Commit 1b5c739

restrict the size of the getASubexpressionWithinQuery predicate, and remove double-recursion
1 parent bdd07de commit 1b5c739

File tree (1 file changed, +5 −1 lines changed):

  • javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling


javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/NosqlInjectionATM.qll

Lines changed: 5 additions & 1 deletion
@@ -120,13 +120,17 @@ predicate isBaseAdditionalFlowStep(
120120
}
121121

122122
/**
123+
* Gets a value that is (transitively) written to `query`, where `query` is a NoSQL sink.
124+
*
123125
* This predicate allows us to propagate data flow through property writes and array constructors
124126
* within a query object, enabling the security query to pick up NoSQL injection vulnerabilities
125127
* involving more complex queries.
126128
*/
127129
DataFlow::Node getASubexpressionWithinQuery(DataFlow::Node query) {
130+
any(NosqlInjectionATMConfig cfg).isEffectiveSink(query) and
128131
exists(DataFlow::SourceNode receiver |
129-
receiver.flowsTo(getASubexpressionWithinQuery*(query.getALocalSource())) and
132+
receiver = [getASubexpressionWithinQuery(query), query].getALocalSource()
133+
|
130134
result =
131135
[receiver.getAPropertyWrite().getRhs(), receiver.(DataFlow::ArrayCreationNode).getAnElement()]
132136
)
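Review bot: the new restriction `any(NosqlInjectionATMConfig cfg).isEffectiveSink(query) and` on line 130 changes the predicate's contract (a caller passing a node that is not an effective sink now gets no result at all), but the updated doc comment on lines 123-124 only says that `query` "is a NoSQL sink"; spell out in the comment that the predicate is empty for any other node, so the size restriction is not later mistaken for a missing case. On the recursion change, replacing `receiver.flowsTo(getASubexpressionWithinQuery*(query.getALocalSource()))` with `receiver = [getASubexpressionWithinQuery(query), query].getALocalSource()` relies on the predicate's own recursion through `result` to reach nested property writes and array elements, which is exactly what the explicit `*` closure was walking a second time; a one-line comment inside the `exists` noting that `query` is the base case and the recursion is intentional would stop a future reader from re-adding the closure.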

0 commit comments
