JS: Replace sanitizing prefix edge with node

2026-04-24 16:25:15 +02:00 · 2023-07-11 14:48:13 +02:00
parent 944a2ca825
commit 094302a27b
5 changed files with 6 additions and 14 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
@@ -31,9 +31,7 @@ class Configuration extends TaintTracking::Configuration {
    node instanceof Sanitizer
  }

-  override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {
-    sanitizingPrefixEdge(source, sink)
-  }
+  override predicate isSanitizerOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }

  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    isAdditionalRequestForgeryStep(pred, succ)
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
@@ -33,9 +33,7 @@ class Configuration extends TaintTracking::Configuration {
    node instanceof Sanitizer
  }

-  override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {
-    hostnameSanitizingPrefixEdge(source, sink)
-  }
+  override predicate isSanitizerOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) }

  override predicate isAdditionalFlowStep(
    DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel f, DataFlow::FlowLabel g
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
@@ -26,9 +26,7 @@ class Configuration extends TaintTracking::Configuration {
    node instanceof Sanitizer
  }

-  override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {
-    sanitizingPrefixEdge(source, sink)
-  }
+  override predicate isSanitizerOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }

  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    isAdditionalRequestForgeryStep(pred, succ)
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll
@@ -27,9 +27,7 @@ class Configuration extends TaintTracking::Configuration {
    node instanceof Sanitizer
  }

-  override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {
-    hostnameSanitizingPrefixEdge(source, sink)
-  }
+  override predicate isSanitizerOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) }

  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
    guard instanceof LocalUrlSanitizingGuard or
--- a/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll
+++ b/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll
@@ -29,8 +29,8 @@ class Configuration extends TaintTracking::Configuration {
    )
  }

-  override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {
-    this.strictSanitizingPrefixEdge(source, sink)
+  override predicate isSanitizerOut(DataFlow::Node node) {
+    this.strictSanitizingPrefixEdge(node, _)
  }

  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode nd) {