JS: Replace ClearTextLogging::isSanitizerEdge with a node

asgerf · asgerf · commit 944a2ca82527 · 2023-07-11T14:20:17.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/BuildArtifactLeakQuery.qll
@@ -27,10 +27,6 @@ class Configuration extends TaintTracking::Configuration {
 
   override predicate isSanitizer(DataFlow::Node node) { node instanceof CleartextLogging::Barrier }
 
-  override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
-    CleartextLogging::isSanitizerEdge(pred, succ)
-  }
-
   override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
     CleartextLogging::isAdditionalTaintStep(src, trg)
   }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingCustomizations.qll
@@ -175,12 +175,24 @@ module CleartextLogging {
   }
 
   /**
+   * DEPRECATED. Use `Barrier` instead, sanitized have been replaced by sanitized nodes.
+   *
    * Holds if the edge `pred` -> `succ` should be sanitized for clear-text logging of sensitive information.
    */
-  predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
+  deprecated predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
     succ.(DataFlow::PropRead).getBase() = pred
   }
 
+  private class PropReadAsBarrier extends Barrier {
+    PropReadAsBarrier() {
+      this = any(DataFlow::PropRead read).getBase() and
+      // the 'foo' in 'foo.bar()' may have flow, we only want to suppress plain property reads
+      not this = any(DataFlow::MethodCallNode call).getReceiver() and
+      // do not block custom taint steps from this node
+      not isAdditionalTaintStep(this, _)
+    }
+  }
+
   /**
    * Holds if the edge `src` -> `trg` is an additional taint-step for clear-text logging of sensitive information.
    */
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CleartextLoggingQuery.qll
@@ -33,10 +33,6 @@ class Configuration extends TaintTracking::Configuration {
 
   override predicate isSanitizer(DataFlow::Node node) { node instanceof Barrier }
 
-  override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
-    CleartextLogging::isSanitizerEdge(pred, succ)
-  }
-
   override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {
     CleartextLogging::isAdditionalTaintStep(src, trg)
   }
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/BuildArtifactLeak.expected b/javascript/ql/test/query-tests/Security/CWE-312/BuildArtifactLeak.expected
@@ -9,12 +9,15 @@ nodes
 | build-leaks.js:14:18:14:20 | env |
 | build-leaks.js:15:24:15:34 | process.env |
 | build-leaks.js:15:24:15:34 | process.env |
+| build-leaks.js:15:24:15:39 | process.env[key] |
 | build-leaks.js:16:20:16:22 | env |
 | build-leaks.js:21:11:26:5 | stringifed |
 | build-leaks.js:21:24:26:5 | {\\n      ... )\\n    } |
 | build-leaks.js:22:24:25:14 | Object. ...  }, {}) |
 | build-leaks.js:22:49:22:51 | env |
+| build-leaks.js:23:24:23:47 | JSON.st ... w[key]) |
 | build-leaks.js:23:39:23:41 | raw |
+| build-leaks.js:23:39:23:46 | raw[key] |
 | build-leaks.js:24:20:24:22 | env |
 | build-leaks.js:30:22:30:31 | stringifed |
 | build-leaks.js:34:26:34:57 | getEnv( ... ngified |
@@ -36,13 +39,19 @@ edges
 | build-leaks.js:14:18:14:20 | env | build-leaks.js:16:20:16:22 | env |
 | build-leaks.js:15:24:15:34 | process.env | build-leaks.js:14:18:14:20 | env |
 | build-leaks.js:15:24:15:34 | process.env | build-leaks.js:14:18:14:20 | env |
+| build-leaks.js:15:24:15:34 | process.env | build-leaks.js:15:24:15:39 | process.env[key] |
+| build-leaks.js:15:24:15:34 | process.env | build-leaks.js:15:24:15:39 | process.env[key] |
+| build-leaks.js:15:24:15:39 | process.env[key] | build-leaks.js:14:18:14:20 | env |
 | build-leaks.js:16:20:16:22 | env | build-leaks.js:13:17:19:10 | Object. ...      }) |
 | build-leaks.js:16:20:16:22 | env | build-leaks.js:14:18:14:20 | env |
 | build-leaks.js:21:11:26:5 | stringifed | build-leaks.js:30:22:30:31 | stringifed |
 | build-leaks.js:21:24:26:5 | {\\n      ... )\\n    } | build-leaks.js:21:11:26:5 | stringifed |
 | build-leaks.js:22:24:25:14 | Object. ...  }, {}) | build-leaks.js:21:24:26:5 | {\\n      ... )\\n    } |
 | build-leaks.js:22:49:22:51 | env | build-leaks.js:24:20:24:22 | env |
+| build-leaks.js:23:24:23:47 | JSON.st ... w[key]) | build-leaks.js:22:49:22:51 | env |
 | build-leaks.js:23:39:23:41 | raw | build-leaks.js:22:49:22:51 | env |
+| build-leaks.js:23:39:23:41 | raw | build-leaks.js:23:39:23:46 | raw[key] |
+| build-leaks.js:23:39:23:46 | raw[key] | build-leaks.js:23:24:23:47 | JSON.st ... w[key]) |
 | build-leaks.js:24:20:24:22 | env | build-leaks.js:22:24:25:14 | Object. ...  }, {}) |
 | build-leaks.js:24:20:24:22 | env | build-leaks.js:22:49:22:51 | env |
 | build-leaks.js:30:22:30:31 | stringifed | build-leaks.js:34:26:34:57 | getEnv( ... ngified |

Original file line number	Diff line number	Diff line change
`@@ -27,10 +27,6 @@ class Configuration extends TaintTracking::Configuration {`
`27`	`27`
`28`	`28`	`override predicate isSanitizer(DataFlow::Node node) { node instanceof CleartextLogging::Barrier }`
`29`	`29`
`30`		`- override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {`
`31`		`- CleartextLogging::isSanitizerEdge(pred, succ)`
`32`		`- }`
`33`		`-`
`34`	`30`	`override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {`
`35`	`31`	`CleartextLogging::isAdditionalTaintStep(src, trg)`
`36`	`32`	`}`
Original file line number	Diff line number	Diff line change
`@@ -33,10 +33,6 @@ class Configuration extends TaintTracking::Configuration {`
`33`	`33`
`34`	`34`	`override predicate isSanitizer(DataFlow::Node node) { node instanceof Barrier }`
`35`	`35`
`36`		`- override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {`
`37`		`- CleartextLogging::isSanitizerEdge(pred, succ)`
`38`		`- }`
`39`		`-`
`40`	`36`	`override predicate isAdditionalTaintStep(DataFlow::Node src, DataFlow::Node trg) {`
`41`	`37`	`CleartextLogging::isAdditionalTaintStep(src, trg)`
`42`	`38`	`}`