use MemberShipTest in TaintedPath

erik-krogh · erik-krogh · commit 550c578c3cd9 · 2020-06-04T10:51:08.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -1814,3 +1814,19 @@ class VarAccessBarrier extends DataFlow::Node {
     )
   }
 }
+
+/**
+ * A check of the form `whitelist.includes(x)` or equivalent, which sanitizes `x` in its "then" branch.
+ * 
+ * Can be added to `isBarrierGuard` in a data-flow configuration to block flow through such checks.
+ */
+class MembershipTestBarrierGuard extends BarrierGuardNode {
+  MembershipCandidate candidate;
+
+  MembershipTestBarrierGuard() { this = candidate.getTest() }
+
+  override predicate blocks(boolean outcome, Expr e) {
+    candidate = e.flow() and
+    candidate.getTestPolarity() = outcome
+  }
+}
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
@@ -370,6 +370,15 @@ module TaintedPath {
     }
   }
 
+  /**
+   * A check of the form `whitelist.includes(x)` or equivalent, which sanitizes `x` in its "then" branch.
+   */
+  class MembershipTestBarrierGuard extends BarrierGuardNode, DataFlow::MembershipTestBarrierGuard {
+    override predicate blocks(boolean outcome, Expr e) {
+      DataFlow::MembershipTestBarrierGuard.super.blocks(outcome, e)
+    }
+  }
+
   /**
    * A check of form `x.startsWith(dir)` that sanitizes normalized absolute paths, since it is then
    * known to be in a subdirectory of `dir`.
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected
@@ -211,40 +211,6 @@ nodes
 | TaintedPath.js:24:33:24:36 | path |
 | TaintedPath.js:24:33:24:36 | path |
 | TaintedPath.js:24:33:24:36 | path |
-| TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:30:31:30:34 | path |
 | TaintedPath.js:33:31:33:34 | path |
 | TaintedPath.js:33:31:33:34 | path |
 | TaintedPath.js:33:31:33:34 | path |
@@ -2968,70 +2934,6 @@ edges
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:24:33:24:36 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:24:33:24:36 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:24:33:24:36 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:27:31:27:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
-| TaintedPath.js:9:7:9:48 | path | TaintedPath.js:30:31:30:34 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:33:31:33:34 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:33:31:33:34 | path |
 | TaintedPath.js:9:7:9:48 | path | TaintedPath.js:33:31:33:34 | path |
@@ -6671,8 +6573,6 @@ edges
 | TaintedPath.js:18:33:18:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:18:33:18:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
 | TaintedPath.js:21:33:21:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:21:33:21:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
 | TaintedPath.js:24:33:24:36 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:24:33:24:36 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
-| TaintedPath.js:27:31:27:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:27:31:27:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
-| TaintedPath.js:30:31:30:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:30:31:30:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
 | TaintedPath.js:33:31:33:34 | path | TaintedPath.js:9:24:9:30 | req.url | TaintedPath.js:33:31:33:34 | path | This path depends on $@. | TaintedPath.js:9:24:9:30 | req.url | a user-provided value |
 | TaintedPath.js:42:29:42:52 | pathMod ... e(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:42:29:42:52 | pathMod ... e(path) | This path depends on $@. | TaintedPath.js:38:20:38:26 | req.url | a user-provided value |
 | TaintedPath.js:46:29:46:49 | pathMod ... n(path) | TaintedPath.js:38:20:38:26 | req.url | TaintedPath.js:46:29:46:49 | pathMod ... n(path) | This path depends on $@. | TaintedPath.js:38:20:38:26 | req.url | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js b/javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.js
@@ -24,10 +24,10 @@ var server = http.createServer(function(req, res) {
       res.write(fs.readFileSync(path)); // BAD: Insufficient sanitisation
 
   if (path === 'foo.txt')
-    res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list [INCONSISTENCY]
+    res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list
 
   if (path === 'foo.txt' || path === 'bar.txt')
-    res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list [INCONSISTENCY]
+    res.write(fs.readFileSync(path)); // GOOD: Path is compared to white-list
 
   if (path === 'foo.txt' || path === 'bar.txt' || someOpaqueCondition())
     res.write(fs.readFileSync(path)); // BAD: Path is incompletely compared to white-list
