Introduce recursive predicate in prepatation for sanitizer; add guard condition

guard condition: if (ua.safeToWrite())...
2025-12-16 12:03:03 +01:00 · 2023-11-29 20:16:15 -08:00
parent 1bc71c068f
commit 813a53a054
2 changed files with 60 additions and 15 deletions
--- a/sample-utility-0.js
+++ b/sample-utility-0.js
@@ -14,9 +14,15 @@ SampleUtility.prototype = Object.extendsObject(Processor, {
        }
        else {
            ua.next();
-	    ua.setValue('status',value);
+            ua.setValue('status',value); // unsafe
            ua.update();
        }
+
+        if (ua.safeToWrite()) {
+            ua.setValue('status', value); // safe
+            ua.update();
+        }        
+
    },
    
    type: 'SampleUtility'
--- a/session/session1.ql
+++ b/session/session1.ql
@@ -40,11 +40,50 @@ predicate setValueTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    // succ = gr.flow().getASuccessor+() and
    //
    // Using control flow:
-    gr.getASuccessor+() = postgr and
+    // 1. without sanitizer
+    // gr.getASuccessor+() = postgr and
+    // succ.asExpr() = postgr
+    //
+    // 2. with recursive predicate, no sanitizer
+    recursiveSuccessor(gr, postgr) and
    succ.asExpr() = postgr
+    // // 3. with recursive predicate, with sanitizer
+    // sanitizerCheckedSuccessor(gr, postgr) and
+    // succ.asExpr() = postgr
  )
 }

+predicate foo(VarAccess gr, VarAccess postgr) {
+  exists(DotExpr temp, MethodCallExpr mce |
+    temp.getPropertyName() = "setValue" and
+    mce.getReceiver() = temp.getBase() and
+    gr = mce.getReceiver() and
+    gr.getASuccessor+() = postgr
+  )
+}
+
+predicate foo1(Expr gr, Expr postgr) {
+  exists(DotExpr temp, MethodCallExpr mce |
+    temp.getPropertyName() = "setValue" and
+    mce.getReceiver() = temp.getBase() and
+    gr = mce.getReceiver() and
+    recursiveSuccessor(gr, postgr)
+  )
+}
+
+// Def-Use special handling:
+// Include sanitizer check when flagging successive object member calls in taint step
+predicate recursiveSuccessor(ControlFlowNode gr, ControlFlowNode postgr) {
+  gr.getASuccessor() = postgr
+  or
+  exists(ControlFlowNode p |
+    recursiveSuccessor(gr, p) and
+    p.getASuccessor() = postgr
+  )
+  // The final postgr needs to be a VarAccess for this query, but for the
+  // recursion we need to be able to traverse expressions.
+}
+
 // source 2 to sink flow
 DF::SourceNode grType(DF::TypeTracker t) {
  t.start() and