JS: Refactor BarrierGuardLegacy pattern to not depend on SanitizerGuardNode

Previously our barrier guard classes were direct descendents of SanitizerGuardNode which made it hard to deprecate that class.

Now our barrier guards are not descending from any shared class. Instead they are contributed to SanitizerGuardNode via a private helper class we can remove in the future.

Author: asgerf

javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll

@@ -31,14 +31,25 @@ module DomBasedXss {
      * Holds if this node acts as a barrier for `label`, blocking further flow from `e` if `this` evaluates to `outcome`.
      */
     predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) { none() }
+
+    /** DEPRECATED. Use `blocksExpr` instead. */
+    deprecated predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+
+    /** DEPRECATED. Use `blocksExpr` instead. */
+    deprecated predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      this.blocksExpr(outcome, e, label)
+    }
   }
 
   /** A subclass of `BarrierGuard` that is used for backward compatibility with the old data flow library. */
-  abstract class BarrierGuardLegacy extends BarrierGuard, TaintTracking::SanitizerGuardNode {
-    override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+  deprecated final private class BarrierGuardLegacy extends TaintTracking::SanitizerGuardNode instanceof BarrierGuard
+  {
+    override predicate sanitizes(boolean outcome, Expr e) {
+      BarrierGuard.super.sanitizes(outcome, e)
+    }
 
     override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
-      this.blocksExpr(outcome, e, label)
+      BarrierGuard.super.sanitizes(outcome, e, label)
     }
   }
 
@@ -378,7 +389,7 @@ module DomBasedXss {
   /**
    * A sanitizer that blocks the `PrefixString` label when the start of the string is being tested as being of a particular prefix.
    */
-  abstract class PrefixStringSanitizer extends BarrierGuardLegacy instanceof StringOps::StartsWith {
+  abstract class PrefixStringSanitizer extends BarrierGuard instanceof StringOps::StartsWith {
     override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
       e = super.getBaseString().asExpr() and
       label = prefixLabel() and

javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionCustomizations.qll

@@ -179,14 +179,25 @@ module LoopBoundInjection {
      * Holds if this node acts as a barrier for `label`, blocking further flow from `e` if `this` evaluates to `outcome`.
      */
     predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) { none() }
+
+    /** DEPRECATED. Use `blocksExpr` instead. */
+    deprecated predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+
+    /** DEPRECATED. Use `blocksExpr` instead. */
+    deprecated predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      this.blocksExpr(outcome, e, label)
+    }
   }
 
   /** A subclass of `BarrierGuard` that is used for backward compatibility with the old data flow library. */
-  abstract class BarrierGuardLegacy extends BarrierGuard, TaintTracking::SanitizerGuardNode {
-    override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+  deprecated final private class BarrierGuardLegacy extends TaintTracking::SanitizerGuardNode instanceof BarrierGuard
+  {
+    override predicate sanitizes(boolean outcome, Expr e) {
+      BarrierGuard.super.sanitizes(outcome, e)
+    }
 
     override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
-      this.blocksExpr(outcome, e, label)
+      BarrierGuard.super.sanitizes(outcome, e, label)
     }
   }
 
@@ -198,7 +209,7 @@ module LoopBoundInjection {
   /**
    * A sanitizer that blocks taint flow if the array is checked to be an array using an `isArray` function.
    */
-  class IsArraySanitizerGuard extends BarrierGuardLegacy, DataFlow::ValueNode {
+  class IsArraySanitizerGuard extends BarrierGuard, DataFlow::ValueNode {
     override CallExpr astNode;
 
     IsArraySanitizerGuard() { astNode.getCalleeName() = "isArray" }
@@ -213,7 +224,7 @@ module LoopBoundInjection {
   /**
    * A sanitizer that blocks taint flow if the array is checked to be an array using an `X instanceof Array` check.
    */
-  class InstanceofArraySanitizerGuard extends BarrierGuardLegacy, DataFlow::ValueNode {
+  class InstanceofArraySanitizerGuard extends BarrierGuard, DataFlow::ValueNode {
     override BinaryExpr astNode;
 
     InstanceofArraySanitizerGuard() {
@@ -233,7 +244,7 @@ module LoopBoundInjection {
    *
    * Also implicitly makes sure that only the first DoS-prone loop is selected by the query (as the .length test has outcome=false when exiting the loop).
    */
-  class LengthCheckSanitizerGuard extends BarrierGuardLegacy, DataFlow::ValueNode {
+  class LengthCheckSanitizerGuard extends BarrierGuard, DataFlow::ValueNode {
     override RelationalComparison astNode;
     DataFlow::PropRead propRead;
 

javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentCustomizations.qll

@@ -51,14 +51,25 @@ module PrototypePollutingAssignment {
      * Holds if this node acts as a barrier for `label`, blocking further flow from `e` if `this` evaluates to `outcome`.
      */
     predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) { none() }
+
+    /** DEPRECATED. Use `blocksExpr` instead. */
+    deprecated predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+
+    /** DEPRECATED. Use `blocksExpr` instead. */
+    deprecated predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      this.blocksExpr(outcome, e, label)
+    }
   }
 
   /** A subclass of `BarrierGuard` that is used for backward compatibility with the old data flow library. */
-  abstract class BarrierGuardLegacy extends BarrierGuard, TaintTracking::SanitizerGuardNode {
-    override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+  deprecated final private class BarrierGuardLegacy extends TaintTracking::SanitizerGuardNode instanceof BarrierGuard
+  {
+    override predicate sanitizes(boolean outcome, Expr e) {
+      BarrierGuard.super.sanitizes(outcome, e)
+    }
 
     override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
-      this.blocksExpr(outcome, e, label)
+      BarrierGuard.super.sanitizes(outcome, e, label)
     }
   }
 

javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutingAssignmentQuery.qll

@@ -256,7 +256,7 @@ private predicate isPropertyPresentOnObjectPrototype(string prop) {
 }
 
 /** A check of form `e.prop` where `prop` is not present on `Object.prototype`. */
-private class PropertyPresenceCheck extends BarrierGuardLegacy, DataFlow::ValueNode {
+private class PropertyPresenceCheck extends BarrierGuard, DataFlow::ValueNode {
   override PropAccess astNode;
 
   PropertyPresenceCheck() {
@@ -272,7 +272,7 @@ private class PropertyPresenceCheck extends BarrierGuardLegacy, DataFlow::ValueN
 }
 
 /** A check of form `"prop" in e` where `prop` is not present on `Object.prototype`. */
-private class InExprCheck extends BarrierGuardLegacy, DataFlow::ValueNode {
+private class InExprCheck extends BarrierGuard, DataFlow::ValueNode {
   override InExpr astNode;
 
   InExprCheck() {
@@ -287,7 +287,7 @@ private class InExprCheck extends BarrierGuardLegacy, DataFlow::ValueNode {
 }
 
 /** A check of form `e instanceof X`, which is always false for `Object.prototype`. */
-private class InstanceofCheck extends BarrierGuardLegacy, DataFlow::ValueNode {
+private class InstanceofCheck extends BarrierGuard, DataFlow::ValueNode {
   override InstanceofExpr astNode;
 
   override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
@@ -298,7 +298,7 @@ private class InstanceofCheck extends BarrierGuardLegacy, DataFlow::ValueNode {
 }
 
 /** A check of form `typeof e === "string"`. */
-private class TypeofCheck extends BarrierGuardLegacy, DataFlow::ValueNode {
+private class TypeofCheck extends BarrierGuard, DataFlow::ValueNode {
   override EqualityTest astNode;
   Expr operand;
   boolean polarity;
@@ -319,7 +319,7 @@ private class TypeofCheck extends BarrierGuardLegacy, DataFlow::ValueNode {
 }
 
 /** A guard that checks whether `x` is a number. */
-class NumberGuard extends BarrierGuardLegacy instanceof DataFlow::CallNode {
+class NumberGuard extends BarrierGuard instanceof DataFlow::CallNode {
   Expr x;
   boolean polarity;
 
@@ -329,7 +329,7 @@ class NumberGuard extends BarrierGuardLegacy instanceof DataFlow::CallNode {
 }
 
 /** A call to `Array.isArray`, which is false for `Object.prototype`. */
-private class IsArrayCheck extends BarrierGuardLegacy, DataFlow::CallNode {
+private class IsArrayCheck extends BarrierGuard, DataFlow::CallNode {
   IsArrayCheck() { this = DataFlow::globalVarRef("Array").getAMemberCall("isArray") }
 
   override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
@@ -342,7 +342,7 @@ private class IsArrayCheck extends BarrierGuardLegacy, DataFlow::CallNode {
 /**
  * Sanitizer guard of form `x !== "__proto__"`.
  */
-private class EqualityCheck extends BarrierGuardLegacy, DataFlow::ValueNode {
+private class EqualityCheck extends BarrierGuard, DataFlow::ValueNode {
   override EqualityTest astNode;
 
   EqualityCheck() { astNode.getAnOperand().getStringValue() = "__proto__" }
@@ -356,7 +356,7 @@ private class EqualityCheck extends BarrierGuardLegacy, DataFlow::ValueNode {
 /**
  * Sanitizer guard of the form `x.includes("__proto__")`.
  */
-private class IncludesCheck extends BarrierGuardLegacy, InclusionTest {
+private class IncludesCheck extends BarrierGuard, InclusionTest {
   IncludesCheck() { this.getContainedNode().mayHaveStringValue("__proto__") }
 
   override predicate blocksExpr(boolean outcome, Expr e) {
@@ -368,7 +368,7 @@ private class IncludesCheck extends BarrierGuardLegacy, InclusionTest {
 /**
  * A sanitizer guard that checks tests whether `x` is included in a list like `["__proto__"].includes(x)`.
  */
-private class DenyListInclusionGuard extends BarrierGuardLegacy, InclusionTest {
+private class DenyListInclusionGuard extends BarrierGuard, InclusionTest {
   DenyListInclusionGuard() {
     this.getContainerNode()
         .getALocalSource()

javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll

@@ -39,11 +39,17 @@ module ResourceExhaustion {
      * Holds if this node acts as a barrier for data flow, blocking further flow from `e` if `this` evaluates to `outcome`.
      */
     predicate blocksExpr(boolean outcome, Expr e) { none() }
+
+    /** DEPRECATED. Use `blocksExpr` instead. */
+    deprecated predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
   }
 
   /** A subclass of `BarrierGuard` that is used for backward compatibility with the old data flow library. */
-  abstract class BarrierGuardLegacy extends BarrierGuard, TaintTracking::SanitizerGuardNode {
-    override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+  deprecated final private class BarrierGuardLegacy extends TaintTracking::SanitizerGuardNode instanceof BarrierGuard
+  {
+    override predicate sanitizes(boolean outcome, Expr e) {
+      BarrierGuard.super.sanitizes(outcome, e)
+    }
   }
 
   /**

javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionQuery.qll

@@ -73,7 +73,7 @@ predicate isNumericFlowStep(DataFlow::Node src, DataFlow::Node dst) {
 /**
  * A sanitizer that blocks taint flow if the size of a number is limited.
  */
-class UpperBoundsCheckSanitizerGuard extends BarrierGuardLegacy, DataFlow::ValueNode {
+class UpperBoundsCheckSanitizerGuard extends BarrierGuard, DataFlow::ValueNode {
   override RelationalComparison astNode;
 
   override predicate blocksExpr(boolean outcome, Expr e) {

javascript/ql/lib/semmle/javascript/security/dataflow/SecondOrderCommandInjectionCustomizations.qll

@@ -96,14 +96,25 @@ module SecondOrderCommandInjection {
      * Holds if this node acts as a barrier for `label`, blocking further flow from `e` if `this` evaluates to `outcome`.
      */
     predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) { none() }
+
+    /** DEPRECATED. Use `blocksExpr` instead. */
+    deprecated predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+
+    /** DEPRECATED. Use `blocksExpr` instead. */
+    deprecated predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      this.blocksExpr(outcome, e, label)
+    }
   }
 
   /** A subclass of `BarrierGuard` that is used for backward compatibility with the old data flow library. */
-  abstract class BarrierGuardLegacy extends BarrierGuard, TaintTracking::SanitizerGuardNode {
-    override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+  deprecated final private class BarrierGuardLegacy extends TaintTracking::SanitizerGuardNode instanceof BarrierGuard
+  {
+    override predicate sanitizes(boolean outcome, Expr e) {
+      BarrierGuard.super.sanitizes(outcome, e)
+    }
 
     override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
-      this.blocksExpr(outcome, e, label)
+      BarrierGuard.super.sanitizes(outcome, e, label)
     }
   }
 
@@ -214,7 +225,7 @@ module SecondOrderCommandInjection {
   /**
    * A sanitizer that blocks flow when a string is tested to start with a certain prefix.
    */
-  class PrefixStringSanitizer extends BarrierGuardLegacy instanceof StringOps::StartsWith {
+  class PrefixStringSanitizer extends BarrierGuard instanceof StringOps::StartsWith {
     override predicate blocksExpr(boolean outcome, Expr e) {
       e = super.getBaseString().asExpr() and
       outcome = super.getPolarity()
@@ -224,7 +235,7 @@ module SecondOrderCommandInjection {
   /**
    * A sanitizer that blocks flow when a string does not start with "--"
    */
-  class DoubleDashSanitizer extends BarrierGuardLegacy instanceof StringOps::StartsWith {
+  class DoubleDashSanitizer extends BarrierGuard instanceof StringOps::StartsWith {
     DoubleDashSanitizer() { super.getSubstring().mayHaveStringValue("--") }
 
     override predicate blocksExpr(boolean outcome, Expr e) {

javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll

@@ -41,14 +41,25 @@ module TaintedPath {
      * Holds if this node acts as a barrier for `label`, blocking further flow from `e` if `this` evaluates to `outcome`.
      */
     predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) { none() }
+
+    /** DEPRECATED. Use `blocksExpr` instead. */
+    deprecated predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+
+    /** DEPRECATED. Use `blocksExpr` instead. */
+    deprecated predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      this.blocksExpr(outcome, e, label)
+    }
   }
 
   /** A subclass of `BarrierGuard` that is used for backward compatibility with the old data flow library. */
-  abstract class BarrierGuardLegacy extends BarrierGuard, DataFlow::BarrierGuardNode {
-    override predicate blocks(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+  deprecated final private class BarrierGuardLegacy extends TaintTracking::SanitizerGuardNode instanceof BarrierGuard
+  {
+    override predicate sanitizes(boolean outcome, Expr e) {
+      BarrierGuard.super.sanitizes(outcome, e)
+    }
 
-    override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
-      this.blocksExpr(outcome, e, label)
+    override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      BarrierGuard.super.sanitizes(outcome, e, label)
     }
   }
 
@@ -366,7 +377,7 @@ module TaintedPath {
    *
    * This is relevant for paths that are known to be normalized.
    */
-  class StartsWithDotDotSanitizer extends BarrierGuardLegacy instanceof StringOps::StartsWith {
+  class StartsWithDotDotSanitizer extends BarrierGuard instanceof StringOps::StartsWith {
     StartsWithDotDotSanitizer() { isDotDotSlashPrefix(super.getSubstring()) }
 
     override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
@@ -386,7 +397,7 @@ module TaintedPath {
   /**
    * A check of the form `whitelist.includes(x)` or equivalent, which sanitizes `x` in its "then" branch.
    */
-  class MembershipTestBarrierGuard extends BarrierGuardLegacy {
+  class MembershipTestBarrierGuard extends BarrierGuard {
     MembershipCandidate candidate;
 
     MembershipTestBarrierGuard() { this = candidate.getTest() }
@@ -401,7 +412,7 @@ module TaintedPath {
    * A check of form `x.startsWith(dir)` that sanitizes normalized absolute paths, since it is then
    * known to be in a subdirectory of `dir`.
    */
-  class StartsWithDirSanitizer extends BarrierGuardLegacy {
+  class StartsWithDirSanitizer extends BarrierGuard {
     StringOps::StartsWith startsWith;
 
     StartsWithDirSanitizer() {
@@ -425,7 +436,7 @@ module TaintedPath {
    * A call to `path.isAbsolute` as a sanitizer for relative paths in true branch,
    * and a sanitizer for absolute paths in the false branch.
    */
-  class IsAbsoluteSanitizer extends BarrierGuardLegacy {
+  class IsAbsoluteSanitizer extends BarrierGuard {
     DataFlow::Node operand;
     boolean polarity;
     boolean negatable;
@@ -461,7 +472,7 @@ module TaintedPath {
   /**
    * An expression of form `x.includes("..")` or similar.
    */
-  class ContainsDotDotSanitizer extends BarrierGuardLegacy instanceof StringOps::Includes {
+  class ContainsDotDotSanitizer extends BarrierGuard instanceof StringOps::Includes {
     ContainsDotDotSanitizer() { isDotDotSlashPrefix(super.getSubstring()) }
 
     override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
@@ -474,7 +485,7 @@ module TaintedPath {
   /**
    * An expression of form `x.matches(/\.\./)` or similar.
    */
-  class ContainsDotDotRegExpSanitizer extends BarrierGuardLegacy instanceof StringOps::RegExpTest {
+  class ContainsDotDotRegExpSanitizer extends BarrierGuard instanceof StringOps::RegExpTest {
     ContainsDotDotRegExpSanitizer() { super.getRegExp().getAMatchedString() = [".", "..", "../"] }
 
     override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
@@ -505,7 +516,7 @@ module TaintedPath {
    * }
    * ```
    */
-  class RelativePathStartsWithSanitizer extends BarrierGuardLegacy {
+  class RelativePathStartsWithSanitizer extends BarrierGuard {
     StringOps::StartsWith startsWith;
     DataFlow::CallNode pathCall;
     string member;
@@ -563,7 +574,7 @@ module TaintedPath {
    * An expression of form `isInside(x, y)` or similar, where `isInside` is
    * a library check for the relation between `x` and `y`.
    */
-  class IsInsideCheckSanitizer extends BarrierGuardLegacy {
+  class IsInsideCheckSanitizer extends BarrierGuard {
     DataFlow::Node checked;
     boolean onlyNormalizedAbsolutePaths;