add an additional barrier guard that finds "=== true" versions of previous barrier guards

erik-krogh · erik-krogh · commit 9549cac3e549 · 2023-02-14T14:15:23.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/lib/semmle/javascript/dataflow/Configuration.qll
@@ -368,6 +368,8 @@ private predicate barrierGuardBlocksExpr(
   // Handle labelled barrier guard functions specially, to avoid negative recursion
   // through the non-abstract 3-argument version of blocks().
   guard.(AdditionalBarrierGuardCall).internalBlocksLabel(outcome, test, label)
+  or
+  guard.(CallAgainstEqualityCheck).internalBlocksLabel(outcome, test, label)
 }
 
 /**
@@ -1999,6 +2001,42 @@ private class AdditionalBarrierGuardCall extends AdditionalBarrierGuardNode, Dat
   override predicate appliesTo(Configuration cfg) { f.appliesTo(cfg) }
 }
 
+/**
+ * A sanitizer where an inner sanitizer is compared against a boolean.
+ * E.g. (assuming `sanitizes(e)` is an existing sanitizer):
+ * ```javascript
+ * if (sanitizes(e) === true) {
+ *  // e is sanitized
+ * }
+ * ```
+ */
+private class CallAgainstEqualityCheck extends AdditionalBarrierGuardNode {
+  DataFlow::BarrierGuardNode prev;
+  boolean polarity;
+
+  CallAgainstEqualityCheck() {
+    prev instanceof DataFlow::CallNode and
+    exists(EqualityTest test, BooleanLiteral bool |
+      this.asExpr() = test and
+      test.hasOperands(prev.asExpr(), bool) and
+      polarity = test.getPolarity().booleanXor(bool.getBoolValue())
+    )
+  }
+
+  override predicate blocks(boolean outcome, Expr e) {
+    none() // handled by internalBlocksLabel
+  }
+
+  predicate internalBlocksLabel(boolean outcome, Expr e, DataFlow::FlowLabel lbl) {
+    exists(boolean prevOutcome |
+      barrierGuardBlocksExpr(prev, prevOutcome, e, lbl) and
+      outcome = prevOutcome.booleanXor(polarity)
+    )
+  }
+
+  override predicate appliesTo(Configuration cfg) { cfg.isBarrierGuard(prev) }
+}
+
 /**
  * A guard node for a variable in a negative condition, such as `x` in `if(!x)`.
  * Can be added to a `isBarrier` in a data-flow configuration to block flow through such checks.
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/UnsafeShellCommandConstruction.expected
@@ -301,6 +301,16 @@ nodes
 | lib/lib.js:562:26:562:29 | name |
 | lib/lib.js:566:26:566:29 | name |
 | lib/lib.js:566:26:566:29 | name |
+| lib/lib.js:572:41:572:44 | name |
+| lib/lib.js:572:41:572:44 | name |
+| lib/lib.js:573:22:573:25 | name |
+| lib/lib.js:573:22:573:25 | name |
+| lib/lib.js:579:25:579:28 | name |
+| lib/lib.js:579:25:579:28 | name |
+| lib/lib.js:590:29:590:32 | name |
+| lib/lib.js:590:29:590:32 | name |
+| lib/lib.js:593:25:593:28 | name |
+| lib/lib.js:593:25:593:28 | name |
 | lib/subLib2/compiled-file.ts:3:26:3:29 | name |
 | lib/subLib2/compiled-file.ts:3:26:3:29 | name |
 | lib/subLib2/compiled-file.ts:4:25:4:28 | name |
@@ -703,6 +713,22 @@ edges
 | lib/lib.js:558:41:558:44 | name | lib/lib.js:566:26:566:29 | name |
 | lib/lib.js:558:41:558:44 | name | lib/lib.js:566:26:566:29 | name |
 | lib/lib.js:558:41:558:44 | name | lib/lib.js:566:26:566:29 | name |
+| lib/lib.js:572:41:572:44 | name | lib/lib.js:573:22:573:25 | name |
+| lib/lib.js:572:41:572:44 | name | lib/lib.js:573:22:573:25 | name |
+| lib/lib.js:572:41:572:44 | name | lib/lib.js:573:22:573:25 | name |
+| lib/lib.js:572:41:572:44 | name | lib/lib.js:573:22:573:25 | name |
+| lib/lib.js:572:41:572:44 | name | lib/lib.js:579:25:579:28 | name |
+| lib/lib.js:572:41:572:44 | name | lib/lib.js:579:25:579:28 | name |
+| lib/lib.js:572:41:572:44 | name | lib/lib.js:579:25:579:28 | name |
+| lib/lib.js:572:41:572:44 | name | lib/lib.js:579:25:579:28 | name |
+| lib/lib.js:572:41:572:44 | name | lib/lib.js:590:29:590:32 | name |
+| lib/lib.js:572:41:572:44 | name | lib/lib.js:590:29:590:32 | name |
+| lib/lib.js:572:41:572:44 | name | lib/lib.js:590:29:590:32 | name |
+| lib/lib.js:572:41:572:44 | name | lib/lib.js:590:29:590:32 | name |
+| lib/lib.js:572:41:572:44 | name | lib/lib.js:593:25:593:28 | name |
+| lib/lib.js:572:41:572:44 | name | lib/lib.js:593:25:593:28 | name |
+| lib/lib.js:572:41:572:44 | name | lib/lib.js:593:25:593:28 | name |
+| lib/lib.js:572:41:572:44 | name | lib/lib.js:593:25:593:28 | name |
 | lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name |
 | lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name |
 | lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name |
@@ -826,6 +852,10 @@ edges
 | lib/lib.js:560:14:560:29 | "rm -rf " + name | lib/lib.js:558:41:558:44 | name | lib/lib.js:560:26:560:29 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:558:41:558:44 | name | library input | lib/lib.js:560:9:560:30 | exec("r ... + name) | shell command |
 | lib/lib.js:562:14:562:29 | "rm -rf " + name | lib/lib.js:558:41:558:44 | name | lib/lib.js:562:26:562:29 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:558:41:558:44 | name | library input | lib/lib.js:562:9:562:30 | exec("r ... + name) | shell command |
 | lib/lib.js:566:14:566:29 | "rm -rf " + name | lib/lib.js:558:41:558:44 | name | lib/lib.js:566:26:566:29 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:558:41:558:44 | name | library input | lib/lib.js:566:9:566:30 | exec("r ... + name) | shell command |
+| lib/lib.js:573:10:573:25 | "rm -rf " + name | lib/lib.js:572:41:572:44 | name | lib/lib.js:573:22:573:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:572:41:572:44 | name | library input | lib/lib.js:573:2:573:26 | cp.exec ... + name) | shell command |
+| lib/lib.js:579:13:579:28 | "rm -rf " + name | lib/lib.js:572:41:572:44 | name | lib/lib.js:579:25:579:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:572:41:572:44 | name | library input | lib/lib.js:579:5:579:29 | cp.exec ... + name) | shell command |
+| lib/lib.js:590:17:590:32 | "rm -rf " + name | lib/lib.js:572:41:572:44 | name | lib/lib.js:590:29:590:32 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:572:41:572:44 | name | library input | lib/lib.js:590:9:590:33 | cp.exec ... + name) | shell command |
+| lib/lib.js:593:13:593:28 | "rm -rf " + name | lib/lib.js:572:41:572:44 | name | lib/lib.js:593:25:593:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/lib.js:572:41:572:44 | name | library input | lib/lib.js:593:5:593:29 | cp.exec ... + name) | shell command |
 | lib/subLib2/compiled-file.ts:4:13:4:28 | "rm -rf " + name | lib/subLib2/compiled-file.ts:3:26:3:29 | name | lib/subLib2/compiled-file.ts:4:25:4:28 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib2/compiled-file.ts:3:26:3:29 | name | library input | lib/subLib2/compiled-file.ts:4:5:4:29 | cp.exec ... + name) | shell command |
 | lib/subLib2/special-file.js:4:10:4:25 | "rm -rf " + name | lib/subLib2/special-file.js:3:28:3:31 | name | lib/subLib2/special-file.js:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib2/special-file.js:3:28:3:31 | name | library input | lib/subLib2/special-file.js:4:2:4:26 | cp.exec ... + name) | shell command |
 | lib/subLib3/my-file.ts:4:10:4:25 | "rm -rf " + name | lib/subLib3/my-file.ts:3:28:3:31 | name | lib/subLib3/my-file.ts:4:22:4:25 | name | This string concatenation which depends on $@ is later used in a $@. | lib/subLib3/my-file.ts:3:28:3:31 | name | library input | lib/subLib3/my-file.ts:4:2:4:26 | cp.exec ... + name) | shell command |
diff --git a/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js b/javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction/lib/lib.js
@@ -568,3 +568,27 @@ module.exports.badSanitizer = function (name) {
         exec("rm -rf " + name); // OK
     }
 }
+
+module.exports.safeWithBool = function (name) {
+	cp.exec("rm -rf " + name); // NOT OK
+
+	if (isSafeName(name)) {
+		cp.exec("rm -rf " + name); // OK
+	}
+
+    cp.exec("rm -rf " + name); // NOT OK
+
+    if (isSafeName(name) === true) {
+        cp.exec("rm -rf " + name); // OK
+    }
+
+    if (isSafeName(name) !== false) {
+        cp.exec("rm -rf " + name); // OK
+    }
+
+    if (isSafeName(name) == false) {
+        cp.exec("rm -rf " + name); // NOT OK
+    }
+
+    cp.exec("rm -rf " + name); // NOT OK
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -68,17 +68,6 @@ nodes
 | json-schema-validator.js:59:22:59:26 | query |
 | json-schema-validator.js:61:22:61:26 | query |
 | json-schema-validator.js:61:22:61:26 | query |
-| koarouter.js:5:11:5:33 | version |
-| koarouter.js:5:13:5:19 | version |
-| koarouter.js:5:13:5:19 | version |
-| koarouter.js:11:11:11:28 | conditions |
-| koarouter.js:11:24:11:28 | ['1'] |
-| koarouter.js:14:25:14:46 | `versio ... rsion}` |
-| koarouter.js:14:38:14:44 | version |
-| koarouter.js:17:27:17:77 | `SELECT ... nd ')}` |
-| koarouter.js:17:27:17:77 | `SELECT ... nd ')}` |
-| koarouter.js:17:52:17:61 | conditions |
-| koarouter.js:17:52:17:75 | conditi ...  and ') |
 | ldap.js:20:7:20:34 | q |
 | ldap.js:20:11:20:34 | url.par ... , true) |
 | ldap.js:20:21:20:27 | req.url |
@@ -493,16 +482,6 @@ edges
 | json-schema-validator.js:50:23:50:48 | JSON.pa ... y.data) | json-schema-validator.js:50:15:50:48 | query |
 | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:50:23:50:48 | JSON.pa ... y.data) |
 | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:50:23:50:48 | JSON.pa ... y.data) |
-| koarouter.js:5:11:5:33 | version | koarouter.js:14:38:14:44 | version |
-| koarouter.js:5:13:5:19 | version | koarouter.js:5:11:5:33 | version |
-| koarouter.js:5:13:5:19 | version | koarouter.js:5:11:5:33 | version |
-| koarouter.js:11:11:11:28 | conditions | koarouter.js:17:52:17:61 | conditions |
-| koarouter.js:11:24:11:28 | ['1'] | koarouter.js:11:11:11:28 | conditions |
-| koarouter.js:14:25:14:46 | `versio ... rsion}` | koarouter.js:11:24:11:28 | ['1'] |
-| koarouter.js:14:38:14:44 | version | koarouter.js:14:25:14:46 | `versio ... rsion}` |
-| koarouter.js:17:52:17:61 | conditions | koarouter.js:17:52:17:75 | conditi ...  and ') |
-| koarouter.js:17:52:17:75 | conditi ...  and ') | koarouter.js:17:27:17:77 | `SELECT ... nd ')}` |
-| koarouter.js:17:52:17:75 | conditi ...  and ') | koarouter.js:17:27:17:77 | `SELECT ... nd ')}` |
 | ldap.js:20:7:20:34 | q | ldap.js:22:18:22:18 | q |
 | ldap.js:20:11:20:34 | url.par ... , true) | ldap.js:20:7:20:34 | q |
 | ldap.js:20:21:20:27 | req.url | ldap.js:20:11:20:34 | url.par ... , true) |
@@ -950,7 +929,6 @@ edges
 | json-schema-validator.js:55:22:55:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:55:22:55:26 | query | This query depends on a $@. | json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value |
 | json-schema-validator.js:59:22:59:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:59:22:59:26 | query | This query depends on a $@. | json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value |
 | json-schema-validator.js:61:22:61:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:61:22:61:26 | query | This query depends on a $@. | json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value |
-| koarouter.js:17:27:17:77 | `SELECT ... nd ')}` | koarouter.js:5:13:5:19 | version | koarouter.js:17:27:17:77 | `SELECT ... nd ')}` | This query depends on a $@. | koarouter.js:5:13:5:19 | version | user-provided value |
 | ldap.js:28:30:28:34 | opts1 | ldap.js:20:21:20:27 | req.url | ldap.js:28:30:28:34 | opts1 | This query depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value |
 | ldap.js:32:5:32:61 | { filte ... e}))` } | ldap.js:20:21:20:27 | req.url | ldap.js:32:5:32:61 | { filte ... e}))` } | This query depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value |
 | ldap.js:66:30:66:53 | { filte ... ilter } | ldap.js:20:21:20:27 | req.url | ldap.js:66:30:66:53 | { filte ... ilter } | This query depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/koarouter.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/koarouter.js
@@ -14,7 +14,7 @@ new Router().get("/hello", (ctx) => {
         conditions.push(`version = ${version}`)
     }
 
-    new Sequelize().query(`SELECT * FROM t WHERE ${conditions.join(' and ')}`, null); // OK - but still flagged [INCONSISTENCY]
+    new Sequelize().query(`SELECT * FROM t WHERE ${conditions.join(' and ')}`, null); // OK
 });
 
 function validVersion(version) {

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ new Router().get("/hello", (ctx) => {`
`14`	`14`	conditions.push(`version = ${version}`)
`15`	`15`	`}`
`16`	`16`
`17`		- new Sequelize().query(`SELECT * FROM t WHERE ${conditions.join(' and ')}`, null); // OK - but still flagged [INCONSISTENCY]
	`17`	+ new Sequelize().query(`SELECT * FROM t WHERE ${conditions.join(' and ')}`, null); // OK
`18`	`18`	`});`
`19`	`19`
`20`	`20`	`function validVersion(version) {`