JS: Add FlowState class to TaintedUrlSuffix

2026-04-27 09:45:15 +02:00 · 2024-12-11 09:47:22 +01:00
parent a53d294d91
commit a8fdd759f9
1 changed files with 49 additions and 2 deletions
--- a/javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffixCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/TaintedUrlSuffixCustomizations.qll
@@ -1,5 +1,5 @@
 /**
- * Provides a flow label for reasoning about URLs with a tainted query and fragment part,
+ * Provides a flow state for reasoning about URLs with a tainted query and fragment part,
 * which we collectively refer to as the "suffix" of the URL.
 */

@@ -7,12 +7,59 @@ import javascript
 private import semmle.javascript.dataflow.internal.DataFlowPrivate as DataFlowPrivate

 /**
- * Provides a flow label for reasoning about URLs with a tainted query and fragment part,
+ * Provides a flow state for reasoning about URLs with a tainted query and fragment part,
 * which we collectively refer to as the "suffix" of the URL.
 */
 module TaintedUrlSuffix {
  private import DataFlow

+  private newtype TFlowState =
+    TTaint() or
+    TTaintedUrlSuffix()
+
+  /**
+   * A flow state with two values, `taint` and `tainted-url-suffix`.
+   *
+   * The `tainted-url-suffix` state represents a URL with a tainted query and fragment part,
+   * which we collectively refer to as the "suffix" of the URL.
+   *
+   * The `taint` state corresponds to ordinary taint.
+   */
+  class FlowState extends TFlowState {
+    /**
+     * Holds if this represents a value that is considered entirely tainted.
+     */
+    predicate isTaint() { this = TTaint() }
+
+    /**
+     * Holds if this represents a URL whose fragment and/or query parts are considered tainted.
+     */
+    predicate isTaintedUrlSuffix() { this = TTaintedUrlSuffix() }
+
+    /** Gets a string representation of this flow state. */
+    string toString() {
+      this.isTaint() and result = "taint"
+      or
+      this.isTaintedUrlSuffix() and result = "tainted-url-suffix"
+    }
+
+    /** DEPRECATED. Gets the corresponding flow label. */
+    deprecated DataFlow::FlowLabel toFlowLabel() {
+      this.isTaint() and result.isTaint()
+      or
+      this.isTaintedUrlSuffix() and result instanceof TaintedUrlSuffixLabel
+    }
+  }
+
+  /** Convenience predicates for working with flow states. */
+  module FlowState {
+    /** Gets the `taint` flow state. */
+    FlowState taint() { result.isTaint() }
+
+    /** Gets the `tainted-url-suffix` flow state. */
+    FlowState taintedUrlSuffix() { result.isTaintedUrlSuffix() }
+  }
+
  /**
   * The flow label representing a URL with a tainted query and fragment part.
   *