refactoring to remove duplicated code and simplify the ExceptionXss query

erik-krogh · erik-krogh · commit 91674f681b35 · 2019-11-19T08:54:51.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/Expr.qll b/javascript/ql/src/semmle/javascript/Expr.qll
@@ -245,6 +245,21 @@ class Expr extends @expr, ExprOrStmt, ExprOrType, AST::ValueNode {
       ctx.(ConditionalExpr).inNullSensitiveContext()
     )
   }
+
+  /**
+   * Gets the data-flow node where exceptional data-flow will flow if this expression
+   * causes an exception to be thrown.
+   */
+  DataFlow::Node getThrowsToNode() {
+    if exists(this.getEnclosingStmt().getEnclosingTryStmt())
+    then
+      result = DataFlow::parameterNode(this
+              .getEnclosingStmt()
+              .getEnclosingTryStmt()
+              .getACatchClause()
+              .getAParameter())
+    else result = any(DataFlow::FunctionNode f | f.getFunction() = this.getContainer()).getExceptionalReturn()
+  }
 }
 
 /**
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -1125,6 +1125,9 @@ class MidPathNode extends PathNode, MkMidNode {
     // Skip to the top of big left-leaning string concatenation trees.
     nd = any(AddExpr add).flow() and
     nd = any(AddExpr add).getAnOperand().flow()
+    or
+    // Skip the exceptional return on functions, as this highlights the entire function.
+    nd = any(DataFlow::FunctionNode f).getExceptionalReturn()
   }
 }
 
diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll
@@ -66,19 +66,7 @@ predicate localExceptionStep(DataFlow::Node pred, DataFlow::Node succ) {
     or
     DataFlow::exceptionalInvocationReturnNode(pred, expr)
   |
-    // Propagate out of enclosing function.
-    not exists(expr.getEnclosingStmt().getEnclosingTryStmt()) and
-    exists(Function f |
-      f = expr.getEnclosingFunction() and
-      DataFlow::exceptionalFunctionReturnNode(succ, f)
-    )
-    or
-    // Propagate to enclosing try/catch.
-    // To avoid false flow, we only propagate to an unguarded catch clause.
-    exists(TryStmt try |
-      try = expr.getEnclosingStmt().getEnclosingTryStmt() and
-      DataFlow::parameterNode(succ, try.getCatchClause().getAParameter())
-    )
+    succ = expr.getThrowsToNode()
   )
 }
 
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/ExceptionXss.qll b/javascript/ql/src/semmle/javascript/security/dataflow/ExceptionXss.qll
@@ -13,26 +13,6 @@ module ExceptionXss {
   import Xss::ReflectedXss as ReflectedXSS
   import Xss::StoredXss as StoredXss
   import Xss as XSS
-
-  DataFlow::ExceptionalInvocationReturnNode getCallerExceptionalReturn(Function func) {
-    exists(DataFlow::InvokeNode call |
-      not call.isImprecise() and
-      func = call.getACallee(0) and
-      result = call.getExceptionalReturn()
-    )
-  }
-
-  DataFlow::Node getExceptionalSuccessor(DataFlow::Node pred) {
-    if exists(pred.asExpr().getEnclosingStmt().getEnclosingTryStmt())
-    then
-      result = DataFlow::parameterNode(pred
-              .asExpr()
-              .getEnclosingStmt()
-              .getEnclosingTryStmt()
-              .getACatchClause()
-              .getAParameter())
-    else result = getCallerExceptionalReturn(pred.getContainer())
-  }
   
   /**
    * Holds if `node` cannot cause an exception containing sensitive information to be thrown.
@@ -92,13 +72,9 @@ module ExceptionXss {
       DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel inlbl,
       DataFlow::FlowLabel outlbl
     ) {
-      inlbl instanceof NotYetThrown and
-      (outlbl.isTaint() or outlbl instanceof NotYetThrown) and
-      succ = getExceptionalSuccessor(pred) and
-      (
-        canThrowSensitiveInformation(pred) or
-        pred = any(DataFlow::InvokeNode c).getExceptionalReturn()
-      )
+      inlbl instanceof NotYetThrown and (outlbl.isTaint() or outlbl instanceof NotYetThrown) and
+      succ = pred.asExpr().getThrowsToNode() and
+      canThrowSensitiveInformation(pred)
       or
       // All the usual taint-flow steps apply on data-flow before it has been thrown in an exception.
       this.isAdditionalFlowStep(pred, succ) and inlbl instanceof NotYetThrown and outlbl instanceof NotYetThrown
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ExceptionXss.expected
@@ -2,8 +2,6 @@ nodes
 | exception-xss.js:2:9:2:31 | foo |
 | exception-xss.js:2:15:2:31 | document.location |
 | exception-xss.js:2:15:2:31 | document.location |
-| exception-xss.js:4:20:4:20 | x |
-| exception-xss.js:5:14:5:14 | x |
 | exception-xss.js:9:11:9:13 | foo |
 | exception-xss.js:10:10:10:10 | e |
 | exception-xss.js:11:18:11:18 | e |
@@ -28,21 +26,12 @@ nodes
 | exception-xss.js:34:10:34:10 | e |
 | exception-xss.js:35:18:35:18 | e |
 | exception-xss.js:35:18:35:18 | e |
-| exception-xss.js:38:16:38:16 | x |
-| exception-xss.js:39:3:39:10 | exceptional return of deep2(x) |
-| exception-xss.js:39:9:39:9 | x |
-| exception-xss.js:41:17:41:17 | x |
-| exception-xss.js:42:3:42:10 | exceptional return of inner(x) |
-| exception-xss.js:42:9:42:9 | x |
 | exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) |
 | exception-xss.js:46:8:46:18 | "bar" + foo |
 | exception-xss.js:46:16:46:18 | foo |
 | exception-xss.js:47:10:47:10 | e |
 | exception-xss.js:48:18:48:18 | e |
 | exception-xss.js:48:18:48:18 | e |
-| exception-xss.js:74:28:74:28 | x |
-| exception-xss.js:75:4:75:11 | exceptional return of inner(x) |
-| exception-xss.js:75:10:75:10 | x |
 | exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) |
 | exception-xss.js:81:16:81:18 | foo |
 | exception-xss.js:82:10:82:10 | e |
@@ -76,15 +65,11 @@ edges
 | exception-xss.js:2:9:2:31 | foo | exception-xss.js:95:12:95:14 | foo |
 | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
 | exception-xss.js:2:15:2:31 | document.location | exception-xss.js:2:9:2:31 | foo |
-| exception-xss.js:4:20:4:20 | x | exception-xss.js:5:14:5:14 | x |
-| exception-xss.js:5:14:5:14 | x | exception-xss.js:15:3:15:12 | exceptional return of inner(foo) |
-| exception-xss.js:5:14:5:14 | x | exception-xss.js:42:3:42:10 | exceptional return of inner(x) |
-| exception-xss.js:5:14:5:14 | x | exception-xss.js:75:4:75:11 | exceptional return of inner(x) |
 | exception-xss.js:9:11:9:13 | foo | exception-xss.js:10:10:10:10 | e |
 | exception-xss.js:10:10:10:10 | e | exception-xss.js:11:18:11:18 | e |
 | exception-xss.js:10:10:10:10 | e | exception-xss.js:11:18:11:18 | e |
 | exception-xss.js:15:3:15:12 | exceptional return of inner(foo) | exception-xss.js:16:10:16:10 | e |
-| exception-xss.js:15:9:15:11 | foo | exception-xss.js:4:20:4:20 | x |
+| exception-xss.js:15:9:15:11 | foo | exception-xss.js:15:3:15:12 | exceptional return of inner(foo) |
 | exception-xss.js:16:10:16:10 | e | exception-xss.js:17:18:17:18 | e |
 | exception-xss.js:16:10:16:10 | e | exception-xss.js:17:18:17:18 | e |
 | exception-xss.js:21:11:21:13 | foo | exception-xss.js:21:11:21:21 | foo + "bar" |
@@ -99,22 +84,13 @@ edges
 | exception-xss.js:33:19:33:21 | foo | exception-xss.js:33:11:33:22 | ["bar", foo] |
 | exception-xss.js:34:10:34:10 | e | exception-xss.js:35:18:35:18 | e |
 | exception-xss.js:34:10:34:10 | e | exception-xss.js:35:18:35:18 | e |
-| exception-xss.js:38:16:38:16 | x | exception-xss.js:39:9:39:9 | x |
-| exception-xss.js:39:3:39:10 | exceptional return of deep2(x) | exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) |
-| exception-xss.js:39:9:39:9 | x | exception-xss.js:41:17:41:17 | x |
-| exception-xss.js:41:17:41:17 | x | exception-xss.js:42:9:42:9 | x |
-| exception-xss.js:42:3:42:10 | exceptional return of inner(x) | exception-xss.js:39:3:39:10 | exceptional return of deep2(x) |
-| exception-xss.js:42:9:42:9 | x | exception-xss.js:4:20:4:20 | x |
 | exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) | exception-xss.js:47:10:47:10 | e |
-| exception-xss.js:46:8:46:18 | "bar" + foo | exception-xss.js:38:16:38:16 | x |
+| exception-xss.js:46:8:46:18 | "bar" + foo | exception-xss.js:46:3:46:19 | exceptional return of deep("bar" + foo) |
 | exception-xss.js:46:16:46:18 | foo | exception-xss.js:46:8:46:18 | "bar" + foo |
 | exception-xss.js:47:10:47:10 | e | exception-xss.js:48:18:48:18 | e |
 | exception-xss.js:47:10:47:10 | e | exception-xss.js:48:18:48:18 | e |
-| exception-xss.js:74:28:74:28 | x | exception-xss.js:75:10:75:10 | x |
-| exception-xss.js:75:4:75:11 | exceptional return of inner(x) | exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) |
-| exception-xss.js:75:10:75:10 | x | exception-xss.js:4:20:4:20 | x |
 | exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) | exception-xss.js:82:10:82:10 | e |
-| exception-xss.js:81:16:81:18 | foo | exception-xss.js:74:28:74:28 | x |
+| exception-xss.js:81:16:81:18 | foo | exception-xss.js:81:3:81:19 | exceptional return of myWeirdInner(foo) |
 | exception-xss.js:82:10:82:10 | e | exception-xss.js:83:18:83:18 | e |
 | exception-xss.js:82:10:82:10 | e | exception-xss.js:83:18:83:18 | e |
 | exception-xss.js:89:11:89:13 | foo | exception-xss.js:89:11:89:26 | foo.match(/foo/) |

Original file line number	Diff line number	Diff line change
`@@ -1125,6 +1125,9 @@ class MidPathNode extends PathNode, MkMidNode {`
`1125`	`1125`	`// Skip to the top of big left-leaning string concatenation trees.`
`1126`	`1126`	`nd = any(AddExpr add).flow() and`
`1127`	`1127`	`nd = any(AddExpr add).getAnOperand().flow()`
	`1128`	`+ or`
	`1129`	`+ // Skip the exceptional return on functions, as this highlights the entire function.`
	`1130`	`+ nd = any(DataFlow::FunctionNode f).getExceptionalReturn()`
`1128`	`1131`	`}`
`1129`	`1132`	`}`
`1130`	`1133`