use a barrier directly instead of a barrier guard

erik-krogh · erik-krogh · commit e359e1a373d4 · 2020-02-18T10:57:28.000+01:00
diff --git a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
@@ -185,6 +185,12 @@ class PropNameTracking extends DataFlow::Configuration {
     )
   }
 
+  override predicate isBarrier(DataFlow::Node node) {
+    super.isBarrier(node)
+    or
+    node instanceof DataFlow::VarAccessBarrier
+  }
+
   override predicate isBarrierGuard(DataFlow::BarrierGuardNode node) {
     node instanceof BlacklistEqualityGuard or
     node instanceof WhitelistEqualityGuard or
@@ -193,8 +199,7 @@ class PropNameTracking extends DataFlow::Configuration {
     node instanceof InstanceOfGuard or
     node instanceof TypeofGuard or
     node instanceof BlacklistInclusionGuard or
-    node instanceof WhitelistInclusionGuard or
-    node instanceof DataFlow::VarAccessBarrierGuard
+    node instanceof WhitelistInclusionGuard
   }
 }
 
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -1483,16 +1483,15 @@ private class AdditionalBarrierGuardCall extends AdditionalBarrierGuardNode, Dat
 
 /**
   * A check of the form `if(x)`, which sanitizes `x` in its "else" branch. 
-  * Can be added to a `isBarrierGuard` in a configuration to add the sanitization. 
+  * Can be added to a `isBarrier` in a configuration to add the sanitization.
   */
-class VarAccessBarrierGuard extends BarrierGuardNode, DataFlow::Node {
-  VarAccess var;
-
-  VarAccessBarrierGuard() {
-    var = this.getEnclosingExpr()
-  }
-
-  override predicate blocks(boolean outcome, Expr e) {
-    var = e and outcome = false
+class VarAccessBarrier extends DataFlow::Node {
+  VarAccessBarrier() {
+    exists(ConditionGuardNode guard, SsaRefinementNode refinement |
+      this = DataFlow::ssaDefinitionNode(refinement) and
+      refinement.getGuard() = guard and
+      guard.getTest() instanceof VarAccess and
+      guard.getOutcome() = false
+    )
   }
 }
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -89,7 +89,8 @@ module TaintTracking {
 
     final override predicate isBarrier(DataFlow::Node node) {
       super.isBarrier(node) or
-      isSanitizer(node)
+      isSanitizer(node) or
+      node instanceof DataFlow::VarAccessBarrier
     }
 
     final override predicate isBarrierEdge(DataFlow::Node source, DataFlow::Node sink) {
@@ -914,19 +915,4 @@ module TaintTracking {
     DataFlow::localFlowStep(pred, succ) or
     any(AdditionalTaintStep s).step(pred, succ)
   }
-
-  /** A check of the form `if(x)`, which sanitizes `x` in its "else" branch. */
-  private class VarAccessBarrierGuard extends AdditionalSanitizerGuardNode, DataFlow::Node {
-    DataFlow::VarAccessBarrierGuard guard;
-
-    VarAccessBarrierGuard() {
-      this = guard
-    }
-
-    override predicate sanitizes(boolean outcome, Expr e) {
-      guard.blocks(outcome, e)
-    }
-
-    override predicate appliesTo(Configuration cfg) { any() }
-  }
 }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
@@ -35,8 +35,7 @@ module TaintedPath {
       guard instanceof StartsWithDotDotSanitizer or
       guard instanceof StartsWithDirSanitizer or
       guard instanceof IsAbsoluteSanitizer or
-      guard instanceof ContainsDotDotSanitizer or
-      guard instanceof DataFlow::VarAccessBarrierGuard
+      guard instanceof ContainsDotDotSanitizer
     }
 
     override predicate isAdditionalFlowStep(
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -355,6 +355,11 @@ module TaintedPath {
     }
   }
 
+  /**
+   * A check of the form `if(x)`, which sanitizes `x` in its "else" branch.
+   */
+  class VarAccessBarrier extends Sanitizer, DataFlow::VarAccessBarrier { }
+
   /**
    * A source of remote user input, considered as a flow source for
    * tainted-path vulnerabilities.
diff --git a/javascript/ql/test/library-tests/TaintBarriers/SanitizingGuard.expected b/javascript/ql/test/library-tests/TaintBarriers/SanitizingGuard.expected

Original file line number	Diff line number	Diff line change
`@@ -185,6 +185,12 @@ class PropNameTracking extends DataFlow::Configuration {`
`185`	`185`	`)`
`186`	`186`	`}`
`187`	`187`
	`188`	`+ override predicate isBarrier(DataFlow::Node node) {`
	`189`	`+ super.isBarrier(node)`
	`190`	`+ or`
	`191`	`+ node instanceof DataFlow::VarAccessBarrier`
	`192`	`+ }`
	`193`	`+`
`188`	`194`	`override predicate isBarrierGuard(DataFlow::BarrierGuardNode node) {`
`189`	`195`	`node instanceof BlacklistEqualityGuard or`
`190`	`196`	`node instanceof WhitelistEqualityGuard or`
`@@ -193,8 +199,7 @@ class PropNameTracking extends DataFlow::Configuration {`
`193`	`199`	`node instanceof InstanceOfGuard or`
`194`	`200`	`node instanceof TypeofGuard or`
`195`	`201`	`node instanceof BlacklistInclusionGuard or`
`196`		`- node instanceof WhitelistInclusionGuard or`
`197`		`- node instanceof DataFlow::VarAccessBarrierGuard`
	`202`	`+ node instanceof WhitelistInclusionGuard`
`198`	`203`	`}`
`199`	`204`	`}`
`200`	`205`
Original file line number	Diff line number	Diff line change
`@@ -35,8 +35,7 @@ module TaintedPath {`
`35`	`35`	`guard instanceof StartsWithDotDotSanitizer or`
`36`	`36`	`guard instanceof StartsWithDirSanitizer or`
`37`	`37`	`guard instanceof IsAbsoluteSanitizer or`
`38`		`- guard instanceof ContainsDotDotSanitizer or`
`39`		`- guard instanceof DataFlow::VarAccessBarrierGuard`
	`38`	`+ guard instanceof ContainsDotDotSanitizer`
`40`	`39`	`}`
`41`	`40`
`42`	`41`	`override predicate isAdditionalFlowStep(`
Original file line number	Diff line number	Diff line change
`@@ -355,6 +355,11 @@ module TaintedPath {`
`355`	`355`	`}`
`356`	`356`	`}`
`357`	`357`
	`358`	`+ /**`
	`359`	+ * A check of the form `if(x)`, which sanitizes `x` in its "else" branch.
	`360`	`+ */`
	`361`	`+ class VarAccessBarrier extends Sanitizer, DataFlow::VarAccessBarrier { }`
	`362`	`+`
`358`	`363`	`/**`
`359`	`364`	`* A source of remote user input, considered as a flow source for`
`360`	`365`	`* tainted-path vulnerabilities.`