JS: Reduce duplication in UnsafeDynamicMethodAccessQuery

2026-04-22 23:35:14 +02:00 · 2024-03-13 12:29:56 +01:00
parent ea4bc9cdbb
commit fa8933eb41
1 changed files with 14 additions and 24 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll
@@ -43,7 +43,7 @@ module UnsafeDynamicMethodAccessConfig implements DataFlow::StateConfigSig {
    label.isTaint()
  }

-  predicate isAdditionalFlowStep(
+  additional predicate additionalFlowStep(
    DataFlow::Node src, DataFlow::FlowLabel srclabel, DataFlow::Node dst,
    DataFlow::FlowLabel dstlabel
  ) {
@@ -64,7 +64,16 @@ module UnsafeDynamicMethodAccessConfig implements DataFlow::StateConfigSig {
      srclabel.isTaint() and
      dstlabel = unsafeFunction()
    )
+  }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node src, DataFlow::FlowLabel srclabel, DataFlow::Node dst,
+    DataFlow::FlowLabel dstlabel
+  ) {
+    additionalFlowStep(src, srclabel, dst, dstlabel)
    or
+    // We're not using a taint-tracking config because taint steps would then apply to all flow states.
+    // So we use a plain data flow config and manually add the default taint steps.
    srclabel.isTaint() and
    TaintTracking::defaultTaintStep(src, dst) and
    srclabel = dstlabel
@@ -83,20 +92,17 @@ deprecated class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "UnsafeDynamicMethodAccess" }

  override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-    source.(Source).getFlowLabel() = label
+    UnsafeDynamicMethodAccessConfig::isSource(source, label)
  }

  override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-    sink.(Sink).getFlowLabel() = label
+    UnsafeDynamicMethodAccessConfig::isSink(sink, label)
  }

  override predicate isSanitizer(DataFlow::Node node) {
    super.isSanitizer(node)
    or
-    node instanceof Sanitizer
-    or
-    exists(StringConcatenation::getOperand(node, _)) and
-    not StringConcatenation::isCoercion(node)
+    UnsafeDynamicMethodAccessConfig::isBarrier(node)
  }

  /**
@@ -110,22 +116,6 @@ deprecated class Configuration extends TaintTracking::Configuration {
    DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel,
    DataFlow::FlowLabel dstlabel
  ) {
-    // Reading a property of the global object or of a function
-    exists(DataFlow::PropRead read |
-      this.hasUnsafeMethods(read.getBase().getALocalSource()) and
-      src = read.getPropertyNameExpr().flow() and
-      dst = read and
-      srclabel.isTaint() and
-      dstlabel = unsafeFunction()
-    )
-    or
-    // Reading a chain of properties from any object with a prototype can lead to Function
-    exists(PropertyProjection proj |
-      not PropertyInjection::isPrototypeLessObject(proj.getObject().getALocalSource()) and
-      src = proj.getASelector() and
-      dst = proj and
-      srclabel.isTaint() and
-      dstlabel = unsafeFunction()
-    )
+    UnsafeDynamicMethodAccessConfig::additionalFlowStep(src, srclabel, dst, dstlabel)
  }
 }