JS: change alert messages of path queries to use the same template #10286
Conversation
erik-krogh
force-pushed
the
js-followMsg
branch
from
8450042 to
e3bd767
Compare
erik-krogh
force-pushed
the
js-followMsg
branch
from
e3bd767 to
aa56ca3
Compare
erik-krogh
added
the
ready-for-doc-review
|
Hello from this week's docs first responder 👋 Thanks for creating this PR! I've added it to our review board for another writer to look at. They'll be able to advise on any additional considerations for this change. |
There was a problem hiding this comment.
@erik-krogh - many thanks for continuing to improve the consistency and clarity of our alert comments ✨
As you work on this, it would be great if you could update the Style guide with the patterns you've implemented for common situations.
This generally looks good to me, as far as I can interpret the statements. I've added a few questions and comments for your consideration.
| @@ -28,5 +28,5 @@ where | |||
| else highlight = sink.getNode() | |||
| ) and | |||
| sourceNode = source.getNode() | |||
| select highlight, source, sink, "$@ flows to here and is used in a command.", source.getNode(), | |||
| sourceNode.getSourceType() | |||
| select highlight, source, sink, "This command line depends on $@.", source.getNode(), | |||
There was a problem hiding this comment.
I notice that for this query you include "This" but that this is omitted in TemplateObjectInjection.ql. Do you have a rule of thumb for deciding when to include "This" and when to omit it.
I'm wondering if we should update https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#alert-messages, based on your work on select statements.
There was a problem hiding this comment.
I notice that for this query you include "This" but that this is omitted in TemplateObjectInjection.ql. Do you have a rule of thumb for deciding when to include "This" and when to omit it.
I don't have a rule of thumb, I think it was a coincidence.
I think I prefer the more concise version without "This", so I'll remove the "This" from CommandInjection.ql.
I'm wondering if we should update https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#alert-messages, based on your work on select statements.
We should! I'll get on that when I rewrite the alert-messages for the next language (after merging this PR).
| select sinkNode.getAlertLocation(), source, sink, "$@ which depends on $@ is later used in $@.", | ||
| sinkNode.getAlertLocation(), sinkNode.getSinkType(), source.getNode(), "library input", | ||
| sinkNode.getCommandExecution(), "shell command" |
There was a problem hiding this comment.
Maybe this should contain an article, similar to other select statements? This suggestion is something of a guess.
| select sinkNode.getAlertLocation(), source, sink, "$@ which depends on $@ is later used in $@.", | |
| sinkNode.getAlertLocation(), sinkNode.getSinkType(), source.getNode(), "library input", | |
| sinkNode.getCommandExecution(), "shell command" | |
| select sinkNode.getAlertLocation(), source, sink, "$@ which depends on $@ is later used in $@.", | |
| sinkNode.getAlertLocation(), sinkNode.getSinkType(), source.getNode(), "library input", | |
| sinkNode.getCommandExecution(), "a shell command" |
| @@ -18,6 +18,6 @@ import semmle.javascript.security.dataflow.UnsafeHtmlConstructionQuery | |||
|
|
|||
| from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, Sink sinkNode | |||
| where cfg.hasFlowPath(source, sink) and sink.getNode() = sinkNode | |||
| select sinkNode, source, sink, "$@ based on $@ might later cause $@.", sinkNode, | |||
| select sinkNode, source, sink, "$@ which depends on $@ might later cause $@.", sinkNode, | |||
There was a problem hiding this comment.
Does this actually cause cross-site scripting, or might it be vulnerable to cross-site scripting?
I see that UnsafeDynamicMethodAccess.ql below uses: "may lead to remote code execution".
There was a problem hiding this comment.
The query detects something that appears unsafe, but that's not a full exploitable vulnerability.
The full vulnerability requires that the library (flagged by the query) is used with unsafe inputs in some other project.
So that's why there is a "might" in the alert message.
There was a problem hiding this comment.
I'd suggest replacing "cause" since the code doesn't cause cross-site scripting, it seems more as if it "allows" a hacker to perform cross-site scripting.
| select sinkNode, source, sink, "$@ which depends on $@ might later cause $@.", sinkNode, | |
| select sinkNode, source, sink, "$@ which depends on $@ might later allow $@.", sinkNode, |
| @@ -18,4 +18,4 @@ from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink | |||
| where cfg.hasFlowPath(source, sink) | |||
| select sink, source, sink, | |||
| "Invocation of method derived from $@ may lead to remote code execution.", source.getNode(), | |||
There was a problem hiding this comment.
Should this be more like:
| "Invocation of method derived from $@ may lead to remote code execution.", source.getNode(), | |
| "This method is invoked using $@, which may allow remote code execution.", source.getNode(), |
| @@ -18,5 +18,5 @@ import DataFlow::PathGraph | |||
|
|
|||
| from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink | |||
| where cfg.hasFlowPath(source, sink) | |||
| select sink.getNode(), source, sink, "A $@ is used as" + sink.getNode().(Sink).getMessage(), | |||
| select sink.getNode(), source, sink, sink.getNode().(Sink).getMessage() + " depends on $@.", | |||
| source.getNode(), "user-provided value" | |||
There was a problem hiding this comment.
| source.getNode(), "user-provided value" | |
| source.getNode(), "a user-provided value" |
| "Iterating over user-controlled object with a potentially unbounded .length property from $@.", | ||
| source, "here" | ||
| source, "a user-provided value" |
There was a problem hiding this comment.
Maybe more like this (it won't let me add a suggestion).
"Iteration over a user-controlled object with a potentially unbounded .length property from $@.",
source, "a user-provided value"
erik-krogh
removed
the
ready-for-doc-review
I just did this for Python: #10252, now I'm doing the same thing for JavaScript.
I'm rewriting alert messages for the taint tracking queries:
This path depends on a user-provided value.User-provided value flows to this location and is used in a path.I also generally tried to use "this location" instead of "here".
I tried to formulate messages to use "depends on" and use the term "a user-provided value".
The previous change-note for changing the alert messages still cover this PR.