JS: introduce persistent read/write pairs as a taint step

Author: Esben Sparre Andreasen

javascript/ql/src/semmle/javascript/Concepts.qll

@@ -65,3 +65,27 @@ abstract class DatabaseAccess extends DataFlow::Node {
   /** Gets an argument to this database access that is interpreted as a query. */
   abstract DataFlow::Node getAQueryArgument();
 }
+
+/**
+ * A data flow node that reads persistent data.
+ */
+abstract class PersistentReadAccess extends DataFlow::Node {
+
+  /**
+   * Gets the corresponding persistent write, if any.
+   */
+  abstract PersistentWriteAccess getAWrite();
+
+}
+
+/**
+ * A data flow node that writes persistent data.
+ */
+abstract class PersistentWriteAccess extends DataFlow::Node {
+
+  /**
+   * Gets the data flow node corresponding to the written value.
+   */
+  abstract DataFlow::Node getValue();
+
+}

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll

@@ -232,6 +232,21 @@ module TaintTracking {
     }
   }
 
+  private class StorageTaintStep extends AdditionalTaintStep {
+
+    PersistentReadAccess read;
+
+    StorageTaintStep() {
+      this = read
+    }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+        pred = read.getAWrite().getValue() and
+        succ = read
+    }
+
+  }
+
   /**
    * A taint propagating data flow edge caused by the builtin array functions.
    */