JS: Port UnsafeHtmlConstruction

2026-04-29 18:55:14 +02:00 · 2023-10-05 09:25:35 +02:00
parent 7f4d42ddcd
commit 6e3f4bd7d8
4 changed files with 150 additions and 253 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -61,6 +61,30 @@ module UnsafeHtmlConstruction {
    abstract string describe();
  }

+  /**
+   * A barrier guard for unsafe HTML constructed from library input vulnerabilities.
+   */
+  abstract class BarrierGuard extends DataFlow::Node {
+    /**
+     * Holds if this node acts as a barrier for data flow, blocking further flow from `e` if `this` evaluates to `outcome`.
+     */
+    predicate blocksExpr(boolean outcome, Expr e) { none() }
+
+    /**
+     * Holds if this node acts as a barrier for `label`, blocking further flow from `e` if `this` evaluates to `outcome`.
+     */
+    predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) { none() }
+  }
+
+  /** A subclass of `BarrierGuard` that is used for backward compatibility with the old data flow library. */
+  abstract class BarrierGuardLegacy extends BarrierGuard, TaintTracking::SanitizerGuardNode {
+    override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+
+    override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      this.blocksExpr(outcome, e, label)
+    }
+  }
+
  /**
   * A sink for `js/html-constructed-from-input` that constructs some HTML where
   * that HTML is later used in `xssSink`.
@@ -176,14 +200,14 @@ module UnsafeHtmlConstruction {
  }

  /** A test for the value of `typeof x`, restricting the potential types of `x`. */
-  class TypeTestGuard extends TaintTracking::LabeledSanitizerGuardNode, DataFlow::ValueNode {
+  class TypeTestGuard extends BarrierGuardLegacy, DataFlow::ValueNode {
    override EqualityTest astNode;
    Expr operand;
    boolean polarity;

    TypeTestGuard() { TaintTracking::isStringTypeGuard(astNode, operand, polarity) }

-    override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel lbl) {
+    override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel lbl) {
      polarity = outcome and
      e = operand and
      lbl.isTaint()
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
@@ -12,7 +12,66 @@ import semmle.javascript.security.TaintedObject
 /**
 * A taint-tracking configuration for reasoning about unsafe HTML constructed from library input vulnerabilities.
 */
-class Configration extends TaintTracking::Configuration {
+module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
+  class FlowState = DataFlow::FlowLabel;
+
+  predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+    source instanceof Source and
+    label = [TaintedObject::label(), DataFlow::FlowLabel::taint(), DataFlow::FlowLabel::data()]
+  }
+
+  predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+    sink instanceof Sink and
+    label = DataFlow::FlowLabel::taint()
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof DomBasedXss::Sanitizer
+    or
+    node instanceof UnsafeJQueryPlugin::Sanitizer
+    or
+    DomBasedXss::isOptionallySanitizedNode(node)
+  }
+
+  predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel label) {
+    TaintTracking::defaultSanitizer(node) and label.isTaint()
+    or
+    node = DataFlow::MakeLabeledBarrierGuard<BarrierGuard>::getABarrierNode(label)
+  }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node pred, DataFlow::FlowLabel inlbl, DataFlow::Node succ, DataFlow::FlowLabel outlbl
+  ) {
+    // TODO: localFieldStep is too expensive with dataflow2
+    // DataFlow::localFieldStep(pred, succ) and
+    // inlbl.isTaint() and
+    // outlbl.isTaint()
+    none()
+    or
+    TaintedObject::step(pred, succ, inlbl, outlbl)
+    or
+    // property read from a tainted object is considered tainted
+    succ.(DataFlow::PropRead).getBase() = pred and
+    inlbl = TaintedObject::label() and
+    outlbl = DataFlow::FlowLabel::taint()
+    or
+    TaintTracking::defaultTaintStep(pred, succ) and
+    inlbl.isTaint() and
+    outlbl = inlbl
+  }
+
+  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+}
+
+/**
+ * Taint-tracking for reasoning about unsafe HTML constructed from library input vulnerabilities.
+ */
+module UnsafeHtmlConstructionFlow = DataFlow::GlobalWithState<UnsafeHtmlConstructionConfig>;
+
+/**
+ * DEPRECATED. Use the `UnsafeHtmlConstructionFlow` module instead.
+ */
+deprecated class Configration extends TaintTracking::Configuration {
  Configration() { this = "UnsafeHtmlConstruction" }

  override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
@@ -65,11 +124,10 @@ class Configration extends TaintTracking::Configuration {

 private import semmle.javascript.security.dataflow.Xss::Shared as Shared

-private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::QuoteGuard {
+private class QuoteGuard extends Shared::QuoteGuard {
  QuoteGuard() { this = this }
 }

-private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard
-{
+private class ContainsHtmlGuard extends Shared::ContainsHtmlGuard {
  ContainsHtmlGuard() { this = this }
 }