Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JS: Migrate all queries to proper flow states and deprecate FlowLabel #18265

Merged
merged 37 commits into from
Dec 17, 2024
Merged

JS: Migrate all queries to proper flow states and deprecate FlowLabel #18265

merged 37 commits into from
Dec 17, 2024

Conversation

asgerf
Copy link
Contributor

@asgerf asgerf commented Dec 11, 2024
edited
Loading

Previously, our queries used flow state simply by doing class FlowState = DataFlow::FlowLabel;. This meant we could reuse some existing flow label-specified infrastructure, this is no longer needed.

This PR migrates all queries to newtype-based FlowState classes and deprecates the FlowLabel class.

I've introduced a file CommonFlowState to declare all flow states that are shared between queries, or are in use by a query that depends on another common flow state. This could technically be split into TaintedUrlSuffix-based queries and TaintedObject-based queries, but it seems simpler to just have one flow state for all cases where they need to be shared.

Finally, also applies a mass rename to the node1,state1,node2,state2 naming convention in our flow step predicates. We previously had an inconsistent naming convention, ranging between pred -> succ, src -> dst, src -> trg, and likewise for labels, but with the additional variant inlbl -> outlbl. Now it's much more consistent.

Evaluation looks quiet, again with hints of a minor speedup (1% on average).

@github-actions github-actions bot added the JS label Dec 11, 2024
asgerf added 15 commits December 13, 2024 10:08
@asgerf asgerf force-pushed the jss/flow-labels2 branch 2 times, most recently from 4d33ddb to 60738e8 Compare December 13, 2024 12:15
@asgerf asgerf changed the title JS: Migrate more queries to flow state JS: Migrate all queries to proper flow states and migrate FlowLabel Dec 13, 2024
@asgerf asgerf changed the title JS: Migrate all queries to proper flow states and migrate FlowLabel JS: Migrate all queries to proper flow states and deprecate FlowLabel Dec 13, 2024
@asgerf asgerf marked this pull request as ready for review December 16, 2024 14:04
@Copilot Copilot bot review requested due to automatic review settings December 16, 2024 14:04
@asgerf asgerf requested a review from a team as a code owner December 16, 2024 14:04
Copilot
Copilot AI reviewed Dec 16, 2024
View reviewed changes

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 55 out of 75 changed files in this pull request and generated no comments.

Files not reviewed (20)
  • docs/codeql/codeql-language-guides/analyzing-data-flow-in-javascript-and-typescript.rst: Language not supported
  • javascript/ql/examples/queries/dataflow/BackendIdor/BackendIdor.ql: Language not supported
  • javascript/ql/examples/queries/dataflow/InformationDisclosure/InformationDisclosure.ql: Language not supported
  • javascript/ql/lib/semmle/javascript/dataflow/AdditionalFlowSteps.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/dataflow/Configuration.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/dataflow/internal/BarrierGuards.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSteps.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/security/CommonFlowState.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/security/TaintedObject.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/security/TaintedObjectCustomizations.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffix.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffixCustomizations.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakCustomizations.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/security/dataflow/ConditionalBypassQuery.qll: Language not supported
  • javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionCustomizations.qll: Language not supported

Tip: Turn on automatic Copilot reviews for this repository to get quick feedback on every pull request. Learn more
@asgerf asgerf added the no-change-note-required This PR does not need a change note label Dec 16, 2024
@asgerf asgerf marked this pull request as draft December 16, 2024 14:07
@asgerf
Copy link
Contributor Author

asgerf commented Dec 16, 2024

Taking back into draft as there are a bunch of new CI failures that popped up when I took it out of draft.

asgerf added 14 commits December 16, 2024 15:35
@asgerf
JS: Migrate UnvalidatedDynamicMethodCall
c951a29
@asgerf
JS: Rename an experimental query
a398599 
Having the same name as a standard query is just confusing
@asgerf
JS: Migrate an experimental CodeInjection query
d83ddfa
@asgerf
JS: Migrate CorsPermissiveConfiguration
ebe596f
@asgerf
JS: Migrate PrototypePollutingFunction
73af3f3
@asgerf
JS: Migrate a test to use flow state
69b361a
@asgerf
JS: Deprecate the FlowLabel class
d993c88
@asgerf
JS: Add some missing qldoc
ac6da6c
@asgerf
JS: Mass rename to node1,state1,node2,state2 naming convention
079294e
@asgerf
JS: Also update tutorial code
cf6d166
@asgerf
JS: Avoid deprecation warnings in some tests
db00dad
@asgerf
JS: A few more deprecation updates
0b2914f
@asgerf
JS: Remove reference to deprecated step relation that's empty anyway
947b785
@asgerf
JS: Fix bad join in isOptionallySanitizedEdgeInternal
e5ae7e0 
This was previously called from isBarrier(node, state) but without restricting the state. The call was therefore moved to isBarrier(node), but this caused some optimisation changes resulting in a bad join.
@asgerf asgerf marked this pull request as ready for review December 17, 2024 09:26
@asgerf asgerf requested a review from erik-krogh December 17, 2024 09:26
erik-krogh
erik-krogh approved these changes Dec 17, 2024
View reviewed changes
Copy link
Contributor

@erik-krogh erik-krogh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good 👍

I'm sure that I missed some place where the code still says "label" instead of "state", but I definitely agree with the general pattern.

This PR migrates all queries to newtype-based

PrototypePollutingFunction is still string, but that's fine.

@asgerf
Copy link
Contributor Author

asgerf commented Dec 17, 2024

Right, I left PrototypePollutingFunction as a string because it's defined in a .ql file, so external users can't depend on it.

@asgerf asgerf merged commit 729efff into github:js/shared-dataflow-branch Dec 17, 2024
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot Copilot left review comments

@erik-krogh erik-krogh erik-krogh approved these changes

Assignees
No one assigned
Labels
documentation JS no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@asgerf @erik-krogh