Skip to content

Commit 744be61

Browse files
jeongsoolee09jeongsoolee09
committed
Checkpoint
1 parent 4792d8f commit 744be61

File tree

1 file changed

+20
-9
lines changed

1 file changed

+20
-9
lines changed

javascript/frameworks/ui5/src/UI5LogInjection/UI5LogsToHttp.ql

Lines changed: 20 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -76,18 +76,23 @@ class LogListener extends DataFlow::Node {
7676
}
7777
}
7878

79-
class UI5LogEntryToHttp extends LogInjection::LogInjectionConfiguration {
80-
override predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
79+
class UI5LogEntryToHttp extends TaintTracking::Configuration {
80+
UI5LogEntryToHttp() { this = "UI5 log entries being passed to outbound HTTP requests" }
81+
82+
override predicate isSource(DataFlow::Node node, DataFlow::FlowLabel label) {
83+
node instanceof RemoteFlowSource and
84+
label = "not-logged"
85+
}
8186

8287
/*
8388
* !!!!!!!!!! NOTE !!!!!!!!!!
8489
*
85-
* The `DataFlow::FlowLabel` class became deprecated along with the deprecation
86-
* of `DataFlow::Configuration` and `TaintTracking::Configuration`.
90+
* The `DataFlow::FlowLabel` class became deprecated together with
91+
* `DataFlow::Configuration` and `TaintTracking::Configuration`.
8792
*
8893
* There is now no standard library taking advantage of `DataFlow::FlowLabel`
8994
* specifically, so we shouldn't expect our pre-labels and post-labels to
90-
* be propagated along with `LogInjection::Configuration.isAdditionalFlowStep`!
95+
* be propagated along with steps in `LogInjection::Configuration.isAdditionalFlowStep`!
9196
*/
9297

9398
override predicate isAdditionalFlowStep(
@@ -100,7 +105,6 @@ class UI5LogEntryToHttp extends LogInjection::LogInjectionConfiguration {
100105
preLabel = "not-logged" and
101106
postLabel = "logged"
102107
)
103-
or
104108
/*
105109
* 2. From a logging function to a log entry: a shared flow step
106110
* `LogArgumentToListener` in FlowSteps.qll, implemented as a
@@ -111,10 +115,12 @@ class UI5LogEntryToHttp extends LogInjection::LogInjectionConfiguration {
111115
* 3. From a log entry to an HTTP sending function.
112116
*/
113117

114-
exists() // TODO
115-
}
118+
}
116119

117-
override predicate isSink(DataFlow::Node node) { node instanceof ClientRequestInjectionVector }
120+
override predicate isSink(DataFlow::Node node, DataFlow::FlowLabel label) {
121+
node instanceof ClientRequestInjectionVector and
122+
label = "accessed"
123+
}
118124
}
119125

120126
from UI5LogEntryToHttp cfg, UI5PathNode source, UI5PathNode sink, UI5PathNode primarySource
@@ -123,3 +129,8 @@ where
123129
primarySource = source.getAPrimarySource()
124130
select sink, primarySource, sink, "Outbound network request depends on $@ log data.", primarySource,
125131
"user-provided"
132+
// import DataFlow::PathGraph
133+
// from UI5LogEntryToHttp cfg, DataFlow::PathNode source, DataFlow::PathNode sink
134+
// where cfg.hasFlowPath(source, sink)
135+
// select sink, source, sink, "Outbound network request depends on $@ log data.", source,
136+
// "user-provided"

0 commit comments

Comments
 (0)