Merge branch 'master' of git.semmle.com:Semmle/ql into CVE74

2025-12-24 04:36:35 +01:00 · 2020-02-20 12:19:32 +01:00
parent 63036aa444 f6af5da7f7
commit 03e295ef11
9 changed files with 810 additions and 754 deletions
--- a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
+++ b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
@@ -188,12 +188,7 @@ class PropNameTracking extends DataFlow::Configuration {
  override predicate isBarrier(DataFlow::Node node) {
    super.isBarrier(node)
    or
-    exists(ConditionGuardNode guard, SsaRefinementNode refinement |
-      node = DataFlow::ssaDefinitionNode(refinement) and
-      refinement.getGuard() = guard and
-      guard.getTest() instanceof VarAccess and
-      guard.getOutcome() = false
-    )
+    node instanceof DataFlow::VarAccessBarrier
  }

  override predicate isBarrierGuard(DataFlow::BarrierGuardNode node) {
--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -1480,3 +1480,18 @@ private class AdditionalBarrierGuardCall extends AdditionalBarrierGuardNode, Dat

  override predicate appliesTo(Configuration cfg) { f.appliesTo(cfg) }
 }
+
+/**
+  * A guard node for a variable in a negative condition, such as `x` in `if(!x)`.
+  * Can be added to a `isBarrier` in a data-flow configuration to block flow through such checks.
+  */
+class VarAccessBarrier extends DataFlow::Node {
+  VarAccessBarrier() {
+    exists(ConditionGuardNode guard, SsaRefinementNode refinement |
+      this = DataFlow::ssaDefinitionNode(refinement) and
+      refinement.getGuard() = guard and
+      guard.getTest() instanceof VarAccess and
+      guard.getOutcome() = false
+    )
+  }
+}
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -89,7 +89,8 @@ module TaintTracking {

    final override predicate isBarrier(DataFlow::Node node) {
      super.isBarrier(node) or
-      isSanitizer(node)
+      isSanitizer(node) or
+      node instanceof DataFlow::VarAccessBarrier
    }

    final override predicate isBarrierEdge(DataFlow::Node source, DataFlow::Node sink) {
--- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -364,6 +364,11 @@ module TaintedPath {
    }
  }

+  /**
+   * A guard node for a variable in a negative condition, such as `x` in `if(!x)`.
+   */
+  private class VarAccessBarrier extends Sanitizer, DataFlow::VarAccessBarrier { }
+
  /**
   * A source of remote user input, considered as a flow source for
   * tainted-path vulnerabilities.