JS: Port barriers in UrlConcatenation.qll

asgerf · asgerf · commit 395f52303c81 · 2023-10-13T13:15:04.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UrlConcatenation.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UrlConcatenation.qll
@@ -103,8 +103,16 @@ predicate hostnameSanitizingPrefixEdge(DataFlow::Node source, DataFlow::Node sin
 class HostnameSanitizerGuard extends TaintTracking::SanitizerGuardNode, StringOps::StartsWith {
   HostnameSanitizerGuard() { hasHostnameSanitizingSubstring(this.getSubstring()) }
 
-  override predicate sanitizes(boolean outcome, Expr e) {
+  override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+
+  /** Holds if this node blocks flow through `e`, provided it evaluates to `outcome`. */
+  predicate blocksExpr(boolean outcome, Expr e) {
     outcome = this.getPolarity() and
     e = this.getBaseString().asExpr()
   }
 }
+
+/**
+ * A check that sanitizes the hostname of a URL.
+ */
+module HostnameSanitizerGuard = DataFlow::MakeBarrierGuard<HostnameSanitizerGuard>;
