JS: Move isThirdPartyControllable into RequestInputAccess

Author: asger-semmle

javascript/ql/src/semmle/javascript/frameworks/HTTP.qll

@@ -400,7 +400,20 @@ module HTTP {
      */
     abstract string getKind();
 
-    override predicate isThirdPartyControllable() {
+    /**
+     * Holds if this part of the request may be controlled by a third party,
+     * that is, an agent other than the one who sent the request.
+     *
+     * This is true for the URL, query parameters, and request body.
+     * These can be controlled by a malicious third party in the following scenarios:
+     *
+     * - The user clicks a malicious link or is otherwise redirected to a malicious URL.
+     * - The user visits a web site that initiates a form submission or AJAX request on their behalf.
+     *
+     * In these cases, the request is technically sent from the user's browser, but
+     * the user is not in direct control of the URL or POST body.
+     */
+    predicate isThirdPartyControllable() {
       exists (string kind | kind = getKind() |
         kind = "parameter" or
         kind = "url" or

javascript/ql/src/semmle/javascript/security/dataflow/ReflectedXss.qll

@@ -43,10 +43,10 @@ module ReflectedXss {
     }
   }
 
-  /** A source of remote user input, considered as a flow source for reflected XSS. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() {
-      this.(RemoteFlowSource).isThirdPartyControllable()
+  /** A third-party controllable request input, considered as a flow source for reflected XSS. */
+  class ThirdPartyRequestInputAccessAsSource extends Source {
+    ThirdPartyRequestInputAccessAsSource() {
+      this.(HTTP::RequestInputAccess).isThirdPartyControllable()
     }
   }
 

javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll

@@ -10,18 +10,6 @@ import semmle.javascript.security.dataflow.DOM
 abstract class RemoteFlowSource extends DataFlow::Node {
   /** Gets a string that describes the type of this remote flow source. */
   abstract string getSourceType();
-
-  /**
-   * Holds if this flow source comes from an incoming request, and this part of the
-   * request can be controlled by a third party, that is, an actor other than the one
-   * sending the request.
-   *
-   * Any web site can redirect the visitor's browser to any other domain, and in doing so control
-   * the entire URL and POST body. In this scenario, these values are technically sent by the
-   * user's browser, but the user is not in direct control of these values, so they are considered
-   * third-party controllable.
-   */
-  predicate isThirdPartyControllable() { none() }
 }
 
 /**

javascript/ql/src/semmle/javascript/security/dataflow/ServerSideUrlRedirect.qll

@@ -91,9 +91,9 @@ module ServerSideUrlRedirect {
   }
 
   /** A source of third-party user input, considered as a flow source for URL redirects. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() {
-      this.(RemoteFlowSource).isThirdPartyControllable()
+  class ThirdPartyRequestInputAccessAsSource extends Source {
+    ThirdPartyRequestInputAccessAsSource() {
+      this.(HTTP::RequestInputAccess).isThirdPartyControllable()
     }
   }