Skip to content

JavaScript: Convert security queries to path queries where applicable.#462

Merged
semmle-qlci merged 14 commits intogithub:masterfrom
xiemaisi:js/security-paths
Nov 14, 2018
Merged

JavaScript: Convert security queries to path queries where applicable.#462
semmle-qlci merged 14 commits intogithub:masterfrom
xiemaisi:js/security-paths

Conversation

@xiemaisi
Copy link

@xiemaisi xiemaisi commented Nov 14, 2018

Following the same approach as #367.

The diff is rather intimidating, so I'd suggest commit-by-commit review.

I've verified that this does not degrade performance (largely thanks to the last commit), and that results are unaffected on our default benchmark projects.

Max Schaefer added 14 commits November 14, 2018 09:16
JavaScript: Remove a few unnecessary imports.
c51cd50
JavaScript: Refactor HostHeaderPoisoningInEmailGeneration query.
9b4ae9e
JavaScript: Refactor security queries for uniformity.
65bcf0f
JavaScript: Make all taint-based security queries have `@kind path-pr…
60a1357 
…oblem`.
JavaScript: Add explicit nodes query predicate in PathGraph.
4860364 
This is needed to correctly handle the case where `edges` is empty.
JavaScript: Add import DataFlow::PathGraph.
8d87f55
JavaScript: Move from Node to PathNode.
11d6259
JavaScript: Adjust ConditionalBypass query.
d5af008
JavaScript: Select source and sink in all path queries.
e365b72
JavaScript: Select Nodes (instead of PathNodes) everywhere.
52ae757
JavaScript: Remove ReflectdXssPath.ql, which is now spurious.
d57b5d9
JavaScript: Update expectd test output for security path queries to i…
9221b62 
…nclude `nodes` and `edges` query predicates.
JavaScript: Introduce two more short-circuiting conjuncts.
d6198fc
JavaScript: Add change note.
4112af5
@xiemaisi xiemaisi added the JS label Nov 14, 2018
@xiemaisi xiemaisi requested a review from a team as a code owner November 14, 2018 09:37
@xiemaisi
Copy link
Author

xiemaisi commented Nov 14, 2018

Ping @hvitved and @aschackmull for interest.

asger-semmle
asger-semmle reviewed Nov 14, 2018
View reviewed changes
Copy link
Contributor

@asger-semmle asger-semmle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after a quick read. 👍

ghost
ghost approved these changes Nov 14, 2018
View reviewed changes
Copy link

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ditto. 💯 👍

@aschackmull
Copy link
Contributor

aschackmull commented Nov 14, 2018

LGTM.

@semmle-qlci semmle-qlci merged commit 77213aa into github:master Nov 14, 2018
@xiemaisi xiemaisi deleted the js/security-paths branch November 14, 2018 14:05
cklin pushed a commit that referenced this pull request May 23, 2022
@owen-mc
Merge pull request #462 from owen-mc/make-path-containment-check-more…
e55db63 
…-specific

Make PathContainmentCheck more specific
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@asger-semmle asger-semmle asger-semmle left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

JS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@xiemaisi @aschackmull @asger-semmle @semmle-qlci