JS: Port heuristic versions of standard queries

Author: asgerf

javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql

@@ -12,11 +12,15 @@
 
 import javascript
 import semmle.javascript.security.dataflow.ExternalAPIUsedWithUntrustedDataQuery
-import DataFlow::PathGraph
 import semmle.javascript.heuristics.AdditionalSources
+import ExternalAPIUsedWithUntrustedDataFlow::PathGraph
 
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
+from
+  ExternalAPIUsedWithUntrustedDataFlow::PathNode source,
+  ExternalAPIUsedWithUntrustedDataFlow::PathNode sink
+where
+  ExternalAPIUsedWithUntrustedDataFlow::flowPath(source, sink) and
+  source.getNode() instanceof HeuristicSource
 select sink, source, sink,
   "Call to " + sink.getNode().(Sink).getApiName() + " with untrusted data from $@.", source,
   source.toString()

javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.ql

@@ -16,17 +16,17 @@
 
 import javascript
 import semmle.javascript.security.dataflow.CommandInjectionQuery
-import DataFlow::PathGraph
 import semmle.javascript.heuristics.AdditionalSources
+import CommandInjectionFlow::PathGraph
 
 from
-  Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, DataFlow::Node highlight,
-  Source sourceNode
+  CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink,
+  DataFlow::Node highlight, Source sourceNode
 where
-  cfg.hasFlowPath(source, sink) and
+  CommandInjectionFlow::flowPath(source, sink) and
   (
-    if cfg.isSinkWithHighlight(sink.getNode(), _)
-    then cfg.isSinkWithHighlight(sink.getNode(), highlight)
+    if isSinkWithHighlight(sink.getNode(), _)
+    then isSinkWithHighlight(sink.getNode(), highlight)
     else highlight = sink.getNode()
   ) and
   sourceNode = source.getNode() and

javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-079/Xss.ql

@@ -15,11 +15,11 @@
 
 import javascript
 import semmle.javascript.security.dataflow.DomBasedXssQuery
-import DataFlow::PathGraph
 import semmle.javascript.heuristics.AdditionalSources
+import DomBasedXssFlow::PathGraph
 
-from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
+from DomBasedXssFlow::PathNode source, DomBasedXssFlow::PathNode sink
+where DomBasedXssFlow::flowPath(source, sink) and source.getNode() instanceof HeuristicSource
 select sink.getNode(), source, sink,
   sink.getNode().(Sink).getVulnerabilityKind() + " vulnerability due to $@.", source.getNode(),
   "user-provided value"

javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql

@@ -15,18 +15,24 @@
  */
 
 import javascript
-import semmle.javascript.security.dataflow.SqlInjectionQuery as SqlInjection
-import semmle.javascript.security.dataflow.NosqlInjectionQuery as NosqlInjection
-import DataFlow::PathGraph
+import semmle.javascript.security.dataflow.SqlInjectionQuery as Sql
+import semmle.javascript.security.dataflow.NosqlInjectionQuery as Nosql
 import semmle.javascript.heuristics.AdditionalSources
 
-from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string type
+module Merged =
+  DataFlow::MergePathGraph<Sql::SqlInjectionFlow::PathNode, Nosql::NosqlInjectionFlow::PathNode,
+    Sql::SqlInjectionFlow::PathGraph, Nosql::NosqlInjectionFlow::PathGraph>;
+
+import DataFlow::DeduplicatePathGraph<Merged::PathNode, Merged::PathGraph>
+
+from PathNode source, PathNode sink, string type
 where
-  (
-    cfg instanceof SqlInjection::Configuration and type = "string"
-    or
-    cfg instanceof NosqlInjection::Configuration and type = "object"
-  ) and
-  cfg.hasFlowPath(source, sink)
+  Sql::SqlInjectionFlow::flowPath(source.getAnOriginalPathNode().asPathNode1(),
+    sink.getAnOriginalPathNode().asPathNode1()) and
+  type = "string"
+  or
+  Nosql::NosqlInjectionFlow::flowPath(source.getAnOriginalPathNode().asPathNode2(),
+    sink.getAnOriginalPathNode().asPathNode2()) and
+  type = "object"
 select sink.getNode(), source, sink, "This query " + type + " depends on a $@.", source.getNode(),
   "user-provided value"

javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-117/LogInjection.ql

@@ -13,11 +13,11 @@
  */
 
 import javascript
-import DataFlow::PathGraph
 import semmle.javascript.security.dataflow.LogInjectionQuery
 import semmle.javascript.heuristics.AdditionalSources
+import LogInjectionFlow::PathGraph
 
-from LogInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
+from LogInjectionFlow::PathNode source, LogInjectionFlow::PathNode sink
+where LogInjectionFlow::flowPath(source, sink) and source.getNode() instanceof HeuristicSource
 select sink.getNode(), source, sink, "Log entry depends on a $@.", source.getNode(),
   "user-provided value"

javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-770/ResourceExhaustion.ql

@@ -14,11 +14,11 @@
  */
 
 import javascript
-import DataFlow::PathGraph
 import semmle.javascript.security.dataflow.ResourceExhaustionQuery
 import semmle.javascript.heuristics.AdditionalSources
+import ResourceExhaustionFlow::PathGraph
 
-from Configuration dataflow, DataFlow::PathNode source, DataFlow::PathNode sink
-where dataflow.hasFlowPath(source, sink) and source.getNode() instanceof HeuristicSource
+from ResourceExhaustionFlow::PathNode source, ResourceExhaustionFlow::PathNode sink
+where ResourceExhaustionFlow::flowPath(source, sink) and source.getNode() instanceof HeuristicSource
 select sink, source, sink, sink.getNode().(Sink).getProblemDescription() + " from a $@.", source,
   "user-provided value"

javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-807/ConditionalBypass.ql

@@ -14,13 +14,15 @@
 
 import javascript
 import semmle.javascript.security.dataflow.ConditionalBypassQuery
-import DataFlow::PathGraph
 import semmle.javascript.heuristics.AdditionalSources
+import ConditionalBypassFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, SensitiveAction action
+from
+  ConditionalBypassFlow::PathNode source, ConditionalBypassFlow::PathNode sink,
+  SensitiveAction action
 where
-  isTaintedGuardForSensitiveAction(sink, source, action) and
-  not isEarlyAbortGuard(sink, action) and
+  isTaintedGuardNodeForSensitiveAction(sink, source, action) and
+  not isEarlyAbortGuardNode(sink, action) and
   source.getNode() instanceof HeuristicSource
 select sink.getNode(), source, sink, "This condition guards a sensitive $@, but a $@ controls it.",
   action, "action", source.getNode(), "user-provided value"

javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql

@@ -20,13 +20,14 @@
 
 import javascript
 import semmle.javascript.security.dataflow.PrototypePollutingAssignmentQuery
-import PrototypePollutingAssignmentFlow::PathGraph
 import semmle.javascript.heuristics.AdditionalSources
+import PrototypePollutingAssignmentFlow::PathGraph
 
 from
   PrototypePollutingAssignmentFlow::PathNode source, PrototypePollutingAssignmentFlow::PathNode sink
 where
   PrototypePollutingAssignmentFlow::flowPath(source, sink) and
+  not isIgnoredLibraryFlow(source.getNode(), sink.getNode()) and
   source.getNode() instanceof HeuristicSource
 select sink, source, sink,
   "This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@.",