rename queries folder

Author: elizabethtl

queries/codeql-pack.lock.yml

@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false

queries/dataflow/README.md

@@ -0,0 +1,25 @@
+# Dataflow Queries
+
+The dataflow queries identify data flows from taint sources to taint sinks.  
+
+Files are named as: [source]-to-[sink].ql  
+
+The four taint sources are  
+- workspace settings (config)
+- file reads (fileRead)
+- network responses (network)
+- web servers (webServer)  
+
+The three taint sinks are  
+- shell commands (shell)
+- eval (eval)
+- file writes (fileWrite)
+
+## Filters
+
+The filters for the following are integrated into the corresponding queries.  
+- file reads
+- network response
+- eval
+
+Filters for the taint sink *file write* are implemented separately in [filter-file-write](./filter-file-write/). They identify flows to the filepath and content argument of a file write. Files are named as: [filepath]-[content].ql

queries/dataflow/config-to-eval.ql

@@ -0,0 +1,40 @@
+/////////////////////////////////
+// this query requires preprocessing to identify a workspace configuration node
+/////////////////////////////////
+
+import javascript
+import DataFlow::PathGraph
+
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "Configuration" }
+
+  override predicate isSource(DataFlow::Node source) { any() }
+
+  override predicate isSink(DataFlow::Node sink) { 
+    exists(DirectEval eval | sink.getAstNode() = eval.getAChild()) 
+  }
+}
+
+from 
+Configuration cfg, 
+DataFlow::PathNode source, 
+DataFlow::PathNode sink
+
+
+////////////////////////////////////////////////////////////
+// if preprocessing identified a workspace configuration node
+// the fileName can be replaced by the file where node was identified
+// the getConfiguration_node can be replaced by the line where node was identified
+////////////////////////////////////////////////////////////
+where 
+source.getNode().getFile().getStem().toString().matches("%fileName%")
+and
+source.getNode().getStartLine() = ${getConfiguration_node}
+and
+source.getNode().toString().matches("%vscode%")
+and
+cfg.hasFlowPath(source, sink)
+
+select 
+sink.getNode(), source, sink, "eval depends on $@.", 
+source.getNode(), "config"

queries/dataflow/config-to-fileWrite.ql

@@ -0,0 +1,39 @@
+/////////////////////////////////
+// this query requires preprocessing to identify a workspace configuration node
+/////////////////////////////////
+
+import javascript
+import DataFlow::PathGraph
+
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "Configuration" }
+
+  override predicate isSource(DataFlow::Node source) { any() }
+
+  override predicate isSink(DataFlow::Node sink) { 
+    exists(FileSystemWriteAccess file | sink = file.getADataNode()) 
+  }
+}
+
+from 
+Configuration cfg, 
+DataFlow::PathNode source, 
+DataFlow::PathNode sink
+
+////////////////////////////////////////////////////////////
+// if preprocessing identified a workspace configuration node
+// the fileName can be replaced by the file where node was identified
+// the getConfiguration_node can be replaced by the line where node was identified
+////////////////////////////////////////////////////////////
+where 
+source.getNode().getFile().getStem().toString().matches("%fileName%")
+and
+source.getNode().getStartLine() = ${getConfiguration_node}
+and
+source.getNode().toString().matches("%vscode%")
+and
+cfg.hasFlowPath(source, sink)
+
+select 
+sink.getNode(), source, sink, "file write depends on $@.", 
+source.getNode(), "config"

queries/dataflow/config-to-shell.ql

@@ -0,0 +1,39 @@
+/////////////////////////////////
+// this query requires preprocessing to identify a workspace configuration node
+/////////////////////////////////import javascript
+
+import javascript
+import DataFlow::PathGraph
+
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "Configuration" }
+
+  override predicate isSource(DataFlow::Node source) { any() }
+
+  override predicate isSink(DataFlow::Node sink) { 
+    exists(SystemCommandExecution shell | sink = shell.getACommandArgument()) 
+  }
+}
+
+from 
+Configuration cfg, 
+DataFlow::PathNode source, 
+DataFlow::PathNode sink
+
+////////////////////////////////////////////////////////////
+// if preprocessing identified a workspace configuration node
+// the fileName can be replaced by the file where node was identified
+// the getConfiguration_node can be replaced by the line where node was identified
+////////////////////////////////////////////////////////////
+where 
+source.getNode().getFile().getStem().toString().matches("%fileName%")
+and
+source.getNode().getStartLine() = ${getConfiguration_node}
+and
+source.getNode().toString().matches("%vscode%")
+and
+cfg.hasFlowPath(source, sink)
+
+select 
+sink.getNode(), source, sink, "shell command depends on $@.", 
+source.getNode(), "config"

queries/dataflow/fileRead-to-eval.ql

@@ -0,0 +1,54 @@
+import javascript
+import DataFlow::PathGraph
+
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "Configuration" }
+
+  override predicate isSource(DataFlow::Node source) { 
+    exists(FileSystemReadAccess src | source = src.getADataNode().getALocalSource())
+  }
+
+  override predicate isSink(DataFlow::Node sink) { 
+    exists(DirectEval eval | sink.getAstNode() = eval.getAChild()) 
+  }
+}
+
+class FlowToRead extends TaintTracking::Configuration{
+  FlowToRead(){ this = "FlowToRead" }
+
+  override predicate isSource(DataFlow::Node source) { 
+    exists(DataFlow::SourceNode src | source = src)
+  }
+
+  override predicate isSink(DataFlow::Node sink) { 
+    exists(FileSystemReadAccess read | sink = read.getAPathArgument()) 
+  }
+
+}
+
+from 
+Configuration cfg, 
+FlowToRead flowToRead,
+DataFlow::PathNode flow_source, 
+DataFlow::PathNode flow_sink,
+DataFlow::PathNode read_source,
+DataFlow::PathNode read_sink,
+FileSystemReadAccess read
+
+
+where 
+cfg.hasFlowPath(flow_source, flow_sink)
+and
+flowToRead.hasFlowPath(read_source, read_sink)
+and
+not flow_source.getNode() = flow_sink.getNode()
+and
+read.getAPathArgument() = read_sink.getNode()
+and
+read = flow_source.getNode()
+
+select 
+read_sink.getNode(), read_source, read_sink, "eval depends on $@. $@. $@", 
+read_source.getNode(), "read source", 
+flow_source.getNode(), "file",
+flow_sink.getNode(), "eval"

queries/dataflow/fileRead-to-fileWrite.ql

@@ -0,0 +1,54 @@
+import javascript
+import DataFlow::PathGraph
+
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "Configuration" }
+
+  override predicate isSource(DataFlow::Node source) { 
+    exists(FileSystemReadAccess src | source = src.getADataNode().getALocalSource())
+  }
+
+  override predicate isSink(DataFlow::Node sink) { 
+    exists(FileSystemWriteAccess write | sink = write.getADataNode()) 
+  }
+}
+
+class FlowToRead extends TaintTracking::Configuration{
+  FlowToRead(){ this = "FlowToRead" }
+
+  override predicate isSource(DataFlow::Node source) { 
+    exists(DataFlow::SourceNode src | source = src)
+  }
+
+  override predicate isSink(DataFlow::Node sink) { 
+    exists(FileSystemReadAccess read | sink = read.getAPathArgument()) 
+  }
+
+}
+
+from 
+Configuration cfg, 
+FlowToRead flowToRead,
+DataFlow::PathNode flow_source, 
+DataFlow::PathNode flow_sink,
+DataFlow::PathNode read_source,
+DataFlow::PathNode read_sink,
+FileSystemReadAccess read
+
+
+where 
+cfg.hasFlowPath(flow_source, flow_sink)
+and
+flowToRead.hasFlowPath(read_source, read_sink)
+and
+not flow_source.getNode() = flow_sink.getNode()
+and
+read.getAPathArgument() = read_sink.getNode()
+and
+read = flow_source.getNode()
+
+select 
+read_sink.getNode(), read_source, read_sink, "file write depends on $@. $@. $@", 
+read_source.getNode(), "read source", 
+flow_source.getNode(), "file read",
+flow_sink.getNode(), "file write"

queries/dataflow/fileRead-to-shell.ql

@@ -0,0 +1,54 @@
+import javascript
+import DataFlow::PathGraph
+
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "Configuration" }
+
+  override predicate isSource(DataFlow::Node source) { 
+    exists(FileSystemReadAccess src | source = src.getADataNode())
+  }
+
+  override predicate isSink(DataFlow::Node sink) { 
+    exists(SystemCommandExecution shell | sink = shell.getACommandArgument()) 
+  }
+}
+
+class FlowToRead extends TaintTracking::Configuration{
+  FlowToRead(){ this = "FlowToRead" }
+
+  override predicate isSource(DataFlow::Node source) { 
+    exists(DataFlow::SourceNode src | source = src)
+  }
+
+  override predicate isSink(DataFlow::Node sink) { 
+    exists(FileSystemReadAccess read | sink = read.getAPathArgument()) 
+  }
+
+}
+
+from 
+Configuration cfg, 
+FlowToRead flowToRead,
+DataFlow::PathNode flow_source, 
+DataFlow::PathNode flow_sink,
+DataFlow::PathNode read_source,
+DataFlow::PathNode read_sink,
+FileSystemReadAccess read
+
+
+where 
+cfg.hasFlowPath(flow_source, flow_sink)
+and
+flowToRead.hasFlowPath(read_source, read_sink)
+and
+not flow_source.getNode() = flow_sink.getNode()
+and
+read.getAPathArgument() = read_sink.getNode()
+and
+read = flow_source.getNode()
+
+select 
+read_sink.getNode(), read_source, read_sink, "shell command depends on $@. $@. $@", 
+read_source.getNode(), "read source", 
+flow_source.getNode(), "file",
+flow_sink.getNode(), "shell"

queries/dataflow/filter-file-write/README.md

@@ -0,0 +1,5 @@
+this directory includes the combined queries to identify flows to two arguments of a file write
+- filepath
+- content
+
+the files are named as: [filepath-source]-[content-source].ql

queries/dataflow/filter-file-write/config-config.ql

@@ -0,0 +1,57 @@
+// module in root folder
+import workspaceConfig
+
+import javascript
+import DataFlow::PathGraph
+
+
+class FlowToWritePath extends TaintTracking::Configuration {
+  FlowToWritePath() { this = "FlowToWritePath" }
+
+  override predicate isSource(DataFlow::Node source) { 
+    exists(VSCodeWorkspaceConfig config, DataFlow::SourceNode src | 
+      src.getFile() = config.getFile() and src.getStartLine() = config.getStartLine() |
+      source = src)
+  }
+
+  override predicate isSink(DataFlow::Node sink) { 
+  exists(FileSystemWriteAccess write | sink = write.getAPathArgument()) 
+  }
+}
+class FlowToWriteContent extends TaintTracking::Configuration {
+  FlowToWriteContent() { this = "FlowToWriteContent" }
+
+  override predicate isSource(DataFlow::Node source) { 
+    exists(VSCodeWorkspaceConfig config, DataFlow::SourceNode src | 
+      src.getFile() = config.getFile() and src.getStartLine() = config.getStartLine() |
+      source = src)
+}
+
+  override predicate isSink(DataFlow::Node sink) { 
+    exists(FileSystemWriteAccess write | sink = write.getADataNode()) 
+  }
+}
+
+
+from 
+FlowToWritePath writepath, FlowToWriteContent writecontent, 
+DataFlow::PathNode source_path, DataFlow::PathNode source_content,
+DataFlow::PathNode sink_path, DataFlow::PathNode sink_content,
+FileSystemWriteAccess filewrite_func
+
+
+where 
+writepath.hasFlowPath(source_path, sink_path)
+and
+writecontent.hasFlowPath(source_content, sink_content)
+and
+filewrite_func.getADataNode() = sink_content.getNode()
+and
+filewrite_func.getAPathArgument() = sink_path.getNode()
+
+
+select 
+sink_path.getNode(), source_path, sink_path, "file read or write depends on $@. $@. $@.", 
+source_path.getNode(), "path source",
+source_content.getNode(), "content source",
+sink_content.getNode(), "content sink"