JS: use isUserControlledObject in js/type-confusion-through-parameter-tampering

Esben Sparre Andreasen · Esben Sparre Andreasen · commit f0343d067836 · 2018-11-07T12:18:46.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTampering.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTampering.qll
@@ -54,12 +54,7 @@ module TypeConfusionThroughParameterTampering {
   private class TypeTamperableRequestParameter extends Source {
 
     TypeTamperableRequestParameter() {
-      this.(HTTP::RequestInputAccess).getKind() = "parameter" and
-      not exists (Express::RequestExpr request, DataFlow::PropRead base |
-        // Express's `req.params.name` is always a string
-        base.accesses(request.flow(), "params") and
-        this = base.getAPropertyRead(_)
-      )
+      this.(HTTP::RequestInputAccess).isUserControlledObject()
     }
 
   }

Original file line number	Diff line number	Diff line change
`@@ -54,12 +54,7 @@ module TypeConfusionThroughParameterTampering {`
`54`	`54`	`private class TypeTamperableRequestParameter extends Source {`
`55`	`55`
`56`	`56`	`TypeTamperableRequestParameter() {`
`57`		`- this.(HTTP::RequestInputAccess).getKind() = "parameter" and`
`58`		`- not exists (Express::RequestExpr request, DataFlow::PropRead base \|`
`59`		- // Express's `req.params.name` is always a string
`60`		`- base.accesses(request.flow(), "params") and`
`61`		`- this = base.getAPropertyRead(_)`
`62`		`- )`
	`57`	`+ this.(HTTP::RequestInputAccess).isUserControlledObject()`
`63`	`58`	`}`
`64`	`59`
`65`	`60`	`}`