Python: Add StringConstCompare BarrierGuard

python/ql/src/semmle/python/dataflow/new/internal/DataFlowPublic.qll

@@ -355,6 +355,26 @@ class BarrierGuard extends GuardNode {
   }
 }
 
+/** Provides commonly used BarrierGuards */
+module BarrierGuard {
+  /** A validation of unknown node by comparing with a constant string value. */
+  class StringConstCompare extends BarrierGuard, CompareNode {
+    ControlFlowNode checked_node;
+
+    StringConstCompare() {
+      exists(StrConst str_const |
+        this.operands(str_const.getAFlowNode(), any(Eq eq), checked_node)
+        or
+        this.operands(checked_node, any(Eq eq), str_const.getAFlowNode())
+      )
+    }
+
+    override predicate checks(ControlFlowNode node, boolean branch) {
+      node = checked_node and branch = true
+    }
+  }
+}
+
 /**
  * Algebraic datatype for tracking data content associated with values.
  * Content can be collection elements or object attributes.

python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/TestTaint.expected

@@ -1,4 +1,4 @@
-| test_string_eq.py:16 | fail | const_eq_clears_taint | ts |
+| test_string_eq.py:16 | ok   | const_eq_clears_taint | ts |
 | test_string_eq.py:18 | ok   | const_eq_clears_taint | ts |
 | test_string_eq.py:20 | ok   | const_eq_clears_taint | ts |
 | test_string_eq.py:27 | fail | const_eq_clears_taint2 | ts |

python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/TestTaint.ql

@@ -0,0 +1,7 @@
+import experimental.dataflow.tainttracking.TestTaintLib
+
+class CustomSanitizerOverrides extends TestTaintTrackingConfiguration {
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof DataFlow::BarrierGuard::StringConstCompare
+  }
+}

python/ql/test/experimental/dataflow/tainttracking/defaultSanitizer/TestTaint.ql

@@ -1 +0,0 @@
-import experimental.dataflow.tainttracking.TestTaintLib