JS: Add sanitizer for "in" exprs

javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql

@@ -286,6 +286,7 @@ class PropNameTracking extends DataFlow::Configuration {
     node instanceof BlacklistEqualityGuard or
     node instanceof WhitelistEqualityGuard or
     node instanceof HasOwnPropertyGuard or
+    node instanceof InExprGuard or
     node instanceof InstanceOfGuard or
     node instanceof TypeofGuard or
     node instanceof BlacklistInclusionGuard or
@@ -353,6 +354,25 @@ class HasOwnPropertyGuard extends DataFlow::BarrierGuardNode, CallNode {
   }
 }
 
+/**
+ * Sanitizer guard for `key in dst`.
+ *
+ * Since `"__proto__" in obj` and `"constructor" in obj` is true for most objects,
+ * this is seen as a sanitizer for `key` in the false outcome.
+ */
+class InExprGuard extends DataFlow::BarrierGuardNode, DataFlow::ValueNode {
+  override InExpr astNode;
+
+  InExprGuard() {
+    // Exclude tests of form `key in src` for the same reason as in HasOwnPropertyGuard
+    not arePropertiesEnumerated(astNode.getRightOperand().flow().getALocalSource())
+  }
+
+  override predicate blocks(boolean outcome, Expr e) {
+    e = astNode.getLeftOperand() and outcome = false
+  }
+}
+
 /**
  * Sanitizer guard for `instanceof` expressions.
  *

javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility.expected

@@ -815,6 +815,23 @@ nodes
 | PrototypePollutionUtility/tests.js:322:28:322:32 | value |
 | PrototypePollutionUtility/tests.js:322:28:322:32 | value |
 | PrototypePollutionUtility/tests.js:322:28:322:32 | value |
+| PrototypePollutionUtility/tests.js:328:30:328:32 | src |
+| PrototypePollutionUtility/tests.js:328:30:328:32 | src |
+| PrototypePollutionUtility/tests.js:336:42:336:44 | src |
+| PrototypePollutionUtility/tests.js:336:42:336:44 | src |
+| PrototypePollutionUtility/tests.js:336:42:336:49 | src[key] |
+| PrototypePollutionUtility/tests.js:336:42:336:49 | src[key] |
+| PrototypePollutionUtility/tests.js:336:42:336:49 | src[key] |
+| PrototypePollutionUtility/tests.js:336:42:336:49 | src[key] |
+| PrototypePollutionUtility/tests.js:336:42:336:49 | src[key] |
+| PrototypePollutionUtility/tests.js:338:28:338:30 | src |
+| PrototypePollutionUtility/tests.js:338:28:338:30 | src |
+| PrototypePollutionUtility/tests.js:338:28:338:35 | src[key] |
+| PrototypePollutionUtility/tests.js:338:28:338:35 | src[key] |
+| PrototypePollutionUtility/tests.js:338:28:338:35 | src[key] |
+| PrototypePollutionUtility/tests.js:338:28:338:35 | src[key] |
+| PrototypePollutionUtility/tests.js:338:28:338:35 | src[key] |
+| PrototypePollutionUtility/tests.js:338:28:338:35 | src[key] |
 | examples/PrototypePollutionUtility.js:1:16:1:18 | dst |
 | examples/PrototypePollutionUtility.js:1:16:1:18 | dst |
 | examples/PrototypePollutionUtility.js:1:21:1:23 | src |
@@ -1950,6 +1967,23 @@ edges
 | PrototypePollutionUtility/tests.js:320:42:320:44 | key | PrototypePollutionUtility/tests.js:320:38:320:45 | dst[key] |
 | PrototypePollutionUtility/tests.js:320:48:320:52 | value | PrototypePollutionUtility/tests.js:314:36:314:38 | src |
 | PrototypePollutionUtility/tests.js:320:48:320:52 | value | PrototypePollutionUtility/tests.js:314:36:314:38 | src |
+| PrototypePollutionUtility/tests.js:328:30:328:32 | src | PrototypePollutionUtility/tests.js:336:42:336:44 | src |
+| PrototypePollutionUtility/tests.js:328:30:328:32 | src | PrototypePollutionUtility/tests.js:336:42:336:44 | src |
+| PrototypePollutionUtility/tests.js:328:30:328:32 | src | PrototypePollutionUtility/tests.js:338:28:338:30 | src |
+| PrototypePollutionUtility/tests.js:328:30:328:32 | src | PrototypePollutionUtility/tests.js:338:28:338:30 | src |
+| PrototypePollutionUtility/tests.js:336:42:336:44 | src | PrototypePollutionUtility/tests.js:336:42:336:49 | src[key] |
+| PrototypePollutionUtility/tests.js:336:42:336:44 | src | PrototypePollutionUtility/tests.js:336:42:336:49 | src[key] |
+| PrototypePollutionUtility/tests.js:336:42:336:49 | src[key] | PrototypePollutionUtility/tests.js:328:30:328:32 | src |
+| PrototypePollutionUtility/tests.js:336:42:336:49 | src[key] | PrototypePollutionUtility/tests.js:328:30:328:32 | src |
+| PrototypePollutionUtility/tests.js:336:42:336:49 | src[key] | PrototypePollutionUtility/tests.js:328:30:328:32 | src |
+| PrototypePollutionUtility/tests.js:336:42:336:49 | src[key] | PrototypePollutionUtility/tests.js:328:30:328:32 | src |
+| PrototypePollutionUtility/tests.js:336:42:336:49 | src[key] | PrototypePollutionUtility/tests.js:328:30:328:32 | src |
+| PrototypePollutionUtility/tests.js:336:42:336:49 | src[key] | PrototypePollutionUtility/tests.js:328:30:328:32 | src |
+| PrototypePollutionUtility/tests.js:338:28:338:30 | src | PrototypePollutionUtility/tests.js:338:28:338:35 | src[key] |
+| PrototypePollutionUtility/tests.js:338:28:338:30 | src | PrototypePollutionUtility/tests.js:338:28:338:35 | src[key] |
+| PrototypePollutionUtility/tests.js:338:28:338:30 | src | PrototypePollutionUtility/tests.js:338:28:338:35 | src[key] |
+| PrototypePollutionUtility/tests.js:338:28:338:30 | src | PrototypePollutionUtility/tests.js:338:28:338:35 | src[key] |
+| PrototypePollutionUtility/tests.js:338:28:338:35 | src[key] | PrototypePollutionUtility/tests.js:338:28:338:35 | src[key] |
 | examples/PrototypePollutionUtility.js:1:16:1:18 | dst | examples/PrototypePollutionUtility.js:5:19:5:21 | dst |
 | examples/PrototypePollutionUtility.js:1:16:1:18 | dst | examples/PrototypePollutionUtility.js:5:19:5:21 | dst |
 | examples/PrototypePollutionUtility.js:1:16:1:18 | dst | examples/PrototypePollutionUtility.js:7:13:7:15 | dst |

javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility/tests.js

@@ -324,3 +324,19 @@ function mergeRephinementNode(dst, src) {
         }
     }
 }
+
+function mergeSelective(dst, src) {
+    for (let key in src) {
+        if (src.hasOwnProperty(key)) {
+            // Only 'prefs' is merged recursively
+            if (key in dst && key !== 'prefs') {
+                continue;
+            }
+            if (dst[key]) {
+                mergeSelective(dst[key], src[key]);
+            } else {
+                dst[key] = src[key]; // OK
+            }
+        }
+    }
+}