JS: Port TaintBarriers test

2025-12-20 10:46:30 +01:00 · 2023-10-06 10:45:57 +02:00
parent e5946bf43b
commit 6c9f4a10ac
3 changed files with 32 additions and 10 deletions
--- a/javascript/ql/test/library-tests/TaintBarriers/ExampleConfiguration.qll
+++ b/javascript/ql/test/library-tests/TaintBarriers/ExampleConfiguration.qll
@@ -6,16 +6,14 @@ StringOps::ConcatenationRoot sinkConcatenation() {
  result.getConstantStringParts().matches("<sink>%</sink>")
 }
-class ExampleConfiguration extends TaintTracking::Configuration {
+module TestConfig implements DataFlow::ConfigSig {
-  ExampleConfiguration() { this = "ExampleConfiguration" }
+  predicate isSource(DataFlow::Node source) {
  override predicate isSource(DataFlow::Node source) {
    source.asExpr().(CallExpr).getCalleeName() = "SOURCE"
    or
    source = sourceVariable()
  }
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
    exists(CallExpr callExpr |
      callExpr.getCalleeName() = "SINK" and
      DataFlow::valueNode(callExpr.getArgument(0)) = sink
@@ -24,19 +22,40 @@ class ExampleConfiguration extends TaintTracking::Configuration {
    sink = sinkConcatenation()
  }
-  override predicate isSanitizerIn(DataFlow::Node node) { node = sourceVariable() }
+  predicate isBarrierIn(DataFlow::Node node) { node = sourceVariable() }
-  override predicate isSanitizerOut(DataFlow::Node node) { node = sinkConcatenation() }
+  predicate isBarrierOut(DataFlow::Node node) { node = sinkConcatenation() }
-  override predicate isSanitizer(DataFlow::Node node) {
+  additional predicate isBarrier1(DataFlow::Node node) {
    exists(CallExpr callExpr |
      callExpr.getCalleeName() = "SANITIZE" and
      DataFlow::valueNode(callExpr.getArgument(0)) = node
    )
  }
  predicate isBarrier(DataFlow::Node node) {
    isBarrier1(node)
    or
    node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
  }
 }
 module TestFlow = TaintTracking::Global<TestConfig>;
 class ExampleConfiguration extends TaintTracking::Configuration {
  ExampleConfiguration() { this = "ExampleConfiguration" }
  override predicate isSource(DataFlow::Node source) { TestConfig::isSource(source) }
  override predicate isSink(DataFlow::Node sink) { TestConfig::isSink(sink) }
  override predicate isSanitizerIn(DataFlow::Node node) { TestConfig::isBarrierIn(node) }
  override predicate isSanitizerOut(DataFlow::Node node) { TestConfig::isBarrierOut(node) }
  override predicate isSanitizer(DataFlow::Node node) { TestConfig::isBarrier1(node) }
  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
    // add additional generic sanitizers
    guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer
  }
 }
--- a/javascript/ql/test/library-tests/TaintBarriers/tests.expected
+++ b/javascript/ql/test/library-tests/TaintBarriers/tests.expected
@@ -1,3 +1,4 @@
 legacyDataFlowDifference
 isBarrier
 isLabeledBarrier
 | ExampleConfiguration | tst.js:6:14:6:14 | v | taint |
--- a/javascript/ql/test/library-tests/TaintBarriers/tests.ql
+++ b/javascript/ql/test/library-tests/TaintBarriers/tests.ql
@@ -16,5 +16,7 @@ query predicate sanitizingGuard(TaintTracking::SanitizerGuardNode g, Expr e, boo
 }
 query predicate taintedSink(DataFlow::Node source, DataFlow::Node sink) {
-  exists(ExampleConfiguration cfg | cfg.hasFlow(source, sink))
+  TestFlow::flow(source, sink)
 }
 import testUtilities.LegacyDataFlowDiff::DataFlowDiff<TestFlow, ExampleConfiguration>