JS: Migrate UnsafeHtmlConstruction

2026-04-26 17:25:19 +02:00 · 2024-12-12 13:57:34 +01:00
parent 8907252814
commit d9a43dbd85
2 changed files with 18 additions and 17 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -13,6 +13,7 @@ module UnsafeHtmlConstruction {
  private import semmle.javascript.security.dataflow.DomBasedXssCustomizations::DomBasedXss as DomBasedXss
  private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizations::UnsafeJQueryPlugin as UnsafeJQueryPlugin
  private import semmle.javascript.PackageExports as Exports
+  import semmle.javascript.security.CommonFlowState

  /**
   * A source for unsafe HTML constructed from library input.
@@ -71,16 +72,16 @@ module UnsafeHtmlConstruction {
    predicate blocksExpr(boolean outcome, Expr e) { none() }

    /**
-     * Holds if this node acts as a barrier for `label`, blocking further flow from `e` if `this` evaluates to `outcome`.
+     * Holds if this node acts as a barrier for `state`, blocking further flow from `e` if `this` evaluates to `outcome`.
     */
-    predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) { none() }
+    predicate blocksExpr(boolean outcome, Expr e, FlowState state) { none() }

    /** DEPRECATED. Use `blocksExpr` instead. */
    deprecated predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }

    /** DEPRECATED. Use `blocksExpr` instead. */
    deprecated predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
-      this.blocksExpr(outcome, e, label)
+      this.blocksExpr(outcome, e, FlowState::fromFlowLabel(label))
    }
  }

@@ -218,10 +219,10 @@ module UnsafeHtmlConstruction {

    TypeTestGuard() { TaintTracking::isStringTypeGuard(astNode, operand, polarity) }

-    override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel lbl) {
+    override predicate blocksExpr(boolean outcome, Expr e, FlowState state) {
      polarity = outcome and
      e = operand and
-      lbl.isTaint()
+      state.isTaint()
    }
  }
 }
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
@@ -16,16 +16,16 @@ deprecated class Configration = Configuration;
 * A taint-tracking configuration for reasoning about unsafe HTML constructed from library input vulnerabilities.
 */
 module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
-  class FlowState = DataFlow::FlowLabel;
+  import semmle.javascript.security.CommonFlowState

-  predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+  predicate isSource(DataFlow::Node source, FlowState state) {
    source instanceof Source and
-    label = [TaintedObject::label(), DataFlow::FlowLabel::taint(), DataFlow::FlowLabel::data()]
+    state = [FlowState::taintedObject(), FlowState::taint()]
  }

-  predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+  predicate isSink(DataFlow::Node sink, FlowState state) {
    sink instanceof Sink and
-    label = DataFlow::FlowLabel::taint()
+    state = FlowState::taint()
  }

  predicate isBarrier(DataFlow::Node node) {
@@ -38,14 +38,14 @@ module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
    node = Shared::BarrierGuard::getABarrierNode()
  }

-  predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel label) {
-    TaintTracking::defaultSanitizer(node) and label.isTaint()
+  predicate isBarrier(DataFlow::Node node, FlowState state) {
+    TaintTracking::defaultSanitizer(node) and state.isTaint()
    or
-    node = DataFlow::MakeLabeledBarrierGuard<BarrierGuard>::getABarrierNode(label)
+    node = DataFlow::MakeStateBarrierGuard<FlowState, BarrierGuard>::getABarrierNode(state)
  }

  predicate isAdditionalFlowStep(
-    DataFlow::Node pred, DataFlow::FlowLabel inlbl, DataFlow::Node succ, DataFlow::FlowLabel outlbl
+    DataFlow::Node pred, FlowState inlbl, DataFlow::Node succ, FlowState outlbl
  ) {
    // TODO: localFieldStep is too expensive with dataflow2
    // DataFlow::localFieldStep(pred, succ) and
@@ -53,12 +53,12 @@ module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
    // outlbl.isTaint()
    none()
    or
-    TaintedObject::step(pred, succ, inlbl, outlbl)
+    TaintedObject::isAdditionalFlowStep(pred, inlbl, succ, outlbl)
    or
    // property read from a tainted object is considered tainted
    succ.(DataFlow::PropRead).getBase() = pred and
-    inlbl = TaintedObject::label() and
-    outlbl = DataFlow::FlowLabel::taint()
+    inlbl.isTaintedObject() and
+    outlbl.isTaint()
    or
    TaintTracking::defaultTaintStep(pred, succ) and
    inlbl.isTaint() and