move the if(!x) from DataFLow to TaintTracking

erik-krogh · erik-krogh · commit ade93e66e1b5 · 2020-02-06T15:44:22.000+01:00
diff --git a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
@@ -356,7 +356,8 @@ class PropNameTracking extends DataFlow::Configuration {
     node instanceof InstanceOfGuard or
     node instanceof TypeofGuard or
     node instanceof BlacklistInclusionGuard or
-    node instanceof WhitelistInclusionGuard
+    node instanceof WhitelistInclusionGuard or
+    node instanceof DataFlow::VarAccessBarrierGuard
   }
 }
 
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -1481,8 +1481,11 @@ private class AdditionalBarrierGuardCall extends AdditionalBarrierGuardNode, Dat
   override predicate appliesTo(Configuration cfg) { f.appliesTo(cfg) }
 }
 
-/** A check of the `if(x)`, which sanitizes `x` in its "else" branch. */
-private class VarAccessBarrierGuard extends AdditionalBarrierGuardNode, DataFlow::Node {
+/**
+  * A check of the `if(x)`, which sanitizes `x` in its "else" branch. 
+  * Can be added to a `isBarrierGuard` in a configuration to add the sanitization. 
+  */
+class VarAccessBarrierGuard extends BarrierGuardNode, DataFlow::Node {
   VarAccess var;
 
   VarAccessBarrierGuard() {
@@ -1492,6 +1495,4 @@ private class VarAccessBarrierGuard extends AdditionalBarrierGuardNode, DataFlow
   override predicate blocks(boolean outcome, Expr e) {
     var = e and outcome = false
   }
-
-  override predicate appliesTo(Configuration cfg) { any() }
 }
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -914,4 +914,19 @@ module TaintTracking {
     DataFlow::localFlowStep(pred, succ) or
     any(AdditionalTaintStep s).step(pred, succ)
   }
+
+  /** A check of the form `if(x)`, which sanitizes `x` in its "else" branch. */
+  private class VarAccessBarrierGuard extends AdditionalSanitizerGuardNode, DataFlow::Node {
+    DataFlow::VarAccessBarrierGuard guard;
+
+    VarAccessBarrierGuard() {
+      this = guard
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) {
+      guard.blocks(outcome, e)
+    }
+
+    override predicate appliesTo(Configuration cfg) { any() }
+  }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
@@ -35,7 +35,8 @@ module TaintedPath {
       guard instanceof StartsWithDotDotSanitizer or
       guard instanceof StartsWithDirSanitizer or
       guard instanceof IsAbsoluteSanitizer or
-      guard instanceof ContainsDotDotSanitizer
+      guard instanceof ContainsDotDotSanitizer or
+      guard instanceof DataFlow::VarAccessBarrierGuard
     }
 
     override predicate isAdditionalFlowStep(

Original file line number	Diff line number	Diff line change
`@@ -356,7 +356,8 @@ class PropNameTracking extends DataFlow::Configuration {`
`356`	`356`	`node instanceof InstanceOfGuard or`
`357`	`357`	`node instanceof TypeofGuard or`
`358`	`358`	`node instanceof BlacklistInclusionGuard or`
`359`		`- node instanceof WhitelistInclusionGuard`
	`359`	`+ node instanceof WhitelistInclusionGuard or`
	`360`	`+ node instanceof DataFlow::VarAccessBarrierGuard`
`360`	`361`	`}`
`361`	`362`	`}`
`362`	`363`
Original file line number	Diff line number	Diff line change
`@@ -1481,8 +1481,11 @@ private class AdditionalBarrierGuardCall extends AdditionalBarrierGuardNode, Dat`
`1481`	`1481`	`override predicate appliesTo(Configuration cfg) { f.appliesTo(cfg) }`
`1482`	`1482`	`}`
`1483`	`1483`
`1484`		-/** A check of the `if(x)`, which sanitizes `x` in its "else" branch. */
`1485`		`-private class VarAccessBarrierGuard extends AdditionalBarrierGuardNode, DataFlow::Node {`
	`1484`	`+/**`
	`1485`	+ * A check of the `if(x)`, which sanitizes `x` in its "else" branch.
	`1486`	+ * Can be added to a `isBarrierGuard` in a configuration to add the sanitization.
	`1487`	`+ */`
	`1488`	`+class VarAccessBarrierGuard extends BarrierGuardNode, DataFlow::Node {`
`1486`	`1489`	`VarAccess var;`
`1487`	`1490`
`1488`	`1491`	`VarAccessBarrierGuard() {`
`@@ -1492,6 +1495,4 @@ private class VarAccessBarrierGuard extends AdditionalBarrierGuardNode, DataFlow`
`1492`	`1495`	`override predicate blocks(boolean outcome, Expr e) {`
`1493`	`1496`	`var = e and outcome = false`
`1494`	`1497`	`}`
`1495`		`-`
`1496`		`- override predicate appliesTo(Configuration cfg) { any() }`
`1497`	`1498`	`}`
Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,8 @@ module TaintedPath {`
`35`	`35`	`guard instanceof StartsWithDotDotSanitizer or`
`36`	`36`	`guard instanceof StartsWithDirSanitizer or`
`37`	`37`	`guard instanceof IsAbsoluteSanitizer or`
`38`		`- guard instanceof ContainsDotDotSanitizer`
	`38`	`+ guard instanceof ContainsDotDotSanitizer or`
	`39`	`+ guard instanceof DataFlow::VarAccessBarrierGuard`
`39`	`40`	`}`
`40`	`41`
`41`	`42`	`override predicate isAdditionalFlowStep(`