move the if(!x) from DataFLow to TaintTracking

2025-12-24 04:36:35 +01:00 · 2020-02-06 15:44:22 +01:00
parent 1f7dda7fbc
commit ade93e66e1
4 changed files with 24 additions and 6 deletions
--- a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
+++ b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
@@ -356,7 +356,8 @@ class PropNameTracking extends DataFlow::Configuration {
    node instanceof InstanceOfGuard or
    node instanceof TypeofGuard or
    node instanceof BlacklistInclusionGuard or
-    node instanceof WhitelistInclusionGuard
+    node instanceof WhitelistInclusionGuard or
+    node instanceof DataFlow::VarAccessBarrierGuard
  }
 }

--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -1481,8 +1481,11 @@ private class AdditionalBarrierGuardCall extends AdditionalBarrierGuardNode, Dat
  override predicate appliesTo(Configuration cfg) { f.appliesTo(cfg) }
 }

-/** A check of the `if(x)`, which sanitizes `x` in its "else" branch. */
-private class VarAccessBarrierGuard extends AdditionalBarrierGuardNode, DataFlow::Node {
+/**
+  * A check of the `if(x)`, which sanitizes `x` in its "else" branch. 
+  * Can be added to a `isBarrierGuard` in a configuration to add the sanitization. 
+  */
+class VarAccessBarrierGuard extends BarrierGuardNode, DataFlow::Node {
  VarAccess var;

  VarAccessBarrierGuard() {
@@ -1492,6 +1495,4 @@ private class VarAccessBarrierGuard extends AdditionalBarrierGuardNode, DataFlow
  override predicate blocks(boolean outcome, Expr e) {
    var = e and outcome = false
  }
-
-  override predicate appliesTo(Configuration cfg) { any() }
 }
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -914,4 +914,19 @@ module TaintTracking {
    DataFlow::localFlowStep(pred, succ) or
    any(AdditionalTaintStep s).step(pred, succ)
  }
+
+  /** A check of the form `if(x)`, which sanitizes `x` in its "else" branch. */
+  private class VarAccessBarrierGuard extends AdditionalSanitizerGuardNode, DataFlow::Node {
+    DataFlow::VarAccessBarrierGuard guard;
+
+    VarAccessBarrierGuard() {
+      this = guard
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) {
+      guard.blocks(outcome, e)
+    }
+
+    override predicate appliesTo(Configuration cfg) { any() }
+  }
 }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
@@ -35,7 +35,8 @@ module TaintedPath {
      guard instanceof StartsWithDotDotSanitizer or
      guard instanceof StartsWithDirSanitizer or
      guard instanceof IsAbsoluteSanitizer or
-      guard instanceof ContainsDotDotSanitizer
+      guard instanceof ContainsDotDotSanitizer or
+      guard instanceof DataFlow::VarAccessBarrierGuard
    }

    override predicate isAdditionalFlowStep(