JS: Add StoredXss and XssThroughDom to ATM extraction queries #8857

TomBolton · 2022-04-25T13:54:43Z

Add StoredXss and XssThroughDom to ATM extraction queries
Update the expected test output with the two new queries
Explicitly name each individual security query to include in the ATM query pack
Update the acronyms in the class names to use camel case to address the code scanning warnings

Produced with: ``` javascript/ql$tb boost src/Security/CWE-079/StoredXss.ql XssSink javascript/ql$ tb boost src/Security/CWE-079/XssThroughDom.ql XssSink ```

github-advanced-security

Found 8 vulnerabilities.

...experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/StoredXssATM.qll

...rimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssThroughDomATM.qll

...ript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointData.qll

@@ -16,8 +16,10 @@
 import experimental.adaptivethreatmodeling.FilteringReasons
 import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionATM
 import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjectionATM
+import experimental.adaptivethreatmodeling.StoredXssATM as StoredXssATM


...ript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointData.qll

@@ -16,8 +16,10 @@
 import experimental.adaptivethreatmodeling.FilteringReasons
 import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionATM
 import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjectionATM
+import experimental.adaptivethreatmodeling.StoredXssATM as StoredXssATM
 import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathATM
 import experimental.adaptivethreatmodeling.XssATM as XssATM


...ript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointData.qll

 import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathATM
 import experimental.adaptivethreatmodeling.XssATM as XssATM
+import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomATM


...pt/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointMapping.ql

@@ -7,7 +7,9 @@
 import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjectionATM
 import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionATM
 import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathATM
 import experimental.adaptivethreatmodeling.XssATM as XssATM


...pt/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointMapping.ql

 import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionATM
 import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathATM
 import experimental.adaptivethreatmodeling.XssATM as XssATM
+import experimental.adaptivethreatmodeling.StoredXssATM as StoredXssATM


...pt/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointMapping.ql

 import experimental.adaptivethreatmodeling.NosqlInjectionATM as NosqlInjectionATM
 import experimental.adaptivethreatmodeling.TaintedPathATM as TaintedPathATM
 import experimental.adaptivethreatmodeling.XssATM as XssATM
+import experimental.adaptivethreatmodeling.StoredXssATM as StoredXssATM
+import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomATM


TomBolton · 2022-04-26T09:39:32Z

Copying Henry's comment from a previous PR:

Update these to line up with the existing queries like XssAtm.ql:

Use an alert message like "(Experimental) This may be a cross-site scripting vulnerability due to $@. Identified using machine learning.", which doesn't include the score.
Use "experimental" instead of "boosted" in the query name
Use an @id like js/ml-powered/
Remove experimental/atm from the tags
Rename ATM -> Atm

github-advanced-security

Found 100 vulnerabilities.

javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/NosqlInjectionATM.ql

...ipt/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/NosqlInjectionATMLite.ql

...perimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/TaintedPathATM.qll

...experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/StoredXssATM.qll

...pt/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssATM.qll

github-advanced-security

Found 10 vulnerabilities.

...pt/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssATM.qll

...rimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssThroughDomATM.qll

javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/NosqlInjectionATM.ql

...ipt/ql/experimental/adaptivethreatmodeling/modelbuilding/evaluation/NosqlInjectionATMLite.ql

TomBolton · 2022-04-26T13:18:16Z

Closing as the experimentation with renaming ATM -> Atm did not work as intended.

esbena and others added 4 commits April 22, 2022 14:28

Boost StoredXss and XssThroughDomATM

e5bfb94

Produced with: ``` javascript/ql$tb boost src/Security/CWE-079/StoredXss.ql XssSink javascript/ql$ tb boost src/Security/CWE-079/XssThroughDom.ql XssSink ```

add new Xss queries to extraction code

afd4fbb

explicitly include individual ATM queries in pack

7fdb670

update test output to include new queries

59b439f

github-actions bot added the JS label Apr 25, 2022

github-advanced-security bot found potential problems Apr 25, 2022

View reviewed changes

TomBolton added 2 commits April 25, 2022 15:16

modify acronyms in class names to address code scanning warnings

15ac1f2

update actual and expected test output

d7ea0b5

TomBolton changed the title ~~Add StoredXss and XssThroughDom to ATM extraction queries~~ JS: Add StoredXss and XssThroughDom to ATM extraction queries Apr 26, 2022

update @name, @tags, and alert message

3c6b9f2

github-advanced-security bot found potential problems Apr 26, 2022

View reviewed changes

TomBolton force-pushed the tombolton/add-new-queries branch from 112855f to 59d579c Compare April 26, 2022 11:45

github-advanced-security bot found potential problems Apr 26, 2022

View reviewed changes

delete actual test files

08678a9

TomBolton force-pushed the tombolton/add-new-queries branch from 59d579c to 08678a9 Compare April 26, 2022 13:03

TomBolton closed this Apr 26, 2022

JS: Add StoredXss and XssThroughDom to ATM extraction queries #8857

JS: Add StoredXss and XssThroughDom to ATM extraction queries #8857

Uh oh!

Conversation

TomBolton commented Apr 25, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-advanced-security bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Check warning

Check warning

Check warning

Check warning

Check warning

Check warning

TomBolton commented Apr 26, 2022

Uh oh!

github-advanced-security bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

github-advanced-security bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

TomBolton commented Apr 26, 2022

Uh oh!

Uh oh!

TomBolton commented Apr 25, 2022 •

edited

Loading