use the sanitizers from ReflectedXSS in unsafe-html-construction

2026-04-22 23:35:14 +02:00 · 2024-03-20 10:11:07 +01:00
parent 0bb86fc087
commit db3bf0e482
2 changed files with 8 additions and 9 deletions
--- a/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionCustomizations.qll
@@ -7,6 +7,7 @@
 private import ruby
 private import codeql.ruby.ApiGraphs
 private import codeql.ruby.frameworks.core.Gem::Gem as Gem
+private import codeql.ruby.security.XSS::ReflectedXss as ReflectedXss
 private import codeql.ruby.typetracking.TypeTracking

 /**
@@ -34,7 +35,11 @@ module UnsafeHtmlConstruction {
    abstract string getSinkType();
  }

-  private import codeql.ruby.security.XSS::ReflectedXss as ReflectedXss
+  /** A sanitizer for HTML constructed from library input vulnerabilities. */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  // inherit all the sanitizers from ReflectedXss
+  class ReflectedXssSanitizers extends Sanitizer instanceof ReflectedXss::Sanitizer { }

  /** Gets a node that eventually ends up in the XSS `sink`. */
  private DataFlow::Node getANodeThatEndsInXssSink(ReflectedXss::Sink sink) {
--- a/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll
@@ -23,10 +23,7 @@ deprecated class Configuration extends TaintTracking::Configuration {

  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

-  override predicate isSanitizer(DataFlow::Node node) {
-    node instanceof StringConstCompareBarrier or
-    node instanceof StringConstArrayInclusionCallBarrier
-  }
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }

  // override to require the path doesn't have unmatched return steps
  override DataFlow::FlowFeature getAFeature() {
@@ -39,10 +36,7 @@ private module UnsafeHtmlConstructionConfig implements DataFlow::ConfigSig {

  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

-  predicate isBarrier(DataFlow::Node node) {
-    node instanceof StringConstCompareBarrier or
-    node instanceof StringConstArrayInclusionCallBarrier
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

  // override to require the path doesn't have unmatched return steps
  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }