JS: Replace sanitizing prefix edge with node

asgerf · asgerf · commit 094302a27ba0 · 2023-07-11T14:48:13.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
@@ -31,9 +31,7 @@ class Configuration extends TaintTracking::Configuration {
     node instanceof Sanitizer
   }
 
-  override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {
-    sanitizingPrefixEdge(source, sink)
-  }
+  override predicate isSanitizerOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }
 
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
     isAdditionalRequestForgeryStep(pred, succ)
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll
@@ -33,9 +33,7 @@ class Configuration extends TaintTracking::Configuration {
     node instanceof Sanitizer
   }
 
-  override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {
-    hostnameSanitizingPrefixEdge(source, sink)
-  }
+  override predicate isSanitizerOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) }
 
   override predicate isAdditionalFlowStep(
     DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel f, DataFlow::FlowLabel g
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
@@ -26,9 +26,7 @@ class Configuration extends TaintTracking::Configuration {
     node instanceof Sanitizer
   }
 
-  override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {
-    sanitizingPrefixEdge(source, sink)
-  }
+  override predicate isSanitizerOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }
 
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
     isAdditionalRequestForgeryStep(pred, succ)
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll
@@ -27,9 +27,7 @@ class Configuration extends TaintTracking::Configuration {
     node instanceof Sanitizer
   }
 
-  override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {
-    hostnameSanitizingPrefixEdge(source, sink)
-  }
+  override predicate isSanitizerOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) }
 
   override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
     guard instanceof LocalUrlSanitizingGuard or
diff --git a/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll b/javascript/ql/src/experimental/Security/CWE-918/SSRF.qll
@@ -29,8 +29,8 @@ class Configuration extends TaintTracking::Configuration {
     )
   }
 
-  override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {
-    this.strictSanitizingPrefixEdge(source, sink)
+  override predicate isSanitizerOut(DataFlow::Node node) {
+    this.strictSanitizingPrefixEdge(node, _)
   }
 
   override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode nd) {

Original file line number	Diff line number	Diff line change
`@@ -31,9 +31,7 @@ class Configuration extends TaintTracking::Configuration {`
`31`	`31`	`node instanceof Sanitizer`
`32`	`32`	`}`
`33`	`33`
`34`		`- override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {`
`35`		`- sanitizingPrefixEdge(source, sink)`
`36`		`- }`
	`34`	`+ override predicate isSanitizerOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }`
`37`	`35`
`38`	`36`	`override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {`
`39`	`37`	`isAdditionalRequestForgeryStep(pred, succ)`
Original file line number	Diff line number	Diff line change
`@@ -33,9 +33,7 @@ class Configuration extends TaintTracking::Configuration {`
`33`	`33`	`node instanceof Sanitizer`
`34`	`34`	`}`
`35`	`35`
`36`		`- override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {`
`37`		`- hostnameSanitizingPrefixEdge(source, sink)`
`38`		`- }`
	`36`	`+ override predicate isSanitizerOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) }`
`39`	`37`
`40`	`38`	`override predicate isAdditionalFlowStep(`
`41`	`39`	`DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel f, DataFlow::FlowLabel g`
Original file line number	Diff line number	Diff line change
`@@ -26,9 +26,7 @@ class Configuration extends TaintTracking::Configuration {`
`26`	`26`	`node instanceof Sanitizer`
`27`	`27`	`}`
`28`	`28`
`29`		`- override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {`
`30`		`- sanitizingPrefixEdge(source, sink)`
`31`		`- }`
	`29`	`+ override predicate isSanitizerOut(DataFlow::Node node) { sanitizingPrefixEdge(node, _) }`
`32`	`30`
`33`	`31`	`override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {`
`34`	`32`	`isAdditionalRequestForgeryStep(pred, succ)`
Original file line number	Diff line number	Diff line change
`@@ -27,9 +27,7 @@ class Configuration extends TaintTracking::Configuration {`
`27`	`27`	`node instanceof Sanitizer`
`28`	`28`	`}`
`29`	`29`
`30`		`- override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {`
`31`		`- hostnameSanitizingPrefixEdge(source, sink)`
`32`		`- }`
	`30`	`+ override predicate isSanitizerOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) }`
`33`	`31`
`34`	`32`	`override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {`
`35`	`33`	`guard instanceof LocalUrlSanitizingGuard or`
Original file line number	Diff line number	Diff line change
`@@ -29,8 +29,8 @@ class Configuration extends TaintTracking::Configuration {`
`29`	`29`	`)`
`30`	`30`	`}`
`31`	`31`
`32`		`- override predicate isSanitizerEdge(DataFlow::Node source, DataFlow::Node sink) {`
`33`		`- this.strictSanitizingPrefixEdge(source, sink)`
	`32`	`+ override predicate isSanitizerOut(DataFlow::Node node) {`
	`33`	`+ this.strictSanitizingPrefixEdge(node, _)`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode nd) {`