JS: Move 'this' sanitizer to customizations

asgerf · asgerf · commit b728f71b4b41 · 2023-04-17T12:11:18.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginCustomizations.qll
@@ -31,6 +31,13 @@ module UnsafeJQueryPlugin {
    */
   abstract class Sanitizer extends DataFlow::Node { }
 
+  /**
+   * The receiver of a function, seen as a sanitizer.
+   *
+   * Plugins often do `$(this)` to coerce an existing DOM element to a jQuery object.
+   */
+  private class ThisSanitizer extends Sanitizer instanceof DataFlow::ThisNode { }
+
   /**
    * An argument that may act as an HTML fragment rather than a CSS selector, as a sink for remote unsafe jQuery plugins.
    */
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll
@@ -23,9 +23,6 @@ class Configuration extends TaintTracking::Configuration {
     node instanceof DomBasedXss::Sanitizer
     or
     node instanceof Sanitizer
-    or
-    // Plugins usually do `$(this)` to coerce an existing DOM element to a jQuery object.
-    node instanceof DataFlow::ThisNode
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {

Original file line number	Diff line number	Diff line change
`@@ -23,9 +23,6 @@ class Configuration extends TaintTracking::Configuration {`
`23`	`23`	`node instanceof DomBasedXss::Sanitizer`
`24`	`24`	`or`
`25`	`25`	`node instanceof Sanitizer`
`26`		`- or`
`27`		- // Plugins usually do `$(this)` to coerce an existing DOM element to a jQuery object.
`28`		`- node instanceof DataFlow::ThisNode`
`29`	`26`	`}`
`30`	`27`
`31`	`28`	`override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {`