Skip to content

ATM: Boost XssThroughDOM #11486

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jhelie merged 8 commits into from
Dec 2, 2022
Merged

ATM: Boost XssThroughDOM #11486

jhelie merged 8 commits into from
Dec 2, 2022

Conversation

@tiferet
Copy link
Contributor

@tiferet tiferet commented Nov 30, 2022
edited
Loading

This is a new version of #11204 based on top of the CodeQL refactoring, of which #11323 is the final PR.

@jhelie Because rebasing was too hard, I created this new version of your PR based on top of the new CodeQL framework. As I did this, though, I noticed that, as I understand it, there are more changes that need to be made when boosting a new query that are missing from your PR. Searching the repo for the substring XssAtm I found changes that I think need to be made for XssThroughDOM in the following files:

  • javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/EndpointFeatures.ql
  • javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/FilteredTruePositives.ql
  • javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/DebugResultInclusion.ql
  • javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointDataTraining.qll (this one will go away if we deprecate hasFlowFromSource from the training data)

The changes to the tests will also require changes to the .expected files, of course.

@github-actions github-actions bot added the ATM label Nov 30, 2022
@tiferet tiferet mentioned this pull request Nov 30, 2022
Closed
Base automatically changed from tiferet/simplify-configs to main November 30, 2022 01:39
@tiferet tiferet force-pushed the tiferet/boost-xss-through-dom branch from a2921cb to b885249 Compare November 30, 2022 01:40
@owen-mc owen-mc changed the title Boost XssThroughDOM ATM: Boost XssThroughDOM Nov 30, 2022
@jhelie
Copy link
Contributor

jhelie commented Dec 1, 2022

I'm not sure why the tests are failing, I can run the query on my machine and the tests pass.

@henrymercer
Copy link
Contributor

henrymercer commented Dec 1, 2022

The tests run on a merge commit, and there have been changes on main since this PR. So I think we can resolve this by merging in main and updating the code, e.g. the getAlerts predicate specifically.

@jhelie
Copy link
Contributor

jhelie commented Dec 1, 2022
edited
Loading

I've merged main but I'm not sure which piece of code I'm supposed to update?

I see it, ignore me

@henrymercer
Copy link
Contributor

henrymercer commented Dec 1, 2022

Can you now reproduce the test failures locally?

@jhelie jhelie marked this pull request as ready for review December 1, 2022 22:09
@jhelie jhelie requested a review from a team December 1, 2022 22:09
@tiferet
Copy link
Contributor Author

tiferet commented Dec 1, 2022

Note: When #11532 gets merged XssThroughDOM should be added to that test as well.

adityasharad
adityasharad approved these changes Dec 1, 2022
View reviewed changes
Copy link
Collaborator

@adityasharad adityasharad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code changes look good. Assuming no other concerns from the team, I recommend merging this as is, so we don't accumulate conflicts with other PRs, and evaluating the combined state of main.

javascript/ql/experimental/adaptivethreatmodeling/src/XssThroughDomATM.ql
@@ -0,0 +1,25 @@
/**
* For internal use only.
Copy link
Collaborator

@adityasharad adityasharad Dec 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shall we just remove this comment now, so we don't forget later? Here and in the corresponding QLL file.

Copy link
Contributor

@jhelie jhelie Dec 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment is present in all ATM-related .ql and .qll so probably best done in a separate PR given the churn. I'll open one.

@jhelie
Copy link
Contributor

jhelie commented Dec 2, 2022

Merging now, and will evaluate new main state.

@jhelie jhelie merged commit 3f203ea into main Dec 2, 2022
@jhelie jhelie deleted the tiferet/boost-xss-through-dom branch December 2, 2022 09:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adityasharad adityasharad adityasharad approved these changes

+1 more reviewer

@jhelie jhelie jhelie left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

ATM

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@tiferet @jhelie @henrymercer @adityasharad