JS: Use shared barrier guard for falsy check.

2026-04-22 23:35:14 +02:00 · 2025-02-24 12:43:35 +01:00
parent 782b6cfb9a
commit 1af753cd0c
1 changed files with 11 additions and 13 deletions
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
@@ -36,12 +36,16 @@ predicate defaultAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2,
  defaultAdditionalTaintStep(node1, node2) and model = "" // TODO: set model
 }

-bindingset[node]
-pragma[inline_late]
-private BasicBlock getBasicBlockFromSsa2(Ssa2::Node node) {
-  result = node.(Ssa2::ExprNode).getExpr().getBasicBlock()
-  or
-  result = node.(Ssa2::SsaInputNode).getBasicBlock()
+private predicate guardChecksFalsy(
+  Ssa2::SsaDataflowInput::Guard g, Ssa2::SsaDataflowInput::Expr e, boolean outcome
+) {
+  exists(ConditionGuardNode guard |
+    guard.getTest() = g and
+    guard.getOutcome() = outcome and
+    e = g and
+    e instanceof VarAccess and
+    outcome = false
+  )
 }

 /**
@@ -64,13 +68,7 @@ private BasicBlock getBasicBlockFromSsa2(Ssa2::Node node) {
 * ```
 */
 private predicate varAccessBarrier(DataFlow::Node node) {
-  exists(ConditionGuardNode guard, Ssa2::ExprNode nodeFrom, Ssa2::Node nodeTo |
-    guard.getOutcome() = false and
-    guard.getTest().(VarAccess) = nodeFrom.getExpr() and
-    Ssa2::localFlowStep(_, nodeFrom, nodeTo, true) and
-    guard.dominates(getBasicBlockFromSsa2(nodeTo)) and
-    node = getNodeFromSsa2(nodeTo)
-  )
+  getNodeFromSsa2(Ssa2::BarrierGuard<guardChecksFalsy/3>::getABarrierNode()) = node
 }

 /**