Convert BrowserExtensionCodeInjection.ql to use the new dataflow API

Jami Cogswell · Jami Cogswell · commit 701d39dbebe2 · 2025-04-29T12:24:38.000-04:00
diff --git a/javascript/lib/browserextension/CodeInjectionQuery.qll b/javascript/lib/browserextension/CodeInjectionQuery.qll
@@ -17,30 +17,29 @@
  /**
   * A taint-tracking configuration for reasoning about code injection vulnerabilities.
   */
- class Configuration extends TaintTracking::Configuration {
-   Configuration() { this = "CodeInjection" }
+ module Config implements DataFlow::ConfigSig { 
+  predicate isSource(DataFlow::Node source) { source instanceof XssThroughDom::Source}
  
-   override predicate isSource(DataFlow::Node source) { source instanceof XssThroughDom::Source}
  
  
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink}
  
-   override predicate isSink(DataFlow::Node sink) { sink instanceof Sink}
- 
-   override predicate isSanitizer(DataFlow::Node node) {
-     super.isSanitizer(node) or
+  predicate isBarrier(DataFlow::Node node) {
      node instanceof Sanitizer
    }
  
-   override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
+  predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
      // HTML sanitizers are insufficient protection against code injection
      src = trg.(HtmlSanitizerCall).getInput()
    }
  
-   override predicate isAdditionalLoadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
+  additional predicate isAdditionalLoadStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
      exists(ExecuteScript ess | ess = pred  and ess = succ and prop = ["file", "code"])
    }
  }
 
+ module ConfigFlow = TaintTracking::Global<Config>;
+
 //Browser Extension Models
 class ExecuteScriptSink extends Sink instanceof ExecuteScript{}
 class ExternalConnect1 extends Source instanceof OnConnectExternal{}
diff --git a/javascript/src/audit/CWE-094/BrowserExtensionCodeInjection.ql b/javascript/src/audit/CWE-094/BrowserExtensionCodeInjection.ql
@@ -16,9 +16,9 @@
 
  import javascript
  import browserextension.CodeInjectionQuery
- import DataFlow::PathGraph
+ import ConfigFlow::PathGraph
  
- from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
- where cfg.hasFlowPath(source, sink)
+ from ConfigFlow::PathNode source, ConfigFlow::PathNode sink
+ where ConfigFlow::flowPath(source, sink)
  select sink.getNode(), source, sink, sink.getNode().(Sink).getMessagePrefix() + " depends on a $@.",
    source.getNode(), "user-provided value"
