Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 12e60c7

Browse files
erik-krogherik-krogh
committed
move TypeTestGuard to the Query.qll file
1 parent b1bad27 commit 12e60c7

2 files changed

Lines changed: 28 additions & 28 deletions

File tree

javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll

Lines changed: 0 additions & 28 deletions
Original file line numberDiff line numberDiff line change
@@ -137,34 +137,6 @@ module XssThroughDom {
137137
/** DEPRECATED: Alias for DomTextSource */
138138
deprecated class DOMTextSource = DomTextSource;
139139

140-
/**
141-
* A test of form `typeof x === "something"`, preventing `x` from being a string in some cases.
142-
*
143-
* This sanitizer helps prune infeasible paths in type-overloaded functions.
144-
*/
145-
class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
146-
override EqualityTest astNode;
147-
Expr operand;
148-
boolean polarity;
149-
150-
TypeTestGuard() {
151-
exists(TypeofTag tag | TaintTracking::isTypeofGuard(astNode, operand, tag) |
152-
// typeof x === "string" sanitizes `x` when it evaluates to false
153-
tag = "string" and
154-
polarity = astNode.getPolarity().booleanNot()
155-
or
156-
// typeof x === "object" sanitizes `x` when it evaluates to true
157-
tag != "string" and
158-
polarity = astNode.getPolarity()
159-
)
160-
}
161-
162-
override predicate sanitizes(boolean outcome, Expr e) {
163-
polarity = outcome and
164-
e = operand
165-
}
166-
}
167-
168140
/** The `files` property of an `<input />` element */
169141
class FilesSource extends Source {
170142
FilesSource() { this = DOM::domValueRef().getAPropertyRead("files") }

javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -52,6 +52,34 @@ class Configuration extends TaintTracking::Configuration {
5252
}
5353
}
5454

55+
/**
56+
* A test of form `typeof x === "something"`, preventing `x` from being a string in some cases.
57+
*
58+
* This sanitizer helps prune infeasible paths in type-overloaded functions.
59+
*/
60+
class TypeTestGuard extends TaintTracking::SanitizerGuardNode, DataFlow::ValueNode {
61+
override EqualityTest astNode;
62+
Expr operand;
63+
boolean polarity;
64+
65+
TypeTestGuard() {
66+
exists(TypeofTag tag | TaintTracking::isTypeofGuard(astNode, operand, tag) |
67+
// typeof x === "string" sanitizes `x` when it evaluates to false
68+
tag = "string" and
69+
polarity = astNode.getPolarity().booleanNot()
70+
or
71+
// typeof x === "object" sanitizes `x` when it evaluates to true
72+
tag != "string" and
73+
polarity = astNode.getPolarity()
74+
)
75+
}
76+
77+
override predicate sanitizes(boolean outcome, Expr e) {
78+
polarity = outcome and
79+
e = operand
80+
}
81+
}
82+
5583
private import semmle.javascript.security.dataflow.Xss::Shared as Shared
5684

5785
private class PrefixStringSanitizer extends TaintTracking::SanitizerGuardNode,

0 commit comments

Comments
 (0)