
Commit d9a43db

committed
JS: Migrate UnsafeHtmlConstruction
1 parent 8907252 commit d9a43db


2 files changed

+18
-17
lines changed


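--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionCustomizations.qll
@@ -13,6 +13,7 @@ module UnsafeHtmlConstruction {
 private import semmle.javascript.security.dataflow.DomBasedXssCustomizations::DomBasedXss as DomBasedXss
 private import semmle.javascript.security.dataflow.UnsafeJQueryPluginCustomizations::UnsafeJQueryPlugin as UnsafeJQueryPlugin
 private import semmle.javascript.PackageExports as Exports
+import semmle.javascript.security.CommonFlowState
 
 /**
 * A source for unsafe HTML constructed from library input.
@@ -71,16 +72,16 @@ module UnsafeHtmlConstruction {
 predicate blocksExpr(boolean outcome, Expr e) { none() }
 
 /**
-* Holds if this node acts as a barrier for `label`, blocking further flow from `e` if `this` evaluates to `outcome`.
+* Holds if this node acts as a barrier for `state`, blocking further flow from `e` if `this` evaluates to `outcome`.
 */
-predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel label) { none() }
+predicate blocksExpr(boolean outcome, Expr e, FlowState state) { none() }
 
 /** DEPRECATED. Use `blocksExpr` instead. */
 deprecated predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
 
 /** DEPRECATED. Use `blocksExpr` instead. */
 deprecated predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
-this.blocksExpr(outcome, e, label)
+this.blocksExpr(outcome, e, FlowState::fromFlowLabel(label))
 }
 }
 
@@ -218,10 +219,10 @@ module UnsafeHtmlConstruction {
 
 TypeTestGuard() { TaintTracking::isStringTypeGuard(astNode, operand, polarity) }
 
-override predicate blocksExpr(boolean outcome, Expr e, DataFlow::FlowLabel lbl) {
+override predicate blocksExpr(boolean outcome, Expr e, FlowState state) {
 polarity = outcome and
 e = operand and
-lbl.isTaint()
+state.isTaint()
 }
 }
 }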
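Review bot: The new `import semmle.javascript.security.CommonFlowState` in the first hunk is the only import in that group without the `private` modifier, so it re-exports the CommonFlowState names through the public interface of module `UnsafeHtmlConstruction`, unlike the three `private import` lines directly above it. If exposing `FlowState` to users of this module is the intent, a one-line comment such as `// Exported on purpose: query modules refer to UnsafeHtmlConstruction::FlowState` would keep a later cleanup from making it private; if it is not, `private import semmle.javascript.security.CommonFlowState` matches the adjacent lines. The deprecated `sanitizes` overload now bridges via `FlowState::fromFlowLabel(label)`, which is the right shape for keeping old overriders working, but the hunk gives no hint of what happens for a label the mapping does not cover, so a short note on that predicate's doc comment would help.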

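--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
@@ -16,16 +16,16 @@ deprecated class Configration = Configuration;
 * A taint-tracking configuration for reasoning about unsafe HTML constructed from library input vulnerabilities.
 */
 module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
-class FlowState = DataFlow::FlowLabel;
+import semmle.javascript.security.CommonFlowState
 
-predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
+predicate isSource(DataFlow::Node source, FlowState state) {
 source instanceof Source and
-label = [TaintedObject::label(), DataFlow::FlowLabel::taint(), DataFlow::FlowLabel::data()]
+state = [FlowState::taintedObject(), FlowState::taint()]
 }
 
-predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
+predicate isSink(DataFlow::Node sink, FlowState state) {
 sink instanceof Sink and
-label = DataFlow::FlowLabel::taint()
+state = FlowState::taint()
 }
 
 predicate isBarrier(DataFlow::Node node) {
@@ -38,27 +38,27 @@ module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
 node = Shared::BarrierGuard::getABarrierNode()
 }
 
-predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel label) {
-TaintTracking::defaultSanitizer(node) and label.isTaint()
+predicate isBarrier(DataFlow::Node node, FlowState state) {
+TaintTracking::defaultSanitizer(node) and state.isTaint()
 or
-node = DataFlow::MakeLabeledBarrierGuard<BarrierGuard>::getABarrierNode(label)
+node = DataFlow::MakeStateBarrierGuard<FlowState, BarrierGuard>::getABarrierNode(state)
 }
 
 predicate isAdditionalFlowStep(
-DataFlow::Node pred, DataFlow::FlowLabel inlbl, DataFlow::Node succ, DataFlow::FlowLabel outlbl
+DataFlow::Node pred, FlowState inlbl, DataFlow::Node succ, FlowState outlbl
 ) {
 // TODO: localFieldStep is too expensive with dataflow2
 // DataFlow::localFieldStep(pred, succ) and
 // inlbl.isTaint() and
 // outlbl.isTaint()
 none()
 or
-TaintedObject::step(pred, succ, inlbl, outlbl)
+TaintedObject::isAdditionalFlowStep(pred, inlbl, succ, outlbl)
 or
 // property read from a tainted object is considered tainted
 succ.(DataFlow::PropRead).getBase() = pred and
-inlbl = TaintedObject::label() and
-outlbl = DataFlow::FlowLabel::taint()
+inlbl.isTaintedObject() and
+outlbl.isTaint()
 or
 TaintTracking::defaultTaintStep(pred, succ) and
 inlbl.isTaint() and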
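Review bot: In the first hunk of this file, the migrated `isSource` narrows the set of source states: the removed line admitted `DataFlow::FlowLabel::data()` alongside the tainted-object and taint labels, while `state = [FlowState::taintedObject(), FlowState::taint()]` has no counterpart for `data`. If nothing in this configuration turns a data-labelled source into the taint state that `isSink` requires, dropping it changes no results, but that is not evident from the hunk and the commit title says only "Migrate", so the decision should be recorded, for example `// The legacy data() label is dropped deliberately: it had no path to the taint-only sink` above `isSource`, or the `data` state restored if that premise does not hold. Separately, the parameters of `isAdditionalFlowStep` in the second hunk are still called `inlbl`/`outlbl` although their type is now `FlowState`; `inState`/`outState` would match the `state` naming used in the other predicates of this module, and the commented-out `localFieldStep` lines would need the same rename.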
