JS: add ad hoc whitelist checks as sanitizers

Esben Sparre Andreasen · Esben Sparre Andreasen · commit 42fc28bc557e · 2018-09-24T11:17:35.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -625,6 +625,28 @@ module TaintTracking {
 
   }
 
+  /**
+   * A check of the form `if(<isWhitelisted>(x))`, which sanitizes `x` in its "then" branch.
+   *
+   * `<isWhitelisted>` is a call with callee name 'safe', 'whitelist', 'allow', or similar.
+   */
+  private class AdHocWhitelistCheckSanitizer extends AdditionalSanitizerGuardNode, DataFlow::CallNode {
+    AdHocWhitelistCheckSanitizer() {
+      getCalleeName().regexpMatch("(?i).*(safe|whitelist|allow|auth).*") and
+      getNumArgument() = 1
+    }
+
+    override predicate sanitizes(boolean outcome, Expr e) {
+      outcome = true and
+      e = getArgument(0).asExpr()
+    }
+
+    override predicate appliesTo(Configuration cfg) {
+      any()
+    }
+
+  }
+
   /** A check of the form `if(x in o)`, which sanitizes `x` in its "then" branch. */
   class InSanitizer extends AdditionalSanitizerGuardNode, DataFlow::ValueNode {
 
diff --git a/javascript/ql/test/library-tests/TaintBarriers/SanitizingGuard.expected b/javascript/ql/test/library-tests/TaintBarriers/SanitizingGuard.expected
@@ -36,3 +36,5 @@
 | tst.js:214:9:214:24 | o.indexOf(v) < 0 | ExampleConfiguration | false | tst.js:214:19:214:19 | v |
 | tst.js:220:9:220:25 | o.indexOf(v) > -1 | ExampleConfiguration | true | tst.js:220:19:220:19 | v |
 | tst.js:226:9:226:26 | -1 >= o.indexOf(v) | ExampleConfiguration | false | tst.js:226:25:226:25 | v |
+| tst.js:236:9:236:24 | isWhitelisted(v) | ExampleConfiguration | true | tst.js:236:23:236:23 | v |
+| tst.js:240:9:240:28 | config.allowValue(v) | ExampleConfiguration | true | tst.js:240:27:240:27 | v |
diff --git a/javascript/ql/test/library-tests/TaintBarriers/TaintedSink.expected b/javascript/ql/test/library-tests/TaintBarriers/TaintedSink.expected
@@ -34,3 +34,5 @@
 | tst.js:215:14:215:14 | v | tst.js:199:13:199:20 | SOURCE() |
 | tst.js:223:14:223:14 | v | tst.js:199:13:199:20 | SOURCE() |
 | tst.js:227:14:227:14 | v | tst.js:199:13:199:20 | SOURCE() |
+| tst.js:239:14:239:14 | v | tst.js:235:13:235:20 | SOURCE() |
+| tst.js:243:14:243:14 | v | tst.js:235:13:235:20 | SOURCE() |
diff --git a/javascript/ql/test/library-tests/TaintBarriers/isBarrier.expected b/javascript/ql/test/library-tests/TaintBarriers/isBarrier.expected
@@ -29,3 +29,5 @@
 | tst.js:217:14:217:14 | v | ExampleConfiguration |
 | tst.js:221:14:221:14 | v | ExampleConfiguration |
 | tst.js:229:14:229:14 | v | ExampleConfiguration |
+| tst.js:237:14:237:14 | v | ExampleConfiguration |
+| tst.js:241:14:241:14 | v | ExampleConfiguration |
diff --git a/javascript/ql/test/library-tests/TaintBarriers/tst.js b/javascript/ql/test/library-tests/TaintBarriers/tst.js
@@ -230,3 +230,16 @@ function RelationalIndexOfCheckSanitizer () {
     }
 
 }
+
+function adhocWhitelisting() {
+    var v = SOURCE();
+    if (isWhitelisted(v))
+        SINK(v);
+    else
+        SINK(v);
+    if (config.allowValue(v))
+        SINK(v);
+    else
+        SINK(v);
+
+}
