hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 12:46:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

JS: Update barriers in TaintedObject

Browse Source
This commit is contained in:
Asger F
2023-10-04 21:59:08 +02:00
parent bc68b6a7f8
commit aa5a2836f5
1 changed files with 21 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
javascript/ql/lib/semmle/javascript/security/TaintedObject.qll
View File

@@ -81,7 +81,24 @@ module TaintedObject {
/**
* A sanitizer guard that blocks deep object taint.
*/
abstract class SanitizerGuard extends TaintTracking::LabeledSanitizerGuardNode { }
abstract class SanitizerGuard extends TaintTracking::LabeledSanitizerGuardNode {
/** Holds if this node blocks flow through `e`, provided it evaluates to `outcome`. */
predicate blocksExpr(boolean outcome, Expr e) { none() }
/** Holds if this node blocks flow of `label` through `e`, provided it evaluates to `outcome`. */
predicate blocksExpr(boolean outcome, Expr e, FlowLabel label) { none() }
override predicate sanitizes(boolean outcome, Expr e, FlowLabel label) {
this.blocksExpr(outcome, e, label)
}
override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
}
/**
* A sanitizer guard that blocks deep object taint.
*/
module SanitizerGuard = DataFlow::MakeLabeledBarrierGuard<SanitizerGuard>;
/**
* A test of form `typeof x === "something"`, preventing `x` from being an object in some cases.
@@ -103,7 +120,7 @@ module TaintedObject {
)
}
override predicate sanitizes(boolean outcome, Expr e, FlowLabel label) {
override predicate blocksExpr(boolean outcome, Expr e, FlowLabel label) {
polarity = outcome and
e = operand and
label = label()
@@ -117,7 +134,7 @@ module TaintedObject {
NumberGuard() { TaintTracking::isNumberGuard(this, x, polarity) }
override predicate sanitizes(boolean outcome, Expr e) { e = x and outcome = polarity }
override predicate blocksExpr(boolean outcome, Expr e) { e = x and outcome = polarity }
}
/** A guard that checks whether an input a valid string identifier using `mongoose.Types.ObjectId.isValid` */
@@ -145,7 +162,7 @@ module TaintedObject {
JsonSchemaValidationGuard() { this = call.getAValidationResultAccess(polarity) }
override predicate sanitizes(boolean outcome, Expr e, FlowLabel label) {
override predicate blocksExpr(boolean outcome, Expr e, FlowLabel label) {
outcome = polarity and
e = call.getInput().asExpr() and
label = label()