JS: Reduce duplication in UnsafeDynamicMethodAccessQuery

asgerf · asgerf · commit fa8933eb415e · 2024-03-13T12:30:05.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDynamicMethodAccessQuery.qll
@@ -43,7 +43,7 @@ module UnsafeDynamicMethodAccessConfig implements DataFlow::StateConfigSig {
     label.isTaint()
   }
 
-  predicate isAdditionalFlowStep(
+  additional predicate additionalFlowStep(
     DataFlow::Node src, DataFlow::FlowLabel srclabel, DataFlow::Node dst,
     DataFlow::FlowLabel dstlabel
   ) {
@@ -64,7 +64,16 @@ module UnsafeDynamicMethodAccessConfig implements DataFlow::StateConfigSig {
       srclabel.isTaint() and
       dstlabel = unsafeFunction()
     )
+  }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node src, DataFlow::FlowLabel srclabel, DataFlow::Node dst,
+    DataFlow::FlowLabel dstlabel
+  ) {
+    additionalFlowStep(src, srclabel, dst, dstlabel)
     or
+    // We're not using a taint-tracking config because taint steps would then apply to all flow states.
+    // So we use a plain data flow config and manually add the default taint steps.
     srclabel.isTaint() and
     TaintTracking::defaultTaintStep(src, dst) and
     srclabel = dstlabel
@@ -83,20 +92,17 @@ deprecated class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "UnsafeDynamicMethodAccess" }
 
   override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-    source.(Source).getFlowLabel() = label
+    UnsafeDynamicMethodAccessConfig::isSource(source, label)
   }
 
   override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-    sink.(Sink).getFlowLabel() = label
+    UnsafeDynamicMethodAccessConfig::isSink(sink, label)
   }
 
   override predicate isSanitizer(DataFlow::Node node) {
     super.isSanitizer(node)
     or
-    node instanceof Sanitizer
-    or
-    exists(StringConcatenation::getOperand(node, _)) and
-    not StringConcatenation::isCoercion(node)
+    UnsafeDynamicMethodAccessConfig::isBarrier(node)
   }
 
   /**
@@ -110,22 +116,6 @@ deprecated class Configuration extends TaintTracking::Configuration {
     DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel,
     DataFlow::FlowLabel dstlabel
   ) {
-    // Reading a property of the global object or of a function
-    exists(DataFlow::PropRead read |
-      this.hasUnsafeMethods(read.getBase().getALocalSource()) and
-      src = read.getPropertyNameExpr().flow() and
-      dst = read and
-      srclabel.isTaint() and
-      dstlabel = unsafeFunction()
-    )
-    or
-    // Reading a chain of properties from any object with a prototype can lead to Function
-    exists(PropertyProjection proj |
-      not PropertyInjection::isPrototypeLessObject(proj.getObject().getALocalSource()) and
-      src = proj.getASelector() and
-      dst = proj and
-      srclabel.isTaint() and
-      dstlabel = unsafeFunction()
-    )
+    UnsafeDynamicMethodAccessConfig::additionalFlowStep(src, srclabel, dst, dstlabel)
   }
 }
