JS: Add view-component-input threat model

[asgerf]

We sometimes get requests from users to treat React props, Vue props, or Angular inputs as taint sources. Such inputs are not true taint sources however, and tend to generate many false positives in practice if used as taint sources. These inputs are akin to function parameters in that they just hold whatever values are passed in at the component's instantiation site.

As a middle ground, this PR adds a new threat model kind called view-component-input. When enabled, React props, Vue props, and Angular2 inputs are seen as taint sources.

Also adds a new meta-query to report changes to threat model sources other than remote.

Evaluations:

• Evaluation with threat model turned on shows 14k new taint sources and 283 new alerts. I haven't found any TPs in the new alerts.
• Evaluation of just the type-restricting commit shows a couple of sources of type boolean or number gets filtered out.

Copilot reviewed 16 out of 34 changed files in this pull request and generated no comments.

Files not reviewed (18)

• docs/codeql/reusables/threat-model-description.rst: Language not supported
• javascript/ql/lib/semmle/javascript/Concepts.qll: Language not supported
• javascript/ql/lib/semmle/javascript/ViewComponentInput.qll: Language not supported
• javascript/ql/lib/semmle/javascript/frameworks/Angular2.qll: Language not supported
• javascript/ql/lib/semmle/javascript/frameworks/React.qll: Language not supported
• javascript/ql/lib/semmle/javascript/frameworks/Vue.qll: Language not supported
• javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll: Language not supported
• javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsCustomizations.qll: Language not supported
• javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll: Language not supported
• javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll: Language not supported
• javascript/ql/lib/semmle/javascript/security/dataflow/RemoteFlowSources.qll: Language not supported
• javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll: Language not supported
• javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll: Language not supported
• javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll: Language not supported
• javascript/ql/src/meta/alerts/TaintSources.ql: Language not supported
• javascript/ql/src/meta/alerts/ThreatModelSources.ql: Language not supported
• javascript/ql/src/meta/internal/TaintMetrics.qll: Language not supported
• javascript/ql/test/library-tests/frameworks/Angular2/test.expected: Language not supported

Tip: Copilot only keeps its highest confidence comments to reduce noise and keep you focused. Learn more

[erik-krogh]

👍

The whole safe-type thing seems somewhat like whack-a-mole on FPs.
But it's probably fine, and I don't have better ideas.

[erik-krogh]

all of these are named "sink", but they're sources, right?

[asgerf]

They're like React props, they're just passed in from the instantiation site. When I initially wrote this test long ago, I had omitted the @Input() decorator on these fields, which you're supposed to put on such input fields in Angular (not sure if they're strictly required though).

If the threat model is enabled they become sources (in addition to having incoming flow from instantiation sites). The unit test now reports which nodes are associated with this threat model, but the threat model is not actually enabled, so the data flow test doesn't treat them as taint sources.

[asgerf]

The whole safe-type thing seems somewhat like whack-a-mole on FPs.

I think it makes sense if you think about it in terms of division of responsibility between user and library. If something has type number then it's reasonable to say that the caller should ensure that only numbers are passed in. If something has type string the library is responsible for handling that safely.