
Commit 52061b3

author
Esben Sparre Andreasen
committed
JS: address review comments: improve regex, limit sanitizer usage
1 parent 42fc28b commit 52061b3


3 files changed

+14
-6
lines changed


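--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -629,10 +629,12 @@ module TaintTracking {
 * A check of the form `if(<isWhitelisted>(x))`, which sanitizes `x` in its "then" branch.
 *
 * `<isWhitelisted>` is a call with callee name 'safe', 'whitelist', 'allow', or similar.
+*
+* This sanitizer is not enabled by default.
 */
-private class AdHocWhitelistCheckSanitizer extends AdditionalSanitizerGuardNode, DataFlow::CallNode {
+class AdHocWhitelistCheckSanitizer extends SanitizerGuardNode, DataFlow::CallNode {
 AdHocWhitelistCheckSanitizer() {
-getCalleeName().regexpMatch("(?i).*(safe|whitelist|allow|auth).*") and
+getCalleeName().regexpMatch("(?i).*((?<!un)safe|whitelist|allow|(?<!un)auth(?!or\\b)).*") and
 getNumArgument() = 1
 }
 
@@ -641,10 +643,6 @@ module TaintTracking {
 e = getArgument(0).asExpr()
 }
 
-override predicate appliesTo(Configuration cfg) {
-any()
-}
-
 }
 
 /** A check of the form `if(x in o)`, which sanitizes `x` in its "then" branch. */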
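Review bot: The tightened regex on new line 637 still treats negated checks as sanitizers: `disallow(x)`, `isNotSafe(x)` and `notAllowed(x)` all match (`allow`/`safe` is a substring), so an `if (disallow(x))` would sanitize `x` in the branch where it is known to be bad, inverting the intent of the guard. The `(?<!un)` lookbehind only covers the `un` prefix; at minimum extend it to the negations that are cheap to spell, e.g. `"(?i).*((?<!un|not)safe|whitelist|(?<!dis|not)allow|(?<!un)auth(?!or\\b)).*"`, and state in the class doc that this is a name-based heuristic that can suppress true positives. The `sanitizes` predicate in the second hunk starts outside the hunk, so which branch outcome it binds cannot be checked here.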

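--- a/javascript/ql/src/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentials.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentials.qll
@@ -49,6 +49,11 @@ module CorsMisconfigurationForCredentials {
 super.isSanitizer(node) or
 node instanceof Sanitizer
 }
+
+override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer
+}
+
 }
 
 /** A source of remote user input, considered as a flow source for CORS misconfiguration. */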
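Review bot: The new `isSanitizerGuard` override (new lines 53-55) does not call `super.isSanitizerGuard(guard)`, unlike the `isSanitizer` override directly above it which starts with `super.isSanitizer(node) or`; if the base configuration contributes any guards they are silently dropped here, so for consistency write `super.isSanitizerGuard(guard) or guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer`. Worth a comment as well, because for this query the name-based heuristic is a deliberate precision/recall trade: an `if (isAllowedOrigin(origin))` check is trusted purely by its name, and a flawed origin comparison inside that function (a common shape of CORS bugs) will no longer be reported. Suggested: `// Opt-in name-based heuristic: a check named like isAllowed*/whitelist* is trusted by name; a broken origin check inside it is not flagged.` The enclosing configuration class starts outside the hunk.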

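--- a/javascript/ql/test/library-tests/TaintBarriers/ExampleConfiguration.qll
+++ b/javascript/ql/test/library-tests/TaintBarriers/ExampleConfiguration.qll
@@ -23,4 +23,9 @@ class ExampleConfiguration extends TaintTracking::Configuration {
 )
 }
 
+override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+// add additional generic sanitizers
+guard instanceof TaintTracking::AdHocWhitelistCheckSanitizer
+}
+
 }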
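Review bot: The comment on new line 27 says "add additional generic sanitizers" but the predicate is `isSanitizerGuard` and enables exactly one opt-in guard, so it misdescribes what the override does; `// enable the opt-in name-based whitelist-check guard` would match the code. Since this commit changes the regex to exclude `unsafe`, `unauth` and `author`, the barrier test inputs this configuration drives should include a negative case for each of those names (and ideally `disallow`) so the exclusions are pinned; those inputs are not part of this commit, so I cannot tell whether they already exist. The class header is outside the hunk.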
