wip: another nested if() test case

2025-12-16 03:53:04 +01:00 · 2023-12-05 19:46:57 -08:00
parent 405b3a0661
commit 301d1ca2f5
2 changed files with 26 additions and 18 deletions
--- a/session/session1.ql
+++ b/session/session1.ql
@@ -44,17 +44,10 @@ predicate setValueTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    // 1. without sanitizer
    gr.getASuccessor+() = postgr and
    succ.asExpr() = postgr
-    //
-    // 2. with recursive predicate, no sanitizer
-    // recursiveSuccessor(gr, postgr) and
-    // succ.asExpr() = postgr
-    // 3. with recursive predicate, with sanitizer
-    // sanitizerCheckedSuccessor(gr, postgr) and
-    // succ.asExpr() = postgr
  )
 }

-// Def-Use special handling:
+// Def-Use special handling.  Not needed here, but a good example of recursive predicates.
 // - Include sanitizer check when flagging successive object member calls in taint
 //   step.
 // - Stop at
@@ -153,7 +146,6 @@ class CanWriteGuard extends TaintTracking::SanitizerGuardNode, DataFlow::CallNod
    // outcome is the result of the conditional (the true or false branch)
    outcome = true and
    e = this.getReceiver().asExpr()
-    // or e.getASuccessor+() = this.getReceiver().asExpr()
  }
 }

--- a/source/sample-utility-0.js
+++ b/source/sample-utility-0.js
@@ -1,30 +1,46 @@
-var SampleUtility = function(){};
+var SampleUtility = function () { };
 SampleUtility.prototype = Object.extendsObject(Processor, {
-    
-    setUserStatus: function() {
+
+    setUserStatus: function () {
        var value = this.getParameter('value');

        var ua = new GR('users');
        ua.query();
-        
-        if(!ua.hasNext()){
+
+        if (!ua.hasNext()) {
            ua.initialize();
-            ua.setValue('status',value);
+            ua.setValue('status', value);
            ua.insert();
        }
        else {
            ua.next();
-            ua.setValue('status',value); // unsafe
+            ua.setValue('status', value); // unsafe
            ua.update();
            // Nested if() test.
            if (ua.safeToWrite()) {
                ua.setValue('status', value); // safe
                ua.update();
-            }        
+            }
        }

+        if (ua !== null) {
+            1
+        } else {
+            if (ua.safeToWrite()) {
+                ua.setValue('status', value);
+                ua.update();
+            }
+        }

+        if (ua == magicval) {
+            1
+        } else {
+            if (ua.safeToWrite()) {
+                ua.setValue('status', value);
+                ua.update();
+            }
+        }
    },
-    
+
    type: 'SampleUtility'
 });