hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-05 15:16:47 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
62fb745eaca4d98ee40da64e41bb93cde40ee406
codeql/javascript/ql/test/library-tests/TaintBarriers/tst.js
Max Schaefer fb78e14db1 JavaScript: Add support for sanitising dynamic property accesses. 
This generalises our previous handling of sanitisers operating on property accesses to support dynamic property accesses where the property name is an SSA variable by representing them as access paths.
2018-11-28 12:37:53 +00:00

386 lines
6.1 KiB
JavaScript
Raw Blame History

function SanitizingRegExpTest () {
var v = SOURCE();
SINK(v);
if (/x/.test(v)) {
SINK(v);
} else {
SINK(v);
}
if (v.match(/x/)) {
SINK(v);
} else {
SINK(v);
}
}
function HasOwnPropertySanitizer () {
var v = SOURCE();
SINK(v);
if (o.hasOwnProperty(v)) {
SINK(v);
} else {
SINK(v);
}
}
function InSanitizer () {
var v = SOURCE();
SINK(v);
if (v in o) {
SINK(v);
} else {
SINK(v);
}
}
function UndefinedCheckSanitizer () {
var v = SOURCE();
SINK(v);
if (o[v] == undefined) {
SINK(v);
} else {
SINK(v);
}
if (undefined === o[v]) {
SINK(v);
} else {
SINK(v);
}
if (o[v] !== undefined) {
SINK(v);
} else {
SINK(v);
}
}
function IndexOfCheckSanitizer () {
var v = SOURCE();
SINK(v);
if (o.indexOf(v) == -1) {
SINK(v);
} else {
SINK(v);
}
if (-1 === o.indexOf(v)) {
SINK(v);
} else {
SINK(v);
}
if (o.indexOf(v) !== -1) {
SINK(v);
} else {
SINK(v);
}
}
function containsSanitizer () {
var v = SOURCE();
SINK(v);
if (o.contains(v)) {
SINK(v);
} else {
SINK(v);
}
}
function hasSanitizer () {
var v = SOURCE();
SINK(v);
if (o.has(v)) {
SINK(v);
} else {
SINK(v);
}
}
function includesSanitizer () {
var v = SOURCE();
SINK(v);
if (o.includes(v)) {
SINK(v);
} else {
SINK(v);
}
}
function propertySanitization(o) {
var v = SOURCE();
SINK(v.p.q);
if (o.hasOwnProperty(v)) {
SINK(v);
} else if (o.hasOwnProperty(v.p)) {
SINK(v.p);
} else if (o.hasOwnProperty(v.p.q)) {
SINK(v.p.q);
} else if (o.hasOwnProperty(v.p)) {
SINK(v);
} else if (o.hasOwnProperty(v["p.q"])) {
SINK(v.p.q);
}
}
function constantComparisonSanitizer () {
var v = SOURCE();
SINK(v);
if (v == "white-listed") {
SINK(v);
} else {
SINK(v);
}
if ("white-listed" != v) {
SINK(v);
} else {
SINK(v);
}
if (v === "white-listed-1" || v === "white-listed-2") {
SINK(v);
} else {
SINK(v);
}
if (v == !!0) {
SINK(v);
} else {
SINK(v);
}
}
function customSanitizer() {
function SANITIZE(x){ return x; }
var v = SOURCE();
v = SANITIZE(v);
SINK(v);
}
function BitwiseIndexOfCheckSanitizer () {
var v = SOURCE();
SINK(v);
if (~o.indexOf(v)) {
SINK(v);
} else {
SINK(v);
}
if (!~o.indexOf(v)) {
SINK(v);
} else {
SINK(v);
}
}
function RelationalIndexOfCheckSanitizer () {
var v = SOURCE();
SINK(v);
if (o.indexOf(v) <= -1) {
SINK(v);
} else {
SINK(v);
}
if (o.indexOf(v) >= 0) {
SINK(v);
} else {
SINK(v);
}
if (o.indexOf(v) < 0) {
SINK(v);
} else {
SINK(v);
}
if (o.indexOf(v) > -1) {
SINK(v);
} else {
SINK(v);
}
if (-1 >= o.indexOf(v)) {
SINK(v);
} else {
SINK(v);
}
}
function adhocWhitelisting() {
var v = SOURCE();
if (isWhitelisted(v))
SINK(v);
else
SINK(v);
if (config.allowValue(v))
SINK(v);
else
SINK(v);
}
function IndirectSanitizer () {
var v = SOURCE();
SINK(v);
function f(x) {
return whitelist.contains(x);
}
if (f(v)) {
SINK(v);
} else {
SINK(v);
}
function g(y) {
var sanitized = whitelist.contains(y);
return sanitized;
}
if (g(v)) {
SINK(v);
} else {
SINK(v);
}
function h(z) {
var sanitized = whitelist.contains(z);
return somethingElse();
}
if (h(v)) {
SINK(v);
} else {
SINK(v);
}
function f2(x2) {
return x2 != null && whitelist.contains(x2);
}
if (f2(v)) {
SINK(v);
} else {
SINK(v);
}
function f3(x3) {
return x3 == null || whitelist.contains(x3);
}
if (f3(v)) {
SINK(v); // SANITIZATION OF THIS IS NOT YET SUPPORTED
} else {
SINK(v);
}
function f4(x4) {
return !whitelist.contains(x4);
}
if (f4(v)) {
SINK(v);
} else {
SINK(v); // SANITIZATION OF THIS IS NOT YET SUPPORTED
}
function f5(x5) {
return !!whitelist.contains(x5);
}
if (f5(v)) {
SINK(v); // SANITIZATION OF THIS IS NOT YET SUPPORTED
} else {
SINK(v);
}
function f6(x6) {
var sanitized = !whitelist.contains(x6);
return !sanitized;
}
if (f6(v)) {
SINK(v);
} else {
SINK(v); // SANITIZATION OF THIS IS NOT YET SUPPORTED
}
function f7(x7) {
var sanitized = x7 != null && whitelist.contains(x7);
return sanitized;
}
if (f7(v)) {
SINK(v);
} else {
SINK(v);
}
function f8(x8) {
var sanitized = whitelist.contains(x8);
return x8 != null && sanitized;
}
if (f8(v)) {
SINK(v); // SANITIZATION OF THIS IS NOT YET SUPPORTED
} else {
SINK(v);
}
function f9(x9) {
return unknown() && whitelist.contains(x9) && unknown();
}
if (f9(v)) {
SINK(v); // SANITIZATION OF THIS IS NOT YET SUPPORTED
} else {
SINK(v);
}
function f10(x10) {
return x10 !== null || x10 !== undefined;
}
if (f10(v)) {
SINK(v);
} else {
SINK(v);
}
}
function constantComparisonSanitizer2() {
var o = SOURCE();
SINK(o.p); // flagged
if (o.p == "white-listed") {
SINK(o.p); // not flagged
} else {
SINK(o.p); // flagged
}
for (var p in o) {
if (o[p] == "white-listed") {
SINK(o[p]); // not flagged
p = somethingElse();
SINK(o[p]); // flagged
} else {
SINK(o[p]); // flagged
}
}
}
Reference in New Issue View Git Blame Copy Permalink