Skip to content

JS: Add SharedTaintStep (again) #5396

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 61 commits into from
Mar 17, 2021
Merged

JS: Add SharedTaintStep (again) #5396

merged 61 commits into from
Mar 17, 2021

Conversation

asgerf
Copy link
Contributor

@asgerf asgerf commented Mar 12, 2021
edited
Loading

Revival of #3603 without the string base-type stuff.

Converts AdditionalTaintStep to a unit-type class called SharedTaintStep:

  • AdditionalTaintStep remains as a deprecated class.
  • Converting AdditionalTaintStep into a unit type would be a breaking change, hence the new class.
  • The new class name should help indicate that it should not be subclassed in a query.

Evaluation looks good

@asgerf asgerf added the JS label Mar 12, 2021
@asgerf asgerf marked this pull request as ready for review March 15, 2021 13:01
@asgerf asgerf requested a review from a team as a code owner March 15, 2021 13:01
@asgerf asgerf added the no-change-note-required This PR does not need a change note label Mar 15, 2021
esbena
esbena reviewed Mar 15, 2021
View reviewed changes
Copy link
Contributor

@esbena esbena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!
And bravo for keeping this to so many atomic and simple commits!

My concern is that we are not making our users properly aware of this change. It is not obvious to outsiders why we are doing this major surgery, which could look like a simple renaming exercise that is optional to respect.

I suppose a change note and an update to the tutorials would suffice. A more glaring deprecation warning would be great, but I can see how that may be tricky.

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll Outdated
* of the standard library. Override `Configuration::isAdditionalTaintStep`
* for analysis-specific taint steps.
*/
abstract class AdditionalTaintStep extends DataFlow::Node {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we mark this as deprecated, or at least add some prominent text about SharedTaintSted? Otherwise, the users will keep using it.
(I suppose the reason that this isn't deprecated is that we use it ourselves in legacyAdditionalTaintStep, it would be nice if we could juggle our way out of that)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh I thought it actually was deprecated. It's properly deprecated now.

I've also updated the tutorial. In the process of doing that, I introduced a forward-compatible version of DataFlow::SharedFlowStep as one paragraph simply couldn't be updated without distracting the reader with the details of how these two classes differ. Actually migrating to SharedFlowStep is for a future PR.

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
/**
* Holds if `pred -> succ` is an edge used by all taint-tracking configurations.
*/
predicate sharedTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we add a comment at the relevant locations about the need to manually maintain this large disjunction?

esbena
esbena previously approved these changes Mar 17, 2021
View reviewed changes
Copy link
Contributor

@esbena esbena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we wait for a change note labelling decision, or do we add that afterwards?

asgerf added 20 commits March 17, 2021 13:29
@asgerf
JS: Remove duplicate await step
0bdf67f
@asgerf
JS: Add arrayStep but ignore overlap with heapStep for now
6324c4f
@asgerf
JS: Move React steps into React library
e847043
@asgerf
JS: Cache taint steps in same stage
f95c799
@asgerf
JS: Fix promiseStep documentation
8542c71
@asgerf
JS: Autoformat
e4a75b4
@asgerf
JS: Put in same stage as RemoteFlowSource
561b9d0
@asgerf
JS: Update with new AdditionalTaintStep subclasses
96c6e4d
@asgerf
JS: Autoformat and add qldoc
d52ff3e
@asgerf
JS: Update Vue test
80bc5d9
@asgerf
JS: Fixup bad merge in HeapTaintStep
443b59e
@asgerf
JS: Fixup UriLibraries test
0675066
@asgerf
JS: Autoformat
332ee40
@asgerf
JS: Deprecate AdditionalTaintStep
c0b5a9a
@asgerf
JS: Remove or update some mentions of AdditionalTaintStep
d74e84a
@asgerf
JS: Add DataFlow::SharedFlowStep to future-proof the tutorial
a97d345
@asgerf
JS: Mention why we cache predicates outside the class
c276406
@asgerf
JS: Add comment explaining how to add new steps
ab1947a
@asgerf
JS: Add qldoc to deprecated class member
e1bfc6c
@asgerf
JS: Autoformat
ccc879d
@asgerf asgerf force-pushed the js/shared-taint-step branch from 8ed0579 to ccc879d Compare March 17, 2021 13:32
@asgerf
Copy link
Contributor Author

asgerf commented Mar 17, 2021

Rebased to resolve conflicts

erik-krogh
erik-krogh approved these changes Mar 17, 2021
View reviewed changes
Copy link
Contributor

@erik-krogh erik-krogh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

But shouldn't we add a change note?
(Or are you waiting until DataFlow::SharedFlowStep is fully implemented?)

@asgerf
Copy link
Contributor Author

asgerf commented Mar 17, 2021

@esbena any final comments from your end?

@asgerf
Copy link
Contributor Author

asgerf commented Mar 17, 2021

But shouldn't we add a change note?

For anyone else seeing this, we addressed this question offline and decided not to add a change note for now.

@codeql-ci codeql-ci merged commit 7c20c4a into github:main Mar 17, 2021
@asgerf asgerf mentioned this pull request Mar 22, 2021
Merged
@asgerf asgerf mentioned this pull request Aug 5, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@esbena esbena esbena approved these changes

@erik-krogh erik-krogh erik-krogh approved these changes

Assignees
No one assigned
Labels
documentation JS no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@asgerf @esbena @erik-krogh @codeql-ci