JS: Fix bad join in isOptionallySanitizedEdgeInternal

This was previously called from isBarrier(node, state) but without restricting the state. The call was therefore moved to isBarrier(node), but this caused some optimisation changes resulting in a bad join.
Asger F
2024-12-16 10:48:17 +01:00
parent 947b785d47
commit e5ae7e0231


@@ -329,6 +329,12 @@ module DomBasedXss {
*/
deprecated predicate isOptionallySanitizedEdge = isOptionallySanitizedEdgeInternal/2;
bindingset[call]
pragma[inline_late]
private SsaVariable getSanitizedSsaVariable(HtmlSanitizerCall call) {
call.getAnArgument().asExpr().(VarAccess).getVariable() = result.getSourceVariable()
}
private predicate isOptionallySanitizedEdgeInternal(DataFlow::Node pred, DataFlow::Node succ) {
exists(HtmlSanitizerCall sanitizer |
// sanitized = sanitize ? sanitizer(source) : source;
@@ -348,7 +354,7 @@ module DomBasedXss {
count(phi.getAnInput()) = 2 and
not a = b and
sanitizer = DataFlow::valueNode(a.getDef().getSource()) and
sanitizer.getAnArgument().asExpr().(VarAccess).getVariable() = b.getSourceVariable()
getSanitizedSsaVariable(sanitizer) = b
|
pred = DataFlow::ssaDefinitionNode(b) and
succ = DataFlow::ssaDefinitionNode(phi)
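Review bot: The new helper getSanitizedSsaVariable in the first hunk carries bindingset[call] and pragma[inline_late] but no QLDoc, so the reason it exists — making the join start from the already-bound HtmlSanitizerCall instead of from every SSA variable — survives only in the commit message. I would add above the bindingset line: `/** Gets an SSA variable whose source variable is passed directly (as a VarAccess) to call. Inlined late so evaluation starts from the bound sanitizer call; the join in isOptionallySanitizedEdgeInternal degraded once it was reached from isBarrier(node) without a state restriction. */`. The doc should also say that arguments which are not plain variable accesses do not match, since the .(VarAccess) cast on the argument makes that the helper's contract and a reader of the second hunk can no longer see it at the call site. isOptionallySanitizedEdgeInternal begins in the first hunk and its body continues past the end of the second.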