/**
* Provides default sources, sinks and sanitizers for reasoning about
* overly permissive CORS configurations, as well as
* extension points for adding your own.
*/
import javascript
/** Module containing sources, sinks, and sanitizers for overly permissive CORS configurations. */
module CorsPermissiveConfiguration {
  /**
   * The two flow states used by this configuration: ordinary taint, and a
   * value known to be one of the permissive `origin` values.
   */
  private newtype TFlowState =
    TTaint() or
    TPermissive()

  /** A flow state to associate with a tracked value. */
  class FlowState extends TFlowState {
    /** Gets a string representation of this flow state (`"taint"` or `"permissive"`). */
    string toString() {
      result = "taint" and this = TTaint()
      or
      result = "permissive" and this = TPermissive()
    }
  }

  /** Predicates for working with flow states. */
  module FlowState {
    /** A tainted value. */
    FlowState taint() { result = TTaint() }

    /** A permissive value (`true`, `null`, or `"*"`). */
    FlowState permissive() { result = TPermissive() }
  }

  /** A data flow source for permissive CORS configuration. */
  abstract class Source extends DataFlow::Node { }

  /** A data flow sink for permissive CORS configuration. */
  abstract class Sink extends DataFlow::Node { }

  /** A sanitizer (barrier) for permissive CORS configuration. */
  abstract class Sanitizer extends DataFlow::Node { }

  /**
   * An active threat-model source, considered as a flow source.
   *
   * Client-side remote flow sources are excluded — presumably because the
   * sinks below model server-side middleware configuration; confirm if the
   * threat model is widened.
   */
  private class ActiveThreatModelSourceAsSource extends Source instanceof ActiveThreatModelSource {
    ActiveThreatModelSourceAsSource() { not this instanceof ClientSideRemoteFlowSource }
  }

  /**
   * An overly permissive value for the `origin` configuration option:
   * the string `"*"`, the boolean `true`, or the `null` literal.
   */
  class PermissiveValue extends Source {
    PermissiveValue() {
      this.mayHaveStringValue("*")
      or
      this.mayHaveBooleanValue(true)
      or
      this.asExpr() instanceof NullLiteral
    }
  }

  /**
   * The value of the CORS `origin` option when initializing the application,
   * as contributed by the `cors-origin` sink kind in the models.
   */
  class CorsOriginSink extends Sink, DataFlow::ValueNode {
    CorsOriginSink() { ModelOutput::sinkNode(this, "cors-origin") }
  }

  /**
   * A sanitizer for CORS configurations where credentials are explicitly disabled.
   * When credentials are false, using "*" for origin is a legitimate pattern.
   *
   * The sanitized node is the right-hand side of the `origin` property write on
   * an options object that is passed as the first argument of some call and
   * that also has a `credentials` property write whose value may be `false`.
   *
   * NOTE(review): `mayHaveBooleanValue(false)` is a may-check, so an options
   * object whose `credentials` value could also be `true` is still treated as
   * disabled and its `origin` is suppressed. Additionally requiring
   * `not options.getAPropertyWrite("credentials").getRhs().mayHaveBooleanValue(true)`
   * would keep such configurations in the results; confirm which behaviour is wanted.
   */
  private class CredentialsDisabledSanitizer extends Sanitizer {
    CredentialsDisabledSanitizer() {
      exists(DataFlow::SourceNode options |
        options = any(DataFlow::CallNode c).getArgument(0).getALocalSource() and
        options.getAPropertyWrite("credentials").getRhs().mayHaveBooleanValue(false) and
        this = options.getAPropertyWrite("origin").getRhs()
      )
    }
  }

  /** A sanitizer contributed by the `cors-origin` barrier kind in the models. */
  private class SanitizerFromModel extends Sanitizer {
    SanitizerFromModel() { ModelOutput::barrierNode(this, "cors-origin") }
  }
}