source) {
21+
source instanceof Source
22+
}
23+
24+
override predicate isSink(DataFlow::Node sink) {
25+
sink instanceof Sink
26+
}
27+
}
28+
}
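Review bot: `Configuration` extends `DataFlow::Configuration`, but both the file-level and the class-level QLDoc call it a taint tracking configuration. Either the comments should say data flow, or the class should extend `TaintTracking::Configuration` if taint steps on the URL string are meant to be followed. The characteristic string `"HTTP/HTTPS"` is also generic; since this string identifies the configuration, a descriptive value such as `Configuration() { this = "UnsecureDownload" }` avoids accidental overlap with another configuration. `Source` and `Sink` come from the imported customizations module, which is not shown in this section, so whether a sanitizer predicate is needed cannot be judged from here.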
Lines changed: 70 additions & 0 deletions
