Add option for default taint sanitizer guard

owen-mc · owen-mc · commit 9ec3d7787ca5 · 2022-01-12T14:44:55.000Z
This allows languages to specify A sanitizer guard in all
global taint flow configurations but not in local taint.
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -113,6 +113,13 @@ private module Cached {
     node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass or
     node.asExpr() instanceof ValidatedVariableAccess
   }
+
+  /**
+   * Holds if `guard` should be a sanitizer guard in all global taint flow configurations
+   * but not in local taint.
+   */
+  cached
+  predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 }
 
 import Cached
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll b/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {
   predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
 
   final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    this.isSanitizerGuard(guard)
+    this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)
   }
 
   /**

Original file line number	Diff line number	Diff line change
`@@ -113,6 +113,13 @@ private module Cached {`
`113`	`113`	`node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass or`
`114`	`114`	`node.asExpr() instanceof ValidatedVariableAccess`
`115`	`115`	`}`
	`116`	`+`
	`117`	`+ /**`
	`118`	+ * Holds if `guard` should be a sanitizer guard in all global taint flow configurations
	`119`	`+ * but not in local taint.`
	`120`	`+ */`
	`121`	`+ cached`
	`122`	`+ predicate defaultTaintSanitizerGuard(DataFlow::BarrierGuard guard) { none() }`
`116`	`123`	`}`
`117`	`124`
`118`	`125`	`import Cached`
Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ abstract class Configuration extends DataFlow::Configuration {`
`93`	`93`	`predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }`
`94`	`94`
`95`	`95`	`final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {`
`96`		`- this.isSanitizerGuard(guard)`
	`96`	`+ this.isSanitizerGuard(guard) or defaultTaintSanitizerGuard(guard)`
`97`	`97`	`}`
`98`	`98`
`99`	`99`	`/**`