add sanitizer guard for typeof undefined

2026-05-11 01:39:28 +02:00 · 2020-06-04 21:31:59 +02:00
parent ad2d1d531b
commit 815671f5d0
3 changed files with 48 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -827,6 +827,28 @@ module TaintTracking {
    override predicate appliesTo(Configuration cfg) { any() }
  }

+  /** A check of the form `type x === "undefined`, which sanitized `x` in its "then" branch. */
+  class TypeOfCheck extends AdditionalSanitizerGuardNode, DataFlow::ValueNode {
+    Expr x;
+    override EqualityTest astNode;
+
+    TypeOfCheck() {
+      exists(StringLiteral str, TypeofExpr typeof |
+        astNode.hasOperands(str, typeof)
+      |
+        str.getValue() = "undefined" and
+        typeof.getOperand() = x
+      )
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) {
+      outcome = astNode.getPolarity() and
+      e = x
+    }
+
+    override predicate appliesTo(Configuration cfg) { any() }
+  }
+
  /** DEPRECATED. This class has been renamed to `MembershipTestSanitizer`. */
  deprecated class StringInclusionSanitizer = MembershipTestSanitizer;