JS: Add DataFlow::Configuration test

asger-semmle · asger-semmle · commit 9989fcee2170 · 2019-05-20T09:22:02.000+01:00
diff --git a/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected b/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.expected
@@ -0,0 +1,33 @@
+| access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
+| advanced-callgraph.js:2:13:2:20 | source() | advanced-callgraph.js:6:22:6:22 | v |
+| callbacks.js:4:6:4:13 | source() | callbacks.js:34:27:34:27 | x |
+| callbacks.js:4:6:4:13 | source() | callbacks.js:35:27:35:27 | x |
+| callbacks.js:5:6:5:13 | source() | callbacks.js:34:27:34:27 | x |
+| callbacks.js:5:6:5:13 | source() | callbacks.js:35:27:35:27 | x |
+| callbacks.js:25:16:25:23 | source() | callbacks.js:47:26:47:26 | x |
+| callbacks.js:25:16:25:23 | source() | callbacks.js:48:26:48:26 | x |
+| callbacks.js:37:17:37:24 | source() | callbacks.js:37:37:37:37 | x |
+| callbacks.js:44:17:44:24 | source() | callbacks.js:41:10:41:10 | x |
+| callbacks.js:50:18:50:25 | source() | callbacks.js:30:29:30:29 | y |
+| callbacks.js:51:18:51:25 | source() | callbacks.js:30:29:30:29 | y |
+| captured-sanitizer.js:25:3:25:10 | source() | captured-sanitizer.js:15:10:15:10 | x |
+| constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:18:8:18:14 | c.taint |
+| constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:22:8:22:19 | c_safe.taint |
+| constructor-calls.js:10:16:10:23 | source() | constructor-calls.js:26:8:26:14 | d.taint |
+| constructor-calls.js:10:16:10:23 | source() | constructor-calls.js:30:8:30:19 | d_safe.taint |
+| constructor-calls.js:14:15:14:22 | source() | constructor-calls.js:17:8:17:14 | c.param |
+| constructor-calls.js:14:15:14:22 | source() | constructor-calls.js:25:8:25:14 | d.param |
+| indexOf.js:4:11:4:18 | source() | indexOf.js:9:10:9:10 | x |
+| indexOf.js:4:11:4:18 | source() | indexOf.js:13:10:13:10 | x |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:17:14:17:14 | x |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:20:14:20:14 | y |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:30:14:30:20 | x.value |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:41:10:41:18 | id(taint) |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:51:14:51:14 | x |
+| sanitizer-guards.js:2:11:2:18 | source() | sanitizer-guards.js:4:8:4:8 | x |
+| sanitizer-guards.js:13:14:13:21 | source() | sanitizer-guards.js:15:10:15:15 | this.x |
+| sanitizer-guards.js:13:14:13:21 | source() | sanitizer-guards.js:21:14:21:19 | this.x |
+| sanitizer-guards.js:13:14:13:21 | source() | sanitizer-guards.js:26:9:26:14 | this.x |
+| thisAssignments.js:4:17:4:24 | source() | thisAssignments.js:5:10:5:18 | obj.field |
+| thisAssignments.js:7:19:7:26 | source() | thisAssignments.js:8:10:8:20 | this.field2 |
+| tst.js:2:13:2:20 | source() | tst.js:4:10:4:10 | x |
diff --git a/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.ql b/javascript/ql/test/library-tests/TaintTracking/DataFlowTracking.ql
@@ -0,0 +1,27 @@
+import javascript
+
+DataFlow::CallNode getACall(string name) { result.getCalleeName() = name }
+
+class BasicConfig extends DataFlow::Configuration {
+  BasicConfig() { this = "BasicConfig" }
+
+  override predicate isSource(DataFlow::Node node) { node = getACall("source") }
+
+  override predicate isSink(DataFlow::Node node) { node = getACall("sink").getAnArgument() }
+
+  override predicate isBarrierGuard(DataFlow::BarrierGuardNode node) {
+    node instanceof BasicBarrierGuard
+  }
+}
+
+class BasicBarrierGuard extends DataFlow::BarrierGuardNode, DataFlow::CallNode {
+  BasicBarrierGuard() { this = getACall("isSafe") }
+
+  override predicate blocks(boolean outcome, Expr e) {
+    outcome = true and e = getArgument(0).asExpr()
+  }
+}
+
+from BasicConfig cfg, DataFlow::Node src, DataFlow::Node sink
+where cfg.hasFlow(src, sink)
+select src, sink
