JS: Heuristics

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll

@@ -234,6 +234,15 @@ module TaintTracking {
      * data flow edge, in the URI category.
      */
     predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) { none() }
+
+    /**
+     * Holds if `pred` → `succ` should be considered a taint-propagating
+     * data flow edge, in the heuristic category.
+     *
+     * Note that this set of steps will be empty unless libraries from
+     * `semmle.javascript.heuristics` are explicitly imported.
+     */
+    predicate heuristicStep(DataFlow::Node pred, DataFlow::Node succ) { none() }
   }
 
   /**
@@ -244,6 +253,8 @@ module TaintTracking {
     or
     any(AdditionalTaintStep step).step(pred, succ)
     or
+    any(SharedTaintStep step).heuristicStep(pred, succ)
+    or
     uriStep(pred, succ)
   }
 

javascript/ql/src/semmle/javascript/heuristics/AdditionalTaintSteps.qll

@@ -7,16 +7,24 @@
 import javascript
 
 /**
- * A heuristic additional flow step in a security query.
+ * DEPRECATED.
+ *
+ * The target of a heuristic additional flow step in a security query.
  */
-abstract class HeuristicAdditionalTaintStep extends DataFlow::ValueNode { }
+deprecated class HeuristicAdditionalTaintStep extends DataFlow::Node {
+  HeuristicAdditionalTaintStep() {
+    any(TaintTracking::SharedTaintStep step).heuristicStep(_, this)
+  }
+}
 
 /**
  * A call to `tainted.replace(x, y)` that preserves taint.
  */
-private class HeuristicStringManipulationTaintStep extends HeuristicAdditionalTaintStep,
-  TaintTracking::AdditionalTaintStep, StringReplaceCall {
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    pred = getReceiver() and succ = this
+private class HeuristicStringManipulationTaintStep extends TaintTracking::SharedTaintStep {
+  override predicate heuristicStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(StringReplaceCall call |
+      pred = call.getReceiver() and
+      succ = call
+    )
   }
 }