JS: Update TaintTracking test

2026-05-03 12:45:27 +02:00 · 2023-10-06 15:12:18 +02:00
parent b5ad36686e
commit 2eff07f476
20 changed files with 598 additions and 157 deletions
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.ql
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.ql
@@ -1,5 +1,6 @@
 import javascript
 import semmle.javascript.dataflow.InferredTypes
+import testUtilities.ConsistencyChecking

 DataFlow::CallNode getACall(string name) {
  result.getCalleeName() = name
@@ -7,53 +8,53 @@ DataFlow::CallNode getACall(string name) {
  result.getCalleeNode().getALocalSource() = DataFlow::globalVarRef(name)
 }

-class Sink extends DataFlow::Node {
-  Sink() { this = getACall("sink").getAnArgument() }
-}
+module TestConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node = getACall("source") }

-/**
- * A node that shouldn't be taintable according to the type inference,
- * as it claims to be neither an object nor a string.
- */
-class UntaintableNode extends DataFlow::Node {
-  UntaintableNode() {
-    not this.analyze().getAType() = TTObject() and
-    not this.analyze().getAType() = TTString()
+  predicate isSink(DataFlow::Node node) { node = getACall("sink").getAnArgument() }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node.(DataFlow::InvokeNode).getCalleeName().matches("sanitizer_%") or
+    node = DataFlow::MakeBarrierGuard<BasicSanitizerGuard>::getABarrierNode() or
+    node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
  }
 }

-class BasicConfig extends TaintTracking::Configuration {
-  BasicConfig() { this = "BasicConfig" }
+module TestFlow = TaintTracking::Global<TestConfig>;

-  override predicate isSource(DataFlow::Node node) { node = getACall("source") }
+class LegacyConfig extends TaintTracking::Configuration {
+  LegacyConfig() { this = "LegacyConfig" }

-  override predicate isSink(DataFlow::Node node) {
-    node instanceof Sink
-    or
-    node instanceof UntaintableNode
-  }
+  override predicate isSource(DataFlow::Node node) { TestConfig::isSource(node) }
+
+  override predicate isSink(DataFlow::Node node) { TestConfig::isSink(node) }

  override predicate isSanitizer(DataFlow::Node node) {
    node.(DataFlow::InvokeNode).getCalleeName().matches("sanitizer_%")
  }

  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) {
-    node instanceof BasicSanitizerGuard
+    node instanceof BasicSanitizerGuard or
+    node instanceof TaintTracking::AdHocWhitelistCheckSanitizer
  }
 }

+import testUtilities.LegacyDataFlowDiff::DataFlowDiff<TestFlow, LegacyConfig>
+
 class BasicSanitizerGuard extends TaintTracking::SanitizerGuardNode, DataFlow::CallNode {
  BasicSanitizerGuard() { this = getACall("isSafe") }

-  override predicate sanitizes(boolean outcome, Expr e) {
+  override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+
+  predicate blocksExpr(boolean outcome, Expr e) {
    outcome = true and e = this.getArgument(0).asExpr()
  }
 }

-query predicate typeInferenceMismatch(DataFlow::Node source, UntaintableNode sink) {
-  any(BasicConfig cfg).hasFlow(source, sink)
-}
+query predicate flow = TestFlow::flow/2;

-from BasicConfig cfg, DataFlow::Node src, Sink sink
-where cfg.hasFlow(src, sink)
-select src, sink
+class Consistency extends ConsistencyConfiguration {
+  Consistency() { this = "Consistency" }
+
+  override DataFlow::Node getAnAlert() { TestFlow::flowTo(result) }
+}