CodeQL library for JavaScript/TypeScript
codeql/javascript-all 2.1.1-dev (changelog, source)
Class Configuration

A taint-tracking configuration for reasoning about second order command-injection vulnerabilities.

Import path

import semmle.javascript.security.dataflow.SecondOrderCommandInjectionQuery

Direct supertypes

Indirect supertypes

Predicates

isAdditionalFlowStep

Holds if src -> trg is a flow edge converting flow with label inlbl to flow with label outlbl.

isSanitizer

Holds if the intermediate node node is a taint sanitizer, that is, tainted values cannot flow into or out of node.

isSanitizerGuard

Holds if data flow node guard can act as a sanitizer when appearing in a condition.

isSink

Holds if sink is a sink of flow labeled with lbl that is relevant for this configuration.

isSource

Holds if source is a source of flow labeled with lbl that is relevant for this configuration.

Inherited predicates

charAt

Returns a one-character string containing the character in the receiver at the given index (which ranges from 0 through length minus one)

from string
codePointAt

Returns an integer for the Unicode code point value of the character starting at the given index, counted by UTF-16 code units.

from string
codePointCount

Returns the number of Unicode code points found in the receiver between the given start index (inclusive) and end index (exclusive).

from string
getDefaultSourceLabel

Gets the flow label to associate with sources added by the 1-argument isSource predicate.

from Configuration
getId

Gets the unique identifier of this configuration among all data flow tracking configurations.

from Configuration
hasFlow

Holds if data may flow from source to sink for this configuration.

from Configuration
hasFlowPath

Holds if data may flow from source to sink for this configuration.

from Configuration
indexOf

Returns all the offsets (starting at 0) at which the given string occurs in the receiver. Has no result if the string does not occur in the receiver.

from string
indexOf

Returns the index of the n’th (starting at 0) occurrence of the given string within the receiver, starting at the given 0-based offset. Has no result if the string does not occur in the receiver.

from string
isAdditionalFlowStep

Holds if src -> trg should be considered as a flow edge in addition to standard data flow edges.

from Configuration
isAdditionalFlowStep

INTERNAL: This predicate should not normally be used outside the data flow library.

from Configuration
isAdditionalLoadStep

EXPERIMENTAL. This API may change in the future.

from Configuration
isAdditionalLoadStoreStep

EXPERIMENTAL. This API may change in the future.

from Configuration
isAdditionalLoadStoreStep

EXPERIMENTAL. This API may change in the future.

from Configuration
isAdditionalStoreStep

EXPERIMENTAL. This API may change in the future.

from Configuration
isAdditionalTaintStep

Holds if the additional taint propagation step from pred to succ must be taken into account in the analysis.

from Configuration
isBarrier

Holds if the intermediate flow node node is prohibited.

from Configuration
isBarrierEdge

Holds if flow from pred to succ is prohibited.

from Configuration
isBarrierEdge

Holds if flow with label lbl cannot flow from pred to succ.

from Configuration
isBarrierGuard

Holds if data flow node guard can act as a barrier when appearing in a condition.

from Configuration
isBarrierIn

Holds if flow into node is prohibited.

from Configuration
isBarrierIn

Holds if flow into node is prohibited for the flow label lbl.

from Configuration
isBarrierOut

Holds if flow out of node is prohibited.

from Configuration
isBarrierOut

Holds if flow out of node is prohibited for the flow label lbl.

from Configuration
isLabeledBarrier

Holds if flow with label lbl cannot flow into node.

from Configuration
isLowercase

Holds when the receiver contains no upper-case letters. This includes the case where the receiver contains no letters at all, for example, if it’s an empty string or only consists of non-letter symbols.

from string
isSanitizerEdge

Holds if the edge from pred to succ is a taint sanitizer.

from Configuration
isSanitizerEdge

Holds if the edge from pred to succ is a taint sanitizer for data labelled with lbl.

from Configuration
isSanitizerIn

Holds if flow into node is prohibited.

from Configuration
isSanitizerIn

Holds if flow into node is prohibited for the flow label lbl.

from Configuration
isSanitizerOut

Holds if flow out of node is prohibited.

from Configuration
isSanitizerOut

Holds if flow out of node is prohibited for the flow label lbl.

from Configuration
isSink

Holds if sink is a relevant taint sink.

from Configuration
isSource

Holds if source is a relevant taint source.

from Configuration
isUppercase

Holds when the receiver contains no lower-case letters. This includes the case where the receiver contains no letters at all, for example, if it’s an empty string or only consists of non-letter symbols.

from string
length

Returns the length of the receiver (in UTF-16 code units)

from string
matches

Holds when the receiver matches the pattern. Patterns are matched by case sensitive string matching, and there are two wildcards: _ matches a single character, and % matches any sequence of characters. To match the actual characters _ or % in the pattern, they must be escaped using backslashes. For example, "anythingstring%".matches("%string\\%") holds. To match a literal backslash in front of _ or %, you must escape the backslash. Backslashes that are not part of an escape sequence are matched as literals.

from string
prefix

Returns the substring of the receiver ending at the given 0-based exclusive offset

from string
regexpCapture

When the given regular expression matches the entire receiver, returns the substring matched by the given capture group (starting at 1). The regex format used is Java’s Pattern.

from string
regexpFind

Returns a substring of the receiver which matches the given regular expression. Also returns the offset within the receiver (starting at 0) at which the match occurred (occurrenceOffset), and the number of matches which occur at smaller offsets (occurrenceIndex). The regex format used is Java’s Pattern.

from string
regexpMatch

Holds when the given regular expression matches the entire receiver. The regex format used is Java’s Pattern.

from string
regexpReplaceAll

Returns a copy of the receiver with every substring which matches the given regular expression replaced by the replacement. The regex format used is Java’s Pattern. The replacement string can contain references to captured groups as described in Java’s appendReplacement docs.

from string
replaceAll

Returns a copy of the receiver with all occurrences of the target replaced by the replacement

from string
splitAt

Returns all the substrings obtained by splitting the receiver at every occurrence of the argument. Trailing empty substrings are omitted. Splitting at an empty string returns all the characters that the receiver consists of.

from string
splitAt

Returns the n’th (starting at 0) substring obtained by splitting the receiver at every occurrence of the argument. Trailing empty substrings are omitted. Splitting at an empty string returns all the characters that the receiver consists of.

from string
substring

Returns the substring of the receiver which starts and ends at the given indices. Both indices are 0-based. The start index is inclusive and the end index is exclusive.

from string
suffix

Returns the substring of the receiver starting at the given 0-based inclusive offset

from string
toBigInt

Returns the arbitrary-precision signed integer, if any, obtained by parsing the receiver. The number may consist of an optional leading + or -, followed by one or more digits.

from string
toDate

Returns the date, if any, obtained by parsing the receiver. The recognized formats are described in the documentation.

from string
toFloat

Returns the 64-bit floating point number, if any, obtained by parsing the receiver. The parsing rules are described in Java’s valueOf docs.

from string
toInt

Returns the 32-bit signed integer, if any, obtained by parsing the receiver. The number may consist of an optional leading + or -, followed by one or more digits. Has no result if the value exceeds the value range supported by the int type.

from string
toLowerCase

Returns a copy of the receiver with all uppercase characters replaced by lowercase ones according to Unicode case conversion rules.

from string
toString

Returns the receiver

from string
toUpperCase

Returns a copy of the receiver with all lowercase characters replaced by uppercase ones according to Unicode case conversion rules.

from string
trim

Returns a copy of the receiver with all whitespace removed from the beginning and end of the string (where whitespace is defined as Unicode code points ‘\u0000’ through ‘\u0020’ inclusive)

from string

Charpred