Inherit from a module?

[jghebre]

I'm working on a project where I need to override the isSource, isSink, isBarrier predicates for several JavaScript security queries.
I can do this by changing the library .qll file that the queries rely on but I wanted to use a higher level approach that only changes the base security query.

For the PrototypePollutingAssignment.ql:

import javascript
import semmle.javascript.security.dataflow.PrototypePollutingAssignmentQuery
import PrototypePollutingAssignmentFlow::PathGraph

from
  PrototypePollutingAssignmentFlow::PathNode source, PrototypePollutingAssignmentFlow::PathNode sink
where
  PrototypePollutingAssignmentFlow::flowPath(source, sink) and
  not isIgnoredLibraryFlow(source.getNode(), sink.getNode())
select sink, source, sink,
  "This assignment may alter Object.prototype if a malicious '__proto__' string is injected from $@.",
  source.getNode(), source.getNode().(Source).describe()

I understand that the dataflow configuration information comes from here in PrototypePollutingAssignmentQuery.qll:

/** A taint-tracking configuration for reasoning about prototype-polluting assignments. */
module PrototypePollutingAssignmentConfig implements DataFlow::StateConfigSig {
  class FlowState = PrototypePollutingAssignment::FlowState;

  predicate isSource(DataFlow::Node node, FlowState state) {
    node instanceof Source and state = FlowState::taint()
  }

  predicate isSink(DataFlow::Node node, FlowState state) { node.(Sink).getAFlowState() = state }

  predicate isBarrier(DataFlow::Node node) {
    node instanceof Sanitizer
    or
    // Concatenating with a string will in practice prevent the string `__proto__` from arising.
    exists(StringOps::ConcatenationRoot root | node = root |
      // Exclude the string coercion `"" + node` from this filter.
      not node.(StringOps::ConcatenationNode).isCoercion()
    )
    or
    node instanceof DataFlow::ThisNode
    or
    // Stop at .replace() calls that likely prevent __proto__ from arising
    exists(StringReplaceCall replace |
      node = replace and
      replace.getAReplacedString() = ["_", "p", "r", "o", "t"] and
      // Replacing with "_" is likely to be exploitable
      not replace.getRawReplacement().getStringValue() = "_" and
      (
        replace.maybeGlobal()
        or
        // Non-global replace with a non-empty string can also prevent __proto__ by
        // inserting a chunk of text that doesn't fit anywhere in __proto__
        not replace.getRawReplacement().getStringValue() = ""
      )
    )
    or
    node = DataFlow::MakeBarrierGuard<BarrierGuard>::getABarrierNode()
  }

  predicate isBarrierOut(DataFlow::Node node, FlowState state) {
    // Suppress the value-preserving step src -> dst in `extend(dst, src)`. This is modeled as a value-preserving
    // step because it preserves all properties, but the destination is not actually Object.prototype.
    node = any(ExtendCall call).getASourceOperand() and
    state = FlowState::objectPrototype()
  }

  predicate isBarrierIn(DataFlow::Node node, FlowState state) { isSource(node, state) }

...

I know that previously for Configurations classes we could simply extend and overide them like so:

class Config extends Configuration {
  override predicate isBarrier(DataFlow::Node node) { none() }

}
 

However these Configuration classes are now deprecated in favor of modules.

I can declare a new module that implements the same predicates as PrototypePollutingAssignmentConfig and that seems to allow me to keep the same funcitonality while changing certain predicates:

import javascript
import semmle.javascript.security.dataflow.PrototypePollutingAssignmentQuery


module GeneralConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { PrototypePollutingAssignmentConfig::isSource(source) }

  predicate isSink(DataFlow::Node sink) { PrototypePollutingAssignmentConfig::isSink(sink) }
}

module PPAC =
  DataFlow::GlobalWithState<GeneralConfig>;
import PPAC::PathGraph


from
  PPAC::PathNode source,
  PPAC::PathNode sink
where PPAC::flowPath(source, sink)
select sink, source, sink,
  "Call to " + sink.getNode().(Sink).getApiName() + " with untrusted data from $@.", source,
  source.toString()

My question is does CodeQL support a method to inherit the predicates from other modules so users override certain predicates? I want to try certain changes to sources, sinks and barriers at scale and it would be much simpler if I could just inherit the Config from the security query and override the 1 or 2 predicates I want, rather than redeclaring the config only to change what I want each time.

Thanks!

[redsun82]

👋 @jghebre

From what I tried, it does appear that is not possible. I got a somewhat terser way of doing that using module and predicate aliases:

module Cfg = PrototypePollutingAssignmentConfig;

module GeneralConfig implements DataFlow::StateConfigSig {
    class FlowState = Cfg::FlowState;
    predicate isSource = Cfg::isSource/2;
    predicate isSink = Cfg::isSink/2;
    predicate isBarrier = Cfg::isBarrier/2;
}

This still requires you to list all the "default" predicates you want to leave unchanged, but at least is less verbose than redefining the predicates.

Let me ask around whether there's another way to achieve what you want.

By the way, as far as I could see the latest version of the prototype pollution assignment query uses state data flow (which is why I'm implementing DataFlow::StateConfigSig above, and the predicates have two parameters), are you using the latest QL code?

[redsun82]

@jghebre I can confirm that at the current time there is no better solution than using aliases as I suggested. You're not the first asking for such a feature though, so I would not exclude this will be possible at some point in the future. We can't make any promises at this time though.

[jghebre]

I'll use the more concise method you suggested. For prototype pollution, I mixed up the data flow with another query, fixed it now.
Thanks for your help!