JS: address review comments: improve regex, limit sanitizer usage

Author: Esben Sparre Andreasen

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll

@@ -629,10 +629,12 @@ module TaintTracking {
    * A check of the form `if(<isWhitelisted>(x))`, which sanitizes `x` in its "then" branch.
    *
    * `<isWhitelisted>` is a call with callee name 'safe', 'whitelist', 'allow', or similar.
+   *
+   * This sanitizer is not enabled by default.
    */
-  private class AdHocWhitelistCheckSanitizer extends AdditionalSanitizerGuardNode, DataFlow::CallNode {
+  class AdHocWhitelistCheckSanitizer extends SanitizerGuardNode, DataFlow::CallNode {
     AdHocWhitelistCheckSanitizer() {
-      getCalleeName().regexpMatch("(?i).*(safe|whitelist|allow|auth).*") and
+      getCalleeName().regexpMatch("(?i).*((?<!un)safe|whitelist|allow|(?<!un)auth(?!or\\b)).*") and
       getNumArgument() = 1
     }
 
@@ -641,10 +643,6 @@ module TaintTracking {
       e = getArgument(0).asExpr()
     }
 
-    override predicate appliesTo(Configuration cfg) {
-      any()
-    }
-
   }
 
   /** A check of the form `if(x in o)`, which sanitizes `x` in its "then" branch. */

javascript/ql/src/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentials.qll

@@ -49,6 +49,11 @@ module CorsMisconfigurationForCredentials {
       super.isSanitizer(node) or
       node instanceof Sanitizer
     }
+
+    override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+      guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer
+    }
+
   }
 
   /** A source of remote user input, considered as a flow source for CORS misconfiguration. */

javascript/ql/test/library-tests/TaintBarriers/ExampleConfiguration.qll

@@ -23,4 +23,9 @@ class ExampleConfiguration extends TaintTracking::Configuration {
     )
   }
 
+  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+    // add additional generic sanitizers
+    guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer
+  }
+
 }