Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JS: Add view-component-input threat model #18466

Merged
merged 10 commits into from
Jan 24, 2025
Prev Previous commit
Next Next commit
JS: Add ThreatModelSource#isCilentSideSource()
asgerf committed Jan 22, 2025
commit 3061d51b20d236133490976c2e39e2d65948cef3
10 changes: 10 additions & 0 deletions javascript/ql/lib/semmle/javascript/Concepts.qll
Original file line number Diff line number Diff line change
@@ -26,6 +26,11 @@ class ThreatModelSource extends DataFlow::Node instanceof ThreatModelSource::Ran

/** Gets a string that describes the type of this threat-model source. */
string getSourceType() { result = super.getSourceType() }

/**
* Holds if this is a source of data that is specific to the web browser environment.
*/
predicate isClientSideSource() { super.isClientSideSource() }
}

/** Provides a class for modeling new sources for specific threat-models. */
@@ -48,6 +53,11 @@ module ThreatModelSource {

/** Gets a string that describes the type of this threat-model source. */
abstract string getSourceType();

/**
* Holds if this is a source of data that is specific to the web browser environment.
*/
predicate isClientSideSource() { this.getThreatModel() = "view-component-input" }
}
}

Original file line number Diff line number Diff line change
@@ -24,12 +24,18 @@ private module Cached {

/**
* A source of remote input in a web browser environment.
*
* Note that this does not include `view-component-input` sources even if that threat model has been enabled by the user.
* Consider using the predicate `ThreatModelSource#isClientSideSource()` to check for a broader class of client-side sources.
*/
cached
abstract class ClientSideRemoteFlowSource extends RemoteFlowSource {
/** Gets a string indicating what part of the browser environment this was derived from. */
cached
abstract ClientSideRemoteFlowKind getKind();

cached
final override predicate isClientSideSource() { any() }
}
}