hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Avoid use of LabeledSanitizerGuardNode in TaintedObject

Browse Source 
Drive-by bugfix: Rename sanitizes -> blocksExpr.
This fixes a bug that caused the sanitizer guard not to work in df2.

The test output reflects the fact that the barrier guard works now.
This commit is contained in:
Asger F
2024-11-28 13:55:06 +01:00
parent 0ce1fe767d
commit e6680dec8f
2 changed files with 17 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
javascript/ql/lib/semmle/javascript/security/TaintedObject.qll
View File

@@ -81,18 +81,31 @@ module TaintedObject {
/**
* A sanitizer guard that blocks deep object taint.
*/
abstract class SanitizerGuard extends TaintTracking::LabeledSanitizerGuardNode {
abstract class SanitizerGuard extends DataFlow::Node {
/** Holds if this node blocks flow through `e`, provided it evaluates to `outcome`. */
predicate blocksExpr(boolean outcome, Expr e) { none() }
/** Holds if this node blocks flow of `label` through `e`, provided it evaluates to `outcome`. */
predicate blocksExpr(boolean outcome, Expr e, FlowLabel label) { none() }
override predicate sanitizes(boolean outcome, Expr e, FlowLabel label) {
/** DEPRECATED. Use `blocksExpr` instead. */
deprecated predicate sanitizes(boolean outcome, Expr e, FlowLabel label) {
this.blocksExpr(outcome, e, label)
}
override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
/** DEPRECATED. Use `blocksExpr` instead. */
deprecated predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
}
deprecated private class SanitizerGuardLegacy extends TaintTracking::LabeledSanitizerGuardNode instanceof SanitizerGuard
{
deprecated override predicate sanitizes(boolean outcome, Expr e, FlowLabel label) {
SanitizerGuard.super.sanitizes(outcome, e, label)
}
deprecated override predicate sanitizes(boolean outcome, Expr e) {
SanitizerGuard.super.sanitizes(outcome, e)
}
}
/**
@@ -148,7 +161,7 @@ module TaintedObject {
.getACall()
}
override predicate sanitizes(boolean outcome, Expr e, FlowLabel lbl) {
override predicate blocksExpr(boolean outcome, Expr e, FlowLabel lbl) {
e = super.getAnArgument().asExpr() and outcome = true and lbl = label()
}
}