Skip to content

JS: type tracking for js/incomplete-hostname-regexp #1211

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
xiemaisi merged 10 commits into from Apr 15, 2019
Merged

JS: type tracking for js/incomplete-hostname-regexp #1211

xiemaisi merged 10 commits into from Apr 15, 2019

Conversation

@ghost
Copy link

@ghost ghost commented Apr 5, 2019

This query reformulates js/incomplete-hostname-regexp to use backwards type tracking to avoid forwards taint tracking of irrelevant strings.

To do this, the type tracking library is trivially generalized to support tracking of non-SourceNodes.

The expressivity of the reformulated query is not exactly the same, but I expect more results from the query since we now support additional sources, and no longer spuriously sanitize programmer-provided strings.

I suspect the idiom (t.continue() = t2 or t = t2) should be encapsulated as as t.taint() = t2, but I would like to see another use case before moving it into the library.

I have performed two evaluations: javscript-lgtm on big-apps.slugs, js/incomplete-hostname-regexp on default.slugs. There are no changes to the results (which I think is a good thing for this change), and the performance improves a bit.

@ghost ghost added the JS label Apr 5, 2019
@ghost ghost self-requested a review as a code owner April 5, 2019 06:41
@ghost ghost mentioned this pull request Apr 5, 2019
Closed
xiemaisi
xiemaisi suggested changes Apr 5, 2019
View reviewed changes
Copy link

@xiemaisi xiemaisi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! Glad to see this has finally come together. Have you tested this version of the query on a few of the projects we discussed earlier where the query used to take very long?

asger-semmle
asger-semmle reviewed Apr 5, 2019
View reviewed changes
@ghost ghost added the WIP This is a work-in-progress, do not merge yet! label Apr 5, 2019
@ghost
Copy link
Author

ghost commented Apr 8, 2019

Have you tested this version of the query on a few of the projects we discussed earlier where the query used to take very long?

~10% time reduction

@asger-semmle asger-semmle mentioned this pull request Apr 8, 2019
Merged
@ghost
Copy link
Author

ghost commented Apr 10, 2019

As discussed, I have added TypeBackTracker::step and TypeBackTracker::smallstep.
The change has no negative performance impact on big-apps.slugs/security.

We should follow this up with a similar change for the forwards tracker soon.

@ghost ghost mentioned this pull request Apr 10, 2019
Merged
xiemaisi
xiemaisi reviewed Apr 10, 2019
View reviewed changes
@xiemaisi
Copy link

xiemaisi commented Apr 10, 2019

We should follow this up with a similar change for the forwards tracker soon.

Could you make a JIRA issue for this?

@ghost ghost removed the WIP This is a work-in-progress, do not merge yet! label Apr 12, 2019
@xiemaisi xiemaisi merged commit 4c9edaf into github:master Apr 15, 2019
@xiemaisi xiemaisi mentioned this pull request Apr 23, 2019
Merged
@ghost ghost mentioned this pull request Jun 3, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

JS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@xiemaisi @asger-semmle