JS: Migrate LoopBoundInjection

2026-04-26 17:25:19 +02:00 · 2024-12-12 13:08:00 +01:00
parent daddff0dc6
commit 8e8de5cf23
2 changed files with 20 additions and 19 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionCustomizations.qll
@@ -8,6 +8,7 @@ import javascript

 module LoopBoundInjection {
  import semmle.javascript.security.TaintedObject
+  import semmle.javascript.security.CommonFlowState

  /**
   * Holds if an exception will be thrown whenever `e` evaluates to `undefined` or `null`.
@@ -176,16 +177,16 @@ module LoopBoundInjection {
    predicate blocksExpr(boolean outcome, Expr e) { none() }

    /**
-     * Holds if this node acts as a barrier for `label`, blocking further flow from `e` if `this` evaluates to `outcome`.
+     * Holds if this node acts as a barrier for `state`, blocking further flow from `e` if `this` evaluates to `outcome`.
     */
-    predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) { none() }
+    predicate blocksExpr(boolean outcome, Expr e, FlowState state) { none() }

    /** DEPRECATED. Use `blocksExpr` instead. */
    deprecated predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }

    /** DEPRECATED. Use `blocksExpr` instead. */
    deprecated predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
-      this.blocksExpr(outcome, e, label)
+      this.blocksExpr(outcome, e, FlowState::fromFlowLabel(label))
    }
  }

@@ -214,10 +215,10 @@ module LoopBoundInjection {

    IsArraySanitizerGuard() { astNode.getCalleeName() = "isArray" }

-    override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+    override predicate blocksExpr(boolean outcome, Expr e, FlowState state) {
      true = outcome and
      e = astNode.getAnArgument() and
-      label = TaintedObject::label()
+      state.isTaintedObject()
    }
  }

@@ -232,10 +233,10 @@ module LoopBoundInjection {
      DataFlow::globalVarRef("Array").flowsToExpr(astNode.getRightOperand())
    }

-    override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+    override predicate blocksExpr(boolean outcome, Expr e, FlowState state) {
      true = outcome and
      e = astNode.getLeftOperand() and
-      label = TaintedObject::label()
+      state.isTaintedObject()
    }
  }

@@ -253,10 +254,10 @@ module LoopBoundInjection {
      propRead.getPropertyName() = "length"
    }

-    override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+    override predicate blocksExpr(boolean outcome, Expr e, FlowState state) {
      false = outcome and
      e = propRead.getBase().asExpr() and
-      label = TaintedObject::label()
+      state.isTaintedObject()
    }
  }
 }
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll
@@ -14,29 +14,29 @@ import LoopBoundInjectionCustomizations::LoopBoundInjection
 * A taint tracking configuration for reasoning about looping on tainted objects with unbounded length.
 */
 module LoopBoundInjectionConfig implements DataFlow::StateConfigSig {
-  class FlowState = DataFlow::FlowLabel;
+  import semmle.javascript.security.CommonFlowState

-  predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-    source instanceof Source and label = TaintedObject::label()
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    source instanceof Source and state.isTaintedObject()
  }

-  predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-    sink instanceof Sink and label = TaintedObject::label()
+  predicate isSink(DataFlow::Node sink, FlowState state) {
+    sink instanceof Sink and state.isTaintedObject()
  }

  predicate isBarrier(DataFlow::Node node) {
    node = DataFlow::MakeBarrierGuard<BarrierGuard>::getABarrierNode()
  }

-  predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel label) {
-    node = DataFlow::MakeLabeledBarrierGuard<BarrierGuard>::getABarrierNode(label) or
-    node = TaintedObject::SanitizerGuard::getABarrierNode(label)
+  predicate isBarrier(DataFlow::Node node, FlowState state) {
+    node = DataFlow::MakeStateBarrierGuard<FlowState, BarrierGuard>::getABarrierNode(state) or
+    node = TaintedObject::SanitizerGuard::getABarrierNode(state)
  }

  predicate isAdditionalFlowStep(
-    DataFlow::Node src, DataFlow::FlowLabel inlbl, DataFlow::Node trg, DataFlow::FlowLabel outlbl
+    DataFlow::Node src, FlowState inlbl, DataFlow::Node trg, FlowState outlbl
  ) {
-    TaintedObject::step(src, trg, inlbl, outlbl)
+    TaintedObject::isAdditionalFlowStep(src, inlbl, trg, outlbl)
  }
 }