JS: Fix FP in js/type-confusion-through-parameter-tampering

javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll

@@ -27,4 +27,32 @@ class Configuration extends DataFlow::Configuration {
   }
 
   override predicate isBarrier(DataFlow::Node node) { node instanceof Barrier }
+
+  override predicate isBarrierGuard(DataFlow::BarrierGuardNode guard) {
+    guard instanceof TypeOfTestBarrier or
+    guard instanceof IsArrayBarrier
+  }
+}
+
+private class TypeOfTestBarrier extends DataFlow::BarrierGuardNode, DataFlow::ValueNode {
+  override EqualityTest astNode;
+  private Expr operand;
+
+  TypeOfTestBarrier() { astNode.getAnOperand().(TypeofExpr).getOperand() = operand }
+
+  override predicate blocks(boolean outcome, Expr e) {
+    e = operand and
+    if astNode.getAnOperand().getStringValue() = ["string", "object"]
+    then outcome = [true, false] // separation between string/array removes type confusion in both branches
+    else outcome = astNode.getPolarity() // block flow to branch where value is neither string nor array
+  }
+}
+
+private class IsArrayBarrier extends DataFlow::BarrierGuardNode, DataFlow::CallNode {
+  IsArrayBarrier() { this = DataFlow::globalVarRef("Array").getAMemberCall("isArray").getACall() }
+
+  override predicate blocks(boolean outcome, Expr e) {
+    e = getArgument(0).asExpr() and
+    outcome = [true, false] // separation between string/array removes type confusion in both branches
+  }
 }