JS: add ad hoc whitelist checks as sanitizers

Esben Sparre Andreasen
2018-09-24 11:17:35 +02:00
parent 89f2dbf8db
commit 42fc28bc55
5 changed files with 41 additions and 0 deletions


@@ -625,6 +625,28 @@ module TaintTracking {
}
/**
* A check of the form `if(<isWhitelisted>(x))`, which sanitizes `x` in its "then" branch.
*
* `<isWhitelisted>` is a call with callee name 'safe', 'whitelist', 'allow', or similar.
*/
private class AdHocWhitelistCheckSanitizer extends AdditionalSanitizerGuardNode, DataFlow::CallNode {
AdHocWhitelistCheckSanitizer() {
getCalleeName().regexpMatch("(?i).*(safe|whitelist|allow|auth).*") and
getNumArgument() = 1
}
override predicate sanitizes(boolean outcome, Expr e) {
outcome = true and
e = getArgument(0).asExpr()
}
override predicate appliesTo(Configuration cfg) {
any()
}
}
/** A check of the form `if(x in o)`, which sanitizes `x` in its "then" branch. */
class InSanitizer extends AdditionalSanitizerGuardNode, DataFlow::ValueNode {
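Review bot: The callee-name pattern in the `AdHocWhitelistCheckSanitizer` characteristic predicate matches bare substrings, so one-argument calls named like `isUnsafe`, `disallow`, `unauthorized` or `getAuthor` also qualify as whitelist checks and mark their argument as sanitized in the "then" branch. Since `appliesTo` holds for every configuration, such a guard would presumably suppress real flows in all taint-tracking queries that consume these guards, so the false-negative cost deserves a tighter match. One option is an extra conjunct that excludes the negated forms, `not getCalleeName().regexpMatch("(?i).*(unsafe|disallow|unauth).*") and`; the `auth` alternative will still match `author`-style names unless it is narrowed further. The doc comment lists 'safe', 'whitelist' and 'allow' but not `auth`, which the pattern also accepts, so it should name that alternative too.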