JS: Port TaintBarriers test

Asger F
2023-10-06 10:45:57 +02:00
parent e5946bf43b
commit 6c9f4a10ac
3 changed files with 32 additions and 10 deletions


@@ -6,16 +6,14 @@ StringOps::ConcatenationRoot sinkConcatenation() {
result.getConstantStringParts().matches("<sink>%</sink>")
}
class ExampleConfiguration extends TaintTracking::Configuration {
ExampleConfiguration() { this = "ExampleConfiguration" }
override predicate isSource(DataFlow::Node source) {
module TestConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source.asExpr().(CallExpr).getCalleeName() = "SOURCE"
or
source = sourceVariable()
}
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
exists(CallExpr callExpr |
callExpr.getCalleeName() = "SINK" and
DataFlow::valueNode(callExpr.getArgument(0)) = sink
@@ -24,19 +22,40 @@ class ExampleConfiguration extends TaintTracking::Configuration {
sink = sinkConcatenation()
}
override predicate isSanitizerIn(DataFlow::Node node) { node = sourceVariable() }
predicate isBarrierIn(DataFlow::Node node) { node = sourceVariable() }
override predicate isSanitizerOut(DataFlow::Node node) { node = sinkConcatenation() }
predicate isBarrierOut(DataFlow::Node node) { node = sinkConcatenation() }
override predicate isSanitizer(DataFlow::Node node) {
additional predicate isBarrier1(DataFlow::Node node) {
exists(CallExpr callExpr |
callExpr.getCalleeName() = "SANITIZE" and
DataFlow::valueNode(callExpr.getArgument(0)) = node
)
}
predicate isBarrier(DataFlow::Node node) {
isBarrier1(node)
or
node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
}
}
module TestFlow = TaintTracking::Global<TestConfig>;
class ExampleConfiguration extends TaintTracking::Configuration {
ExampleConfiguration() { this = "ExampleConfiguration" }
override predicate isSource(DataFlow::Node source) { TestConfig::isSource(source) }
override predicate isSink(DataFlow::Node sink) { TestConfig::isSink(sink) }
override predicate isSanitizerIn(DataFlow::Node node) { TestConfig::isBarrierIn(node) }
override predicate isSanitizerOut(DataFlow::Node node) { TestConfig::isBarrierOut(node) }
override predicate isSanitizer(DataFlow::Node node) { TestConfig::isBarrier1(node) }
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
// add additional generic sanitizers
guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer
}
}
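Review bot: The new `additional predicate isBarrier1` in `TestConfig` has no QLDoc, and its name does not say why it is split out of `isBarrier`; reading the legacy `ExampleConfiguration` below, it appears to be the part shared with `isSanitizer`, while `isBarrier` additionally folds in `AdHocWhitelistCheckSanitizer::getABarrierNode()`. A short QLDoc would make that explicit, e.g. `/** Holds if node is the argument of a SANITIZE call; kept separate so the legacy ExampleConfiguration.isSanitizer can reuse it. */`. The two configurations also apply the ad-hoc whitelist check differently — as barrier nodes in `TestConfig::isBarrier` versus as a `SanitizerGuardNode` in `isSanitizerGuard` — and the only comment about it, `// add additional generic sanitizers`, survives only in the legacy class; a matching comment on `isBarrier` noting that this is the node-based counterpart, and that any discrepancy between the two is expected to show up in `legacyDataFlowDifference`, would help the next reader (the extra `legacyDataFlowDifference` row added in the expected-output file of this commit looks like exactly such a discrepancy, though I cannot confirm that from the page). The `isSink` body is cut by the boundary between the section's two hunks.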


@@ -1,3 +1,4 @@
legacyDataFlowDifference
isBarrier
isLabeledBarrier
| ExampleConfiguration | tst.js:6:14:6:14 | v | taint |


@@ -16,5 +16,7 @@ query predicate sanitizingGuard(TaintTracking::SanitizerGuardNode g, Expr e, boo
}
query predicate taintedSink(DataFlow::Node source, DataFlow::Node sink) {
exists(ExampleConfiguration cfg | cfg.hasFlow(source, sink))
TestFlow::flow(source, sink)
}
import testUtilities.LegacyDataFlowDiff::DataFlowDiff<TestFlow, ExampleConfiguration>
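Review bot: `taintedSink` now reports `TestFlow::flow(source, sink)` while `sanitizingGuard` (whose body starts outside this hunk) still takes a legacy `TaintTracking::SanitizerGuardNode`, so the query file mixes the new and legacy APIs without saying so. A QLDoc on `taintedSink`, e.g. `/** Holds if taint flows from source to sink under TestFlow; the legacy ExampleConfiguration is exercised only through the DataFlowDiff import below. */`, would record that the legacy configuration is now reached solely via the `DataFlowDiff<TestFlow, ExampleConfiguration>` import at the end of the file. If `sanitizingGuard` is meant to be ported in a follow-up, a one-line comment on it saying so would also help.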