move TypeTestGuard to the Query.qll file

2026-04-30 19:26:02 +02:00 · 2022-04-20 12:01:36 +02:00
parent b1bad271d5
commit 12e60c7a06
2 changed files with 28 additions and 28 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
@@ -137,34 +137,6 @@ module XssThroughDom {
  /** DEPRECATED: Alias for DomTextSource */
  deprecated class DOMTextSource = DomTextSource;

-  /**
-   * A test of form `typeof x === "something"`, preventing `x` from being a string in some cases.
-   *
-   * This sanitizer helps prune infeasible paths in type-overloaded functions.
-   */
-  class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
-    override EqualityTest astNode;
-    Expr operand;
-    boolean polarity;
-
-    TypeTestGuard() {
-      exists(TypeofTag tag | TaintTracking::isTypeofGuard(astNode, operand, tag) |
-        // typeof x === "string" sanitizes `x` when it evaluates to false
-        tag = "string" and
-        polarity = astNode.getPolarity().booleanNot()
-        or
-        // typeof x === "object" sanitizes `x` when it evaluates to true
-        tag != "string" and
-        polarity = astNode.getPolarity()
-      )
-    }
-
-    override predicate sanitizes(boolean outcome, Expr e) {
-      polarity = outcome and
-      e = operand
-    }
-  }
-
  /** The `files` property of an `<input />` element */
  class FilesSource extends Source {
    FilesSource() { this = DOM::domValueRef().getAPropertyRead("files") }
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll
@@ -52,6 +52,34 @@ class Configuration extends TaintTracking::Configuration {
  }
 }

+/**
+ * A test of form `typeof x === "something"`, preventing `x` from being a string in some cases.
+ *
+ * This sanitizer helps prune infeasible paths in type-overloaded functions.
+ */
+class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
+  override EqualityTest astNode;
+  Expr operand;
+  boolean polarity;
+
+  TypeTestGuard() {
+    exists(TypeofTag tag | TaintTracking::isTypeofGuard(astNode, operand, tag) |
+      // typeof x === "string" sanitizes `x` when it evaluates to false
+      tag = "string" and
+      polarity = astNode.getPolarity().booleanNot()
+      or
+      // typeof x === "object" sanitizes `x` when it evaluates to true
+      tag != "string" and
+      polarity = astNode.getPolarity()
+    )
+  }
+
+  override predicate sanitizes(boolean outcome, Expr e) {
+    polarity = outcome and
+    e = operand
+  }
+}
+
 private import semmle.javascript.security.dataflow.Xss::Shared as Shared

 private class PrefixStringSanitizer extends TaintTracking::SanitizerGuardNode,