move hasPathWithoutUnmatchedReturn to Configuration.qll

2026-05-03 12:45:27 +02:00 · 2021-05-10 10:55:09 +02:00
parent b4e35f54d9
commit d913668943
4 changed files with 13 additions and 16 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -2068,3 +2068,14 @@ class VarAccessBarrier extends DataFlow::Node {
    )
  }
 }
+
+/**
+ *  Holds if there is a path without unmatched return steps from `source` to `sink`.
+ */
+predicate hasPathWithoutUnmatchedReturn(SourcePathNode source, SinkPathNode sink) {
+  exists(MidPathNode mid |
+    source.getASuccessor*() = mid and
+    sink = mid.getASuccessor() and
+    mid.getPathSummary().hasReturn() = false
+  )
+}
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstruction.qll
@@ -38,7 +38,7 @@ module UnsafeHtmlConstruction {
    // override to require that there is a path without unmatched return steps
    override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
      super.hasFlowPath(source, sink) and
-      hasPathWithoutUnmatchedReturn(source, sink)
+      DataFlow::hasPathWithoutUnmatchedReturn(source, sink)
    }

    override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -174,17 +174,4 @@ module UnsafeHtmlConstruction {

    override string describe() { result = "Markdown rendering" }
  }
-
-  /**
-   *  Holds if there is a path without unmatched return steps from `source` to `sink`.
-   */
-  predicate hasPathWithoutUnmatchedReturn(
-    DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink
-  ) {
-    exists(DataFlow::MidPathNode mid |
-      source.getASuccessor*() = mid and
-      sink = mid.getASuccessor() and
-      mid.getPathSummary().hasReturn() = false
-    )
-  }
 }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstruction.qll
@@ -14,7 +14,6 @@ import javascript
 */
 module UnsafeShellCommandConstruction {
  import UnsafeShellCommandConstructionCustomizations::UnsafeShellCommandConstruction
-  import UnsafeHtmlConstructionCustomizations

  /**
   * A taint-tracking configuration for reasoning about shell command constructed from library input vulnerabilities.
@@ -36,7 +35,7 @@ module UnsafeShellCommandConstruction {
    // override to require that there is a path without unmatched return steps
    override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
      super.hasFlowPath(source, sink) and
-      UnsafeHtmlConstruction::requireMatchedReturn(source, sink)
+      DataFlow::hasPathWithoutUnmatchedReturn(source, sink)
    }

    override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {