Introduce recursive predicate in prepatation for sanitizer; add guard condition

guard condition: if (ua.safeToWrite())...

sample-utility-0.js

@@ -14,9 +14,15 @@ SampleUtility.prototype = Object.extendsObject(Processor, {
         }
         else {
             ua.next();
-	    ua.setValue('status',value);
+            ua.setValue('status',value); // unsafe
             ua.update();
         }
+
+        if (ua.safeToWrite()) {
+            ua.setValue('status', value); // safe
+            ua.update();
+        }        
+
     },
     
     type: 'SampleUtility'

session/session1.ql

@@ -40,11 +40,50 @@ predicate setValueTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
     // succ = gr.flow().getASuccessor+() and
     //
     // Using control flow:
-    gr.getASuccessor+() = postgr and
+    // 1. without sanitizer
+    // gr.getASuccessor+() = postgr and
+    // succ.asExpr() = postgr
+    //
+    // 2. with recursive predicate, no sanitizer
+    recursiveSuccessor(gr, postgr) and
     succ.asExpr() = postgr
+    // // 3. with recursive predicate, with sanitizer
+    // sanitizerCheckedSuccessor(gr, postgr) and
+    // succ.asExpr() = postgr
   )
 }
 
+predicate foo(VarAccess gr, VarAccess postgr) {
+  exists(DotExpr temp, MethodCallExpr mce |
+    temp.getPropertyName() = "setValue" and
+    mce.getReceiver() = temp.getBase() and
+    gr = mce.getReceiver() and
+    gr.getASuccessor+() = postgr
+  )
+}
+
+predicate foo1(Expr gr, Expr postgr) {
+  exists(DotExpr temp, MethodCallExpr mce |
+    temp.getPropertyName() = "setValue" and
+    mce.getReceiver() = temp.getBase() and
+    gr = mce.getReceiver() and
+    recursiveSuccessor(gr, postgr)
+  )
+}
+
+// Def-Use special handling:
+// Include sanitizer check when flagging successive object member calls in taint step
+predicate recursiveSuccessor(ControlFlowNode gr, ControlFlowNode postgr) {
+  gr.getASuccessor() = postgr
+  or
+  exists(ControlFlowNode p |
+    recursiveSuccessor(gr, p) and
+    p.getASuccessor() = postgr
+  )
+  // The final postgr needs to be a VarAccess for this query, but for the
+  // recursion we need to be able to traverse expressions.
+}
+
 // source 2 to sink flow
 DF::SourceNode grType(DF::TypeTracker t) {
   t.start() and