File tree 2 files changed +16
-0
lines changed
javascript/ql/lib/semmle/javascript
2 files changed +16
-0
lines changed Original file line number Diff line number Diff line change @@ -26,6 +26,11 @@ class ThreatModelSource extends DataFlow::Node instanceof ThreatModelSource::Ran
2626
2727 /** Gets a string that describes the type of this threat-model source. */
2828 string getSourceType ( ) { result = super .getSourceType ( ) }
29+
30+ /**
31+ * Holds if this is a source of data that is specific to the web browser environment.
32+ */
33+ predicate isClientSideSource ( ) { super .isClientSideSource ( ) }
2934}
3035
3136/** Provides a class for modeling new sources for specific threat-models. */
@@ -48,6 +53,11 @@ module ThreatModelSource {
4853
4954 /** Gets a string that describes the type of this threat-model source. */
5055 abstract string getSourceType ( ) ;
56+
57+ /**
58+ * Holds if this is a source of data that is specific to the web browser environment.
59+ */
60+ predicate isClientSideSource ( ) { this .getThreatModel ( ) = "view-component-input" }
5161 }
5262}
5363
Original file line number Diff line number Diff line change @@ -24,12 +24,18 @@ private module Cached {
2424
2525 /**
2626 * A source of remote input in a web browser environment.
27+ *
28+ * Note that this does not include `view-component-input` sources even if that threat model has been enabled by the user.
29+ * Consider using the predicate `ThreatModelSource#isClientSideSource()` to check for a broader class of client-side sources.
2730 */
2831 cached
2932 abstract class ClientSideRemoteFlowSource extends RemoteFlowSource {
3033 /** Gets a string indicating what part of the browser environment this was derived from. */
3134 cached
3235 abstract ClientSideRemoteFlowKind getKind ( ) ;
36+
37+ cached
38+ final override predicate isClientSideSource ( ) { any ( ) }
3339 }
3440}
3541
You can’t perform that action at this time.
0 commit comments