Skip to content

Address deprecation of PathExpr and port ZipSlipQuery #230

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Address deprecation of PathExpr and port ZipSlipQuery #230

wants to merge 9 commits into from
+137 −165

Conversation

jeongsoolee09
Copy link
Contributor

@jeongsoolee09 jeongsoolee09 commented Sep 16, 2025
edited
Loading

What This PR Contributes

Rewrite XSJSZipSlip with new data flow APIs

XSJSZipSlip was the only query that wasn't ported to the newer data flow API in PR #220. This PR not only ports the query to using the newer API, it rewrites the entire query to be visually and conceptually cleaner.

WebRequestBody as unified RemoteFlowSource

Previously, methods asArrayBuffer, asString, and asWebRequest on these types were RemoteFlowSources on their own:

  • WebRequestBody (having access paths $.request and $.request.entities.* in source code)
  • InboundResponse.body (having acess paths $.net.http.Client::getResponse().body() in source code)

This made alert reporting a bit perplexing both conceptually and practically, as (1) these method calls could be mistaken as a side-effecting entrypoint that pulls data in, and (2) the data flow as reported starts from the call to these methods and not the actual request body or a response.

Therefore, we place the WebRequestBody on the sourceModel and leave only the InboundResponse on the sourceModel, and calls to the above three methods on the summaryModel.

Clean up, port, and streamline XSJSZipSlipQuery

  • XSJSZipInstanceDependingOnRemoteFlowSource is unnecessary when we have a combination of (1) unified RemoteFlowSource discussed above, (2) the data flow that starts from it, and (3) a stateful data flow config (enforcing the taint tracking to filter out flows that does not have an XSJSZipInstance along the way).
  • XSJSRemoteFlowSourceToZipInstanceStep is a special case of a kind of step already covered by the data flow library.
  • Port ZipEntryPathIndexOfCallEqualsZeroGuard to use DataFlow::MakeBarrierGuard.
  • Demote the ForInLoopDomainToVariableStep to a query-dependent step, from being a SharedFlowStep.

Replace deprecated PathString with FileSystem::Folder::Resolve

  • PathString is deprecated, so use FileSystem::Folder::Resolve<shouldResolve/2>::resolve where shouldResolve restricts the possible set of (container, path) pairs using the predefined isAnUnResolvedResourceRoot.

Miscellaneous

  • Remove rows that are commented out in xsjs.model.yml.
  • Remove obsolete module webBody.qll.

Future Works

  • Remove the deprecated DbLocation in ListXssPartialPaths.

@jeongsoolee09 jeongsoolee09 changed the title Address deprecation on PathExpr and port ZipSlipQuery Address deprecation of PathExpr and port ZipSlipQuery Sep 16, 2025
@jeongsoolee09 jeongsoolee09 marked this pull request as ready for review September 18, 2025 19:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knewbury01 knewbury01 Awaiting requested review from knewbury01

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jeongsoolee09