Merge pull request #13719 from asgerf/js/barrier-inout

JS: Replace barrier edges with barrier nodes

javascript/ql/test/library-tests/InterProceduralFlow/DataFlowConfig.qll

@@ -22,10 +22,7 @@ class TestDataFlowConfiguration extends DataFlow::Configuration {
       f.getName().matches("%noReturnTracking%") and
       node = f.getAReturnedExpr().flow()
     )
-  }
-
-  override predicate isBarrierEdge(DataFlow::Node src, DataFlow::Node snk) {
-    src = src and
-    snk.asExpr().(PropAccess).getPropertyName() = "notTracked"
+    or
+    node.asExpr().(PropAccess).getPropertyName() = "notTracked"
   }
 }

javascript/ql/test/library-tests/InterProceduralFlow/tests.ql

@@ -61,11 +61,8 @@ class TestTaintTrackingConfiguration extends TaintTracking::Configuration {
       f.getName().matches("%noReturnTracking%") and
       node = f.getAReturnedExpr().flow()
     )
-  }
-
-  override predicate isSanitizerEdge(DataFlow::Node src, DataFlow::Node snk) {
-    src = src and
-    snk.asExpr().(PropAccess).getPropertyName() = "notTracked"
+    or
+    node.asExpr().(PropAccess).getPropertyName() = "notTracked"
   }
 }
 
@@ -99,11 +96,8 @@ class GermanFlowConfig extends DataFlow::Configuration {
       f.getName().matches("%noReturnTracking%") and
       node = f.getAReturnedExpr().flow()
     )
-  }
-
-  override predicate isBarrierEdge(DataFlow::Node src, DataFlow::Node snk) {
-    src = src and
-    snk.asExpr().(PropAccess).getPropertyName() = "notTracked"
+    or
+    node.asExpr().(PropAccess).getPropertyName() = "notTracked"
   }
 }
 

javascript/ql/test/library-tests/TaintBarriers/ExampleConfiguration.qll

@@ -1,10 +1,18 @@
 import javascript
 
+DataFlow::Node sourceVariable() { result.asExpr().(VarRef).getName() = "sourceVariable" }
+
+StringOps::ConcatenationRoot sinkConcatenation() {
+  result.getConstantStringParts().matches("<sink>%</sink>")
+}
+
 class ExampleConfiguration extends TaintTracking::Configuration {
   ExampleConfiguration() { this = "ExampleConfiguration" }
 
   override predicate isSource(DataFlow::Node source) {
     source.asExpr().(CallExpr).getCalleeName() = "SOURCE"
+    or
+    source = sourceVariable()
   }
 
   override predicate isSink(DataFlow::Node sink) {
@@ -12,8 +20,14 @@ class ExampleConfiguration extends TaintTracking::Configuration {
       callExpr.getCalleeName() = "SINK" and
       DataFlow::valueNode(callExpr.getArgument(0)) = sink
     )
+    or
+    sink = sinkConcatenation()
   }
 
+  override predicate isSanitizerIn(DataFlow::Node node) { node = sourceVariable() }
+
+  override predicate isSanitizerOut(DataFlow::Node node) { node = sinkConcatenation() }
+
   override predicate isSanitizer(DataFlow::Node node) {
     exists(CallExpr callExpr |
       callExpr.getCalleeName() = "SANITIZE" and

javascript/ql/test/library-tests/TaintBarriers/sanitizer-in-out.js

@@ -0,0 +1,18 @@
+import 'dummy';
+
+function barrierIn() {
+    var sourceVariable = 123;
+    SINK(sourceVariable); // NOT OK
+
+    flowWithSourceParam(sourceVariable);
+}
+
+function barrierInParameter(sourceVariable) {
+    SINK(sourceVariable); // NOT OK, but only report the parameter as the source
+}
+
+function barrierOut() {
+    let taint = SOURCE();
+    taint = "<sink>" + taint + "</sink>"; // NOT OK
+    taint = "<sink>" + taint + "</sink>"; // OK - only report first instance
+}

javascript/ql/test/library-tests/TaintBarriers/tests.expected

@@ -133,6 +133,9 @@ sanitizingGuard
 | tst.js:399:16:399:41 | o.hasOw ... "p.q"]) | tst.js:399:33:399:40 | v["p.q"] | true |
 | tst.js:401:16:401:34 | Object.hasOwn(o, v) | tst.js:401:33:401:33 | v | true |
 taintedSink
+| sanitizer-in-out.js:5:10:5:23 | sourceVariable | sanitizer-in-out.js:5:10:5:23 | sourceVariable |
+| sanitizer-in-out.js:11:10:11:23 | sourceVariable | sanitizer-in-out.js:11:10:11:23 | sourceVariable |
+| sanitizer-in-out.js:15:17:15:24 | SOURCE() | sanitizer-in-out.js:16:13:16:40 | "<sink> ... /sink>" |
 | tst.js:2:13:2:20 | SOURCE() | tst.js:3:10:3:10 | v |
 | tst.js:2:13:2:20 | SOURCE() | tst.js:8:14:8:14 | v |
 | tst.js:2:13:2:20 | SOURCE() | tst.js:12:14:12:14 | v |

javascript/ql/test/query-tests/Security/CWE-312/BuildArtifactLeak.expected

@@ -9,12 +9,15 @@ nodes
 | build-leaks.js:14:18:14:20 | env |
 | build-leaks.js:15:24:15:34 | process.env |
 | build-leaks.js:15:24:15:34 | process.env |
+| build-leaks.js:15:24:15:39 | process.env[key] |
 | build-leaks.js:16:20:16:22 | env |
 | build-leaks.js:21:11:26:5 | stringifed |
 | build-leaks.js:21:24:26:5 | {\\n      ... )\\n    } |
 | build-leaks.js:22:24:25:14 | Object. ...  }, {}) |
 | build-leaks.js:22:49:22:51 | env |
+| build-leaks.js:23:24:23:47 | JSON.st ... w[key]) |
 | build-leaks.js:23:39:23:41 | raw |
+| build-leaks.js:23:39:23:46 | raw[key] |
 | build-leaks.js:24:20:24:22 | env |
 | build-leaks.js:30:22:30:31 | stringifed |
 | build-leaks.js:34:26:34:57 | getEnv( ... ngified |
@@ -36,13 +39,19 @@ edges
 | build-leaks.js:14:18:14:20 | env | build-leaks.js:16:20:16:22 | env |
 | build-leaks.js:15:24:15:34 | process.env | build-leaks.js:14:18:14:20 | env |
 | build-leaks.js:15:24:15:34 | process.env | build-leaks.js:14:18:14:20 | env |
+| build-leaks.js:15:24:15:34 | process.env | build-leaks.js:15:24:15:39 | process.env[key] |
+| build-leaks.js:15:24:15:34 | process.env | build-leaks.js:15:24:15:39 | process.env[key] |
+| build-leaks.js:15:24:15:39 | process.env[key] | build-leaks.js:14:18:14:20 | env |
 | build-leaks.js:16:20:16:22 | env | build-leaks.js:13:17:19:10 | Object. ...      }) |
 | build-leaks.js:16:20:16:22 | env | build-leaks.js:14:18:14:20 | env |
 | build-leaks.js:21:11:26:5 | stringifed | build-leaks.js:30:22:30:31 | stringifed |
 | build-leaks.js:21:24:26:5 | {\\n      ... )\\n    } | build-leaks.js:21:11:26:5 | stringifed |
 | build-leaks.js:22:24:25:14 | Object. ...  }, {}) | build-leaks.js:21:24:26:5 | {\\n      ... )\\n    } |
 | build-leaks.js:22:49:22:51 | env | build-leaks.js:24:20:24:22 | env |
+| build-leaks.js:23:24:23:47 | JSON.st ... w[key]) | build-leaks.js:22:49:22:51 | env |
 | build-leaks.js:23:39:23:41 | raw | build-leaks.js:22:49:22:51 | env |
+| build-leaks.js:23:39:23:41 | raw | build-leaks.js:23:39:23:46 | raw[key] |
+| build-leaks.js:23:39:23:46 | raw[key] | build-leaks.js:23:24:23:47 | JSON.st ... w[key]) |
 | build-leaks.js:24:20:24:22 | env | build-leaks.js:22:24:25:14 | Object. ...  }, {}) |
 | build-leaks.js:24:20:24:22 | env | build-leaks.js:22:49:22:51 | env |
 | build-leaks.js:30:22:30:31 | stringifed | build-leaks.js:34:26:34:57 | getEnv( ... ngified |