Merge pull request #7587 from owen-mc/add-default-taint-sanitizer-guard

Dataflow: Add default taint sanitizer guard
2026-04-27 09:45:15 +02:00 · 2022-01-13 14:44:55 +01:00
parent 61490e74d8 7e42ccfbf1
commit c44cf29992
23 changed files with 53 additions and 17 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -118,6 +118,12 @@ private module Cached {
  }
 }

+/**
+ * Holds if `guard` should be a sanitizer guard in all global taint flow configurations
+ * but not in local taint.
+ */
+predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+
 import Cached

 private RefType getElementType(RefType container) {
--- a/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
+    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
  }

  /**
--- a/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {
  predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }

  final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
+    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
  }

  /**