XSS: expose extension point for defining barrier sinks

smowton · smowton · commit 3e7ea3405436 · 2021-06-30T12:04:20.000+01:00
diff --git a/java/ql/src/Security/CWE/CWE-079/XSS.ql b/java/ql/src/Security/CWE/CWE-079/XSS.ql
@@ -25,6 +25,8 @@ class XSSConfig extends TaintTracking::Configuration {
 
   override predicate isSanitizer(DataFlow::Node node) { node instanceof XssSanitizer }
 
+  override predicate isSanitizerOut(DataFlow::Node node) { node instanceof XssSinkBarrier }
+
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(XssAdditionalTaintStep s).step(node1, node2)
   }
diff --git a/java/ql/src/semmle/code/java/security/XSS.qll b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -15,6 +15,12 @@ abstract class XssSink extends DataFlow::Node { }
 /** A sanitizer that neutralizes dangerous characters that can be used to perform a XSS attack. */
 abstract class XssSanitizer extends DataFlow::Node { }
 
+/**
+ * A sink that represent a method that outputs data without applying contextual output encoding,
+ * and which should truncate flow paths such that downstream sinks are not flagged as well.
+ */
+abstract class XssSinkBarrier extends XssSink { }
+
 /**
  * A unit class for adding additional taint steps.
  *

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,8 @@ class XSSConfig extends TaintTracking::Configuration {`
`25`	`25`
`26`	`26`	`override predicate isSanitizer(DataFlow::Node node) { node instanceof XssSanitizer }`
`27`	`27`
	`28`	`+ override predicate isSanitizerOut(DataFlow::Node node) { node instanceof XssSinkBarrier }`
	`29`	`+`
`28`	`30`	`override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {`
`29`	`31`	`any(XssAdditionalTaintStep s).step(node1, node2)`
`30`	`32`	`}`