JS: Migrate LoopBoundInjection

asgerf · asgerf · commit 8e8de5cf23d3 · 2024-12-13T10:08:11.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionCustomizations.qll
@@ -8,6 +8,7 @@ import javascript
 
 module LoopBoundInjection {
   import semmle.javascript.security.TaintedObject
+  import semmle.javascript.security.CommonFlowState
 
   /**
    * Holds if an exception will be thrown whenever `e` evaluates to `undefined` or `null`.
@@ -176,16 +177,16 @@ module LoopBoundInjection {
     predicate blocksExpr(boolean outcome, Expr e) { none() }
 
     /**
-     * Holds if this node acts as a barrier for `label`, blocking further flow from `e` if `this` evaluates to `outcome`.
+     * Holds if this node acts as a barrier for `state`, blocking further flow from `e` if `this` evaluates to `outcome`.
      */
-    predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) { none() }
+    predicate blocksExpr(boolean outcome, Expr e, FlowState state) { none() }
 
     /** DEPRECATED. Use `blocksExpr` instead. */
     deprecated predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
 
     /** DEPRECATED. Use `blocksExpr` instead. */
     deprecated predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
-      this.blocksExpr(outcome, e, label)
+      this.blocksExpr(outcome, e, FlowState::fromFlowLabel(label))
     }
   }
 
@@ -214,10 +215,10 @@ module LoopBoundInjection {
 
     IsArraySanitizerGuard() { astNode.getCalleeName() = "isArray" }
 
-    override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+    override predicate blocksExpr(boolean outcome, Expr e, FlowState state) {
       true = outcome and
       e = astNode.getAnArgument() and
-      label = TaintedObject::label()
+      state.isTaintedObject()
     }
   }
 
@@ -232,10 +233,10 @@ module LoopBoundInjection {
       DataFlow::globalVarRef("Array").flowsToExpr(astNode.getRightOperand())
     }
 
-    override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+    override predicate blocksExpr(boolean outcome, Expr e, FlowState state) {
       true = outcome and
       e = astNode.getLeftOperand() and
-      label = TaintedObject::label()
+      state.isTaintedObject()
     }
   }
 
@@ -253,10 +254,10 @@ module LoopBoundInjection {
       propRead.getPropertyName() = "length"
     }
 
-    override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+    override predicate blocksExpr(boolean outcome, Expr e, FlowState state) {
       false = outcome and
       e = propRead.getBase().asExpr() and
-      label = TaintedObject::label()
+      state.isTaintedObject()
     }
   }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/LoopBoundInjectionQuery.qll
@@ -14,29 +14,29 @@ import LoopBoundInjectionCustomizations::LoopBoundInjection
  * A taint tracking configuration for reasoning about looping on tainted objects with unbounded length.
  */
 module LoopBoundInjectionConfig implements DataFlow::StateConfigSig {
-  class FlowState = DataFlow::FlowLabel;
+  import semmle.javascript.security.CommonFlowState
 
-  predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-    source instanceof Source and label = TaintedObject::label()
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    source instanceof Source and state.isTaintedObject()
   }
 
-  predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-    sink instanceof Sink and label = TaintedObject::label()
+  predicate isSink(DataFlow::Node sink, FlowState state) {
+    sink instanceof Sink and state.isTaintedObject()
   }
 
   predicate isBarrier(DataFlow::Node node) {
     node = DataFlow::MakeBarrierGuard<BarrierGuard>::getABarrierNode()
   }
 
-  predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel label) {
-    node = DataFlow::MakeLabeledBarrierGuard<BarrierGuard>::getABarrierNode(label) or
-    node = TaintedObject::SanitizerGuard::getABarrierNode(label)
+  predicate isBarrier(DataFlow::Node node, FlowState state) {
+    node = DataFlow::MakeStateBarrierGuard<FlowState, BarrierGuard>::getABarrierNode(state) or
+    node = TaintedObject::SanitizerGuard::getABarrierNode(state)
   }
 
   predicate isAdditionalFlowStep(
-    DataFlow::Node src, DataFlow::FlowLabel inlbl, DataFlow::Node trg, DataFlow::FlowLabel outlbl
+    DataFlow::Node src, FlowState inlbl, DataFlow::Node trg, FlowState outlbl
   ) {
-    TaintedObject::step(src, trg, inlbl, outlbl)
+    TaintedObject::isAdditionalFlowStep(src, inlbl, trg, outlbl)
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import javascript`
`8`	`8`
`9`	`9`	`module LoopBoundInjection {`
`10`	`10`	`import semmle.javascript.security.TaintedObject`
	`11`	`+ import semmle.javascript.security.CommonFlowState`
`11`	`12`
`12`	`13`	`/**`
`13`	`14`	* Holds if an exception will be thrown whenever `e` evaluates to `undefined` or `null`.
`@@ -176,16 +177,16 @@ module LoopBoundInjection {`
`176`	`177`	`predicate blocksExpr(boolean outcome, Expr e) { none() }`
`177`	`178`
`178`	`179`	`/**`
`179`		- * Holds if this node acts as a barrier for `label`, blocking further flow from `e` if `this` evaluates to `outcome`.
	`180`	+ * Holds if this node acts as a barrier for `state`, blocking further flow from `e` if `this` evaluates to `outcome`.
`180`	`181`	`*/`
`181`		`- predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) { none() }`
	`182`	`+ predicate blocksExpr(boolean outcome, Expr e, FlowState state) { none() }`
`182`	`183`
`183`	`184`	/** DEPRECATED. Use `blocksExpr` instead. */
`184`	`185`	`deprecated predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }`
`185`	`186`
`186`	`187`	/** DEPRECATED. Use `blocksExpr` instead. */
`187`	`188`	`deprecated predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {`
`188`		`- this.blocksExpr(outcome, e, label)`
	`189`	`+ this.blocksExpr(outcome, e, FlowState::fromFlowLabel(label))`
`189`	`190`	`}`
`190`	`191`	`}`
`191`	`192`
`@@ -214,10 +215,10 @@ module LoopBoundInjection {`
`214`	`215`
`215`	`216`	`IsArraySanitizerGuard() { astNode.getCalleeName() = "isArray" }`
`216`	`217`
`217`		`- override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {`
	`218`	`+ override predicate blocksExpr(boolean outcome, Expr e, FlowState state) {`
`218`	`219`	`true = outcome and`
`219`	`220`	`e = astNode.getAnArgument() and`
`220`		`- label = TaintedObject::label()`
	`221`	`+ state.isTaintedObject()`
`221`	`222`	`}`
`222`	`223`	`}`
`223`	`224`
`@@ -232,10 +233,10 @@ module LoopBoundInjection {`
`232`	`233`	`DataFlow::globalVarRef("Array").flowsToExpr(astNode.getRightOperand())`
`233`	`234`	`}`
`234`	`235`
`235`		`- override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {`
	`236`	`+ override predicate blocksExpr(boolean outcome, Expr e, FlowState state) {`
`236`	`237`	`true = outcome and`
`237`	`238`	`e = astNode.getLeftOperand() and`
`238`		`- label = TaintedObject::label()`
	`239`	`+ state.isTaintedObject()`
`239`	`240`	`}`
`240`	`241`	`}`
`241`	`242`
`@@ -253,10 +254,10 @@ module LoopBoundInjection {`
`253`	`254`	`propRead.getPropertyName() = "length"`
`254`	`255`	`}`
`255`	`256`
`256`		`- override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) {`
	`257`	`+ override predicate blocksExpr(boolean outcome, Expr e, FlowState state) {`
`257`	`258`	`false = outcome and`
`258`	`259`	`e = propRead.getBase().asExpr() and`
`259`		`- label = TaintedObject::label()`
	`260`	`+ state.isTaintedObject()`
`260`	`261`	`}`
`261`	`262`	`}`
`262`	`263`	`}`
Original file line number	Diff line number	Diff line change
`@@ -14,29 +14,29 @@ import LoopBoundInjectionCustomizations::LoopBoundInjection`
`14`	`14`	`* A taint tracking configuration for reasoning about looping on tainted objects with unbounded length.`
`15`	`15`	`*/`
`16`	`16`	`module LoopBoundInjectionConfig implements DataFlow::StateConfigSig {`
`17`		`- class FlowState = DataFlow::FlowLabel;`
	`17`	`+ import semmle.javascript.security.CommonFlowState`
`18`	`18`
`19`		`- predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {`
`20`		`- source instanceof Source and label = TaintedObject::label()`
	`19`	`+ predicate isSource(DataFlow::Node source, FlowState state) {`
	`20`	`+ source instanceof Source and state.isTaintedObject()`
`21`	`21`	`}`
`22`	`22`
`23`		`- predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {`
`24`		`- sink instanceof Sink and label = TaintedObject::label()`
	`23`	`+ predicate isSink(DataFlow::Node sink, FlowState state) {`
	`24`	`+ sink instanceof Sink and state.isTaintedObject()`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`predicate isBarrier(DataFlow::Node node) {`
`28`	`28`	`node = DataFlow::MakeBarrierGuard<BarrierGuard>::getABarrierNode()`
`29`	`29`	`}`
`30`	`30`
`31`		`- predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel label) {`
`32`		`- node = DataFlow::MakeLabeledBarrierGuard<BarrierGuard>::getABarrierNode(label) or`
`33`		`- node = TaintedObject::SanitizerGuard::getABarrierNode(label)`
	`31`	`+ predicate isBarrier(DataFlow::Node node, FlowState state) {`
	`32`	`+ node = DataFlow::MakeStateBarrierGuard<FlowState, BarrierGuard>::getABarrierNode(state) or`
	`33`	`+ node = TaintedObject::SanitizerGuard::getABarrierNode(state)`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`predicate isAdditionalFlowStep(`
`37`		`- DataFlow::Node src, DataFlow::FlowLabel inlbl, DataFlow::Node trg, DataFlow::FlowLabel outlbl`
	`37`	`+ DataFlow::Node src, FlowState inlbl, DataFlow::Node trg, FlowState outlbl`
`38`	`38`	`) {`
`39`		`- TaintedObject::step(src, trg, inlbl, outlbl)`
	`39`	`+ TaintedObject::isAdditionalFlowStep(src, inlbl, trg, outlbl)`
`40`	`40`	`}`
`41`	`41`	`}`
`42`	`42`