
Commit e359e1a

use a barrier directly instead of a barrier guard
1 parent d913654 commit e359e1a


6 files changed

+24
-381
lines changed


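--- a/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
+++ b/javascript/ql/src/Security/CWE-400/PrototypePollutionUtility.ql
@@ -185,6 +185,12 @@ class PropNameTracking extends DataFlow::Configuration {
 )
 }
 
+override predicate isBarrier(DataFlow::Node node) {
+super.isBarrier(node)
+or
+node instanceof DataFlow::VarAccessBarrier
+}
+
 override predicate isBarrierGuard(DataFlow::BarrierGuardNode node) {
 node instanceof BlacklistEqualityGuard or
 node instanceof WhitelistEqualityGuard or
@@ -193,8 +199,7 @@ class PropNameTracking extends DataFlow::Configuration {
 node instanceof InstanceOfGuard or
 node instanceof TypeofGuard or
 node instanceof BlacklistInclusionGuard or
-node instanceof WhitelistInclusionGuard or
-node instanceof DataFlow::VarAccessBarrierGuard
+node instanceof WhitelistInclusionGuard
 }
 }
 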
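Review bot: The new `isBarrier` override (new lines 188–192) carries no comment saying why a `DataFlow::VarAccessBarrier` node stops property-name flow, so a reader has to chase the class into Configuration.qll to learn that it is the else branch of `if (x)`. A one-line comment above the override would keep that local: `// In the else branch of if (x), x is falsy and so cannot name a polluting property.` As a point of style, the disjunction is split as `super.isBarrier(node)` / `or` / `node instanceof ...` on three lines, while the sibling `isBarrierGuard` directly below ends each disjunct with `or`; matching that layout reads more consistently. The enclosing class `PropNameTracking` starts and ends outside these hunks.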

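--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -1483,16 +1483,15 @@ private class AdditionalBarrierGuardCall extends AdditionalBarrierGuardNode, Dat
 
 /**
 * A check of the form `if(x)`, which sanitizes `x` in its "else" branch.
-* Can be added to a `isBarrierGuard` in a configuration to add the sanitization.
+* Can be added to a `isBarrier` in a configuration to add the sanitization.
 */
-class VarAccessBarrierGuard extends BarrierGuardNode, DataFlow::Node {
-VarAccess var;
-
-VarAccessBarrierGuard() {
-var = this.getEnclosingExpr()
-}
-
-override predicate blocks(boolean outcome, Expr e) {
-var = e and outcome = false
+class VarAccessBarrier extends DataFlow::Node {
+VarAccessBarrier() {
+exists(ConditionGuardNode guard, SsaRefinementNode refinement |
+this = DataFlow::ssaDefinitionNode(refinement) and
+refinement.getGuard() = guard and
+guard.getTest() instanceof VarAccess and
+guard.getOutcome() = false
+)
 }
 }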
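Review bot: The summary comment kept at new line 1485 still calls the class "A check of the form `if(x)`", but `VarAccessBarrier` (new lines 1488–1495) is now the SSA refinement node of `x` inside the "else" branch, not the check itself; suggest `The SSA refinement of a variable x in the "else" branch of a check of the form if(x); flow through x is blocked at that point.` and, on the next line, `Can be added to an isBarrier predicate in a configuration to add the sanitization.` The same "A check of the form" summary is reused verbatim for the subclass added in TaintedPathCustomizations.qll, so it would need the same correction there. Separately, it is worth confirming that every local flow path from a definition of `x` to its uses in the else branch passes through the `SsaRefinementNode`: the removed `BarrierGuardNode` matched the `VarAccess` expression wherever the guard applied, whereas if some variables get no refinement node for the guard, the barrier silently stops applying to them and no test would flag it.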

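--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -89,7 +89,8 @@ module TaintTracking {
 
 final override predicate isBarrier(DataFlow::Node node) {
 super.isBarrier(node) or
-isSanitizer(node)
+isSanitizer(node) or
+node instanceof DataFlow::VarAccessBarrier
 }
 
 final override predicate isBarrierEdge(DataFlow::Node source, DataFlow::Node sink) {
@@ -914,19 +915,4 @@ module TaintTracking {
 DataFlow::localFlowStep(pred, succ) or
 any(AdditionalTaintStep s).step(pred, succ)
 }
-
-/** A check of the form `if(x)`, which sanitizes `x` in its "else" branch. */
-private class VarAccessBarrierGuard extends AdditionalSanitizerGuardNode, DataFlow::Node {
-DataFlow::VarAccessBarrierGuard guard;
-
-VarAccessBarrierGuard() {
-this = guard
-}
-
-override predicate sanitizes(boolean outcome, Expr e) {
-guard.blocks(outcome, e)
-}
-
-override predicate appliesTo(Configuration cfg) { any() }
-}
 }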
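Review bot: The `final override predicate isBarrier` (new lines 90–94) now bakes `DataFlow::VarAccessBarrier` into every taint-tracking configuration without a comment, whereas the removed `VarAccessBarrierGuard` in the second hunk at least carried a one-line summary; since the predicate is `final`, a subclass cannot see or opt out of this barrier, so the intent should be stated where it lives. Suggested comment above the new disjunct: `// x is falsy in the else branch of if (x), so it cannot carry taint (see DataFlow::VarAccessBarrier).` The removed class applied to all configurations via `appliesTo(Configuration cfg) { any() }`, so the scope of the sanitization appears unchanged; the first hunk's enclosing configuration class starts outside the hunk.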

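--- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPath.qll
@@ -35,8 +35,7 @@ module TaintedPath {
 guard instanceof StartsWithDotDotSanitizer or
 guard instanceof StartsWithDirSanitizer or
 guard instanceof IsAbsoluteSanitizer or
-guard instanceof ContainsDotDotSanitizer or
-guard instanceof DataFlow::VarAccessBarrierGuard
+guard instanceof ContainsDotDotSanitizer
 }
 
 override predicate isAdditionalFlowStep(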

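--- a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -355,6 +355,11 @@ module TaintedPath {
 }
 }
 
+/**
+* A check of the form `if(x)`, which sanitizes `x` in its "else" branch.
+*/
+class VarAccessBarrier extends Sanitizer, DataFlow::VarAccessBarrier { }
+
 /**
 * A source of remote user input, considered as a flow source for
 * tainted-path vulnerabilities.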
