Skip to content

Commit 86e96c6

Browse files
author
Max Schaefer
committed
JavaScript: Introduce is{Barrier,Sanitizer}Edge predicate.
This name is more intuitive than the previous binary `is{Barrier,Sanitizer}` predicates, and is consistent with the other languages.
1 parent 6468721 commit 86e96c6

File tree

9 files changed

+53
-15
lines changed

9 files changed

+53
-15
lines changed

change-notes/1.21/analysis-javascript.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -46,5 +46,6 @@
4646

4747
* `RegExpLiteral` is now a `DataFlow::SourceNode`.
4848
* `JSDocTypeExpr` now has source locations and is a subclass of `Locatable` and `TypeAnnotation`.
49+
* The two-parameter versions of predicate `isBarrier` in `DataFlow::Configuration` and of predicate `isSanitizer` in `TaintTracking::Configuration` have been renamed to `isBarrierEdge` and `isSanitizerEdge`, respectively. The old names are maintained for backwards-compatibility in this version, but will be deprecated in the next version and subsequently removed.
4950
* Various predicates named `getTypeAnnotation()` now return `TypeAnnotation` instead of `TypeExpr`.
5051
In rare cases, this may cause compilation errors. Cast the result to `TypeExpr` if this happens.

javascript/ql/src/semmle/javascript/dataflow/Configuration.qll

Lines changed: 20 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -154,15 +154,29 @@ abstract class Configuration extends string {
154154
}
155155

156156
/**
157+
* DEPRECATED: Use `isBarrierEdge` instead.
158+
*
157159
* Holds if flow from `src` to `trg` is prohibited.
158160
*/
159161
predicate isBarrier(DataFlow::Node src, DataFlow::Node trg) { none() }
160162

161163
/**
164+
* DEPRECATED: Use `isBarrierEdge` instead.
165+
*
162166
* Holds if flow with label `lbl` cannot flow from `src` to `trg`.
163167
*/
164168
predicate isBarrier(DataFlow::Node src, DataFlow::Node trg, FlowLabel lbl) { none() }
165169

170+
/**
171+
* Holds if flow from `pred` to `succ` is prohibited.
172+
*/
173+
predicate isBarrierEdge(DataFlow::Node pred, DataFlow::Node succ) { none() }
174+
175+
/**
176+
* Holds if flow with label `lbl` cannot flow from `pred` to `succ`.
177+
*/
178+
predicate isBarrierEdge(DataFlow::Node pred, DataFlow::Node succ, FlowLabel lbl) { none() }
179+
166180
/**
167181
* Holds if flow with label `lbl` cannot flow into `node`.
168182
*/
@@ -440,6 +454,7 @@ private predicate basicFlowStep(
440454
exists(FlowLabel predlbl, FlowLabel succlbl |
441455
localFlowStep(pred, succ, cfg, predlbl, succlbl) and
442456
not cfg.isBarrier(pred, succ, predlbl) and
457+
not cfg.isBarrierEdge(pred, succ, predlbl) and
443458
summary = MkPathSummary(false, false, predlbl, succlbl)
444459
)
445460
or
@@ -553,7 +568,8 @@ private predicate callInputStep(
553568
)
554569
) and
555570
not cfg.isBarrier(succ) and
556-
not cfg.isBarrier(pred, succ)
571+
not cfg.isBarrier(pred, succ) and
572+
not cfg.isBarrierEdge(pred, succ)
557573
}
558574

559575
/**
@@ -608,6 +624,7 @@ private predicate flowThroughCall(
608624
calls(output, f) and // Do not consider partial calls
609625
reachableFromInput(f, output, input, ret, cfg, summary) and
610626
not cfg.isBarrier(ret, output) and
627+
not cfg.isBarrierEdge(ret, output) and
611628
not cfg.isLabeledBarrier(output, summary.getEndLabel())
612629
)
613630
or
@@ -617,6 +634,7 @@ private predicate flowThroughCall(
617634
calls(invk, f) and
618635
reachableFromInput(f, invk, input, ret, cfg, summary) and
619636
not cfg.isBarrier(ret, output) and
637+
not cfg.isBarrierEdge(ret, output) and
620638
not cfg.isLabeledBarrier(output, summary.getEndLabel())
621639
)
622640
}
@@ -803,6 +821,7 @@ private predicate flowStep(
803821
) and
804822
not cfg.isBarrier(succ) and
805823
not cfg.isBarrier(pred, succ) and
824+
not cfg.isBarrierEdge(pred, succ) and
806825
not cfg.isLabeledBarrier(succ, summary.getEndLabel())
807826
}
808827

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll

Lines changed: 26 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -51,14 +51,30 @@ module TaintTracking {
5151
/** Holds if the intermediate node `node` is a taint sanitizer. */
5252
predicate isSanitizer(DataFlow::Node node) { none() }
5353

54-
/** Holds if the edge from `source` to `sink` is a taint sanitizer. */
54+
/**
55+
* DEPRECATED: Use `isSanitizerEdge` instead.
56+
*
57+
* Holds if the edge from `source` to `sink` is a taint sanitizer.
58+
*/
5559
predicate isSanitizer(DataFlow::Node source, DataFlow::Node sink) { none() }
5660

57-
/** Holds if the edge from `source` to `sink` is a taint sanitizer for data labelled with `lbl`. */
61+
/**
62+
* DEPRECATED: Use `isSanitizerEdge` instead.
63+
*
64+
* Holds if the edge from `source` to `sink` is a taint sanitizer for data labelled with `lbl`.
65+
*/
5866
predicate isSanitizer(DataFlow::Node source, DataFlow::Node sink, DataFlow::FlowLabel lbl) {
5967
none()
6068
}
6169

70+
/** Holds if the edge from `pred` to `succ` is a taint sanitizer. */
71+
predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) { none() }
72+
73+
/** Holds if the edge from `pred` to `succ` is a taint sanitizer for data labelled with `lbl`. */
74+
predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel lbl) {
75+
none()
76+
}
77+
6278
/**
6379
* Holds if data flow node `guard` can act as a sanitizer when appearing
6480
* in a condition.
@@ -74,16 +90,18 @@ module TaintTracking {
7490
isSanitizer(node)
7591
}
7692

77-
final override predicate isBarrier(DataFlow::Node source, DataFlow::Node sink) {
78-
super.isBarrier(source, sink) or
79-
isSanitizer(source, sink)
93+
final override predicate isBarrierEdge(DataFlow::Node source, DataFlow::Node sink) {
94+
super.isBarrierEdge(source, sink) or
95+
isSanitizer(source, sink) or
96+
isSanitizerEdge(source, sink)
8097
}
8198

82-
final override predicate isBarrier(
99+
final override predicate isBarrierEdge(
83100
DataFlow::Node source, DataFlow::Node sink, DataFlow::FlowLabel lbl
84101
) {
85-
super.isBarrier(source, sink, lbl) or
86-
isSanitizer(source, sink, lbl)
102+
super.isBarrierEdge(source, sink, lbl) or
103+
isSanitizer(source, sink, lbl) or
104+
isSanitizerEdge(source, sink, lbl)
87105
}
88106

89107
final override predicate isBarrierGuard(DataFlow::BarrierGuardNode guard) {

javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirect.qll

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,7 @@ module ClientSideUrlRedirect {
5151
node instanceof Sanitizer
5252
}
5353

54-
override predicate isSanitizer(DataFlow::Node source, DataFlow::Node sink) {
54+
override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {
5555
hostnameSanitizingPrefixEdge(source, sink)
5656
}
5757

javascript/ql/src/semmle/javascript/security/dataflow/InsecureRandomness.qll

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,7 @@ module InsecureRandomness {
3636
node instanceof Sanitizer
3737
}
3838

39-
override predicate isSanitizer(DataFlow::Node pred, DataFlow::Node succ) {
39+
override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
4040
// stop propagation at the sinks to avoid double reporting
4141
pred instanceof Sink and
4242
// constrain succ

javascript/ql/src/semmle/javascript/security/dataflow/RequestForgery.qll

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -46,7 +46,7 @@ module RequestForgery {
4646
node instanceof Sanitizer
4747
}
4848

49-
override predicate isSanitizer(DataFlow::Node source, DataFlow::Node sink) {
49+
override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {
5050
sanitizingPrefixEdge(source, sink)
5151
}
5252
}

javascript/ql/src/semmle/javascript/security/dataflow/ServerSideUrlRedirect.qll

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -38,7 +38,7 @@ module ServerSideUrlRedirect {
3838
node instanceof Sanitizer
3939
}
4040

41-
override predicate isSanitizer(DataFlow::Node source, DataFlow::Node sink) {
41+
override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {
4242
hostnameSanitizingPrefixEdge(source, sink)
4343
}
4444

javascript/ql/test/library-tests/InterProceduralFlow/DataFlowConfig.qll

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ class TestDataFlowConfiguration extends DataFlow::Configuration {
1717
)
1818
}
1919

20-
override predicate isBarrier(DataFlow::Node src, DataFlow::Node snk) {
20+
override predicate isBarrierEdge(DataFlow::Node src, DataFlow::Node snk) {
2121
src = src and
2222
snk.asExpr().(PropAccess).getPropertyName() = "notTracked"
2323
or

javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.ql

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ class TestTaintTrackingConfiguration extends TaintTracking::Configuration {
1717
)
1818
}
1919

20-
override predicate isSanitizer(DataFlow::Node src, DataFlow::Node snk) {
20+
override predicate isSanitizerEdge(DataFlow::Node src, DataFlow::Node snk) {
2121
src = src and
2222
snk.asExpr().(PropAccess).getPropertyName() = "notTracked"
2323
or

0 commit comments

Comments
 (0)