From 903ff33b0d6fc2c29ba9b9145dfddc94f76ca844 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Mon, 18 Jan 2021 10:51:59 +0000
Subject: [PATCH] Add class for default taint sanitizer guards

This allows us to specify taint sanitizer guards that apply in all configurations.
---
 .../go/dataflow/internal/TaintTrackingUtil.qll | 13 +++++++++++++
 .../internal/tainttracking1/TaintTrackingImpl.qll | 4 +++-
 .../internal/tainttracking2/TaintTrackingImpl.qll | 4 +++-
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/ql/src/semmle/go/dataflow/internal/TaintTrackingUtil.qll b/ql/src/semmle/go/dataflow/internal/TaintTrackingUtil.qll
index 92d12bd3f00..db7b3c23b18 100644
--- a/ql/src/semmle/go/dataflow/internal/TaintTrackingUtil.qll
+++ b/ql/src/semmle/go/dataflow/internal/TaintTrackingUtil.qll
@@ -187,3 +187,16 @@ abstract class DefaultTaintSanitizer extends DataFlow::Node { }
  * but not in local taint.
  */
 predicate isDefaultTaintSanitizer(DataFlow::Node node) { node instanceof DefaultTaintSanitizer }
+
+/**
+ * A sanitizer guard in all global taint flow configurations but not in local taint.
+ */
+abstract class DefaultTaintSanitizerGuard extends DataFlow::BarrierGuard { }
+
+/**
+ * Holds if `guard` should be a sanitizer guard in all global taint flow configurations
+ * but not in local taint.
+ */
+predicate isDefaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) {
+  guard instanceof DefaultTaintSanitizerGuard
+}
diff --git a/ql/src/semmle/go/dataflow/internal/tainttracking1/TaintTrackingImpl.qll b/ql/src/semmle/go/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
index a75f0444f73..37047c63099 100644
--- a/ql/src/semmle/go/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/ql/src/semmle/go/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
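Review bot: The doc comment on the new `DefaultTaintSanitizerGuard` class does not tell an implementer what the subclass has to supply or how wide its effect is, and because this guard is unioned into every global taint configuration, one over-broad subclass silently suppresses results for all of them at once. I would extend the comment with a line such as ` * Subclasses take effect in every global taint-tracking configuration simultaneously, so their guard condition should be conservative; this is the guard-level counterpart of DefaultTaintSanitizer.` The abstract guard contract presumably comes from `DataFlow::BarrierGuard` itself and is not visible in this hunk, so pointing implementers at it in the comment would help. The `isDefaultTaintSanitizerGuard` predicate mirrors `isDefaultTaintSanitizer` directly above it, which is the right shape for the `Configuration` implementations to consume.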
@@ -92,7 +92,9 @@ abstract class Configuration extends DataFlow::Configuration {
   /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
+    isSanitizerGuard(guard) or isDefaultTaintSanitizerGuard(guard)
+  }
 
   /**
    * Holds if the additional taint propagation step from `node1` to `node2`
diff --git a/ql/src/semmle/go/dataflow/internal/tainttracking2/TaintTrackingImpl.qll b/ql/src/semmle/go/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
index a75f0444f73..37047c63099 100644
--- a/ql/src/semmle/go/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/ql/src/semmle/go/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -92,7 +92,9 @@ abstract class Configuration extends DataFlow::Configuration {
   /** Holds if taint propagation through nodes guarded by `guard` is prohibited. */
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
-  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
+  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
+    isSanitizerGuard(guard) or isDefaultTaintSanitizerGuard(guard)
+  }
 
   /**
    * Holds if the additional taint propagation step from `node1` to `node2`
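Review bot: `isBarrierGuard` is `final override` and now unconditionally ors in `isDefaultTaintSanitizerGuard(guard)`, so no `Configuration` subclass can opt out of a default guard, yet nothing on the predicate says so; the identical hunk in tainttracking2/TaintTrackingImpl.qll has the same gap, and the two copies carry the same index hashes, which is worth preserving since these files are expected to stay byte-identical. A comment above the override would make the contract explicit, e.g. `/** Holds for guards from isSanitizerGuard plus every DefaultTaintSanitizerGuard; configurations cannot opt out of the defaults. */`. The enclosing `Configuration` class starts and ends outside the hunk, so I cannot see whether `isBarrier` already unions in `isDefaultTaintSanitizer` the same way; presumably it does, but the two overrides should be checked for parallel structure.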