move initialization of sanitizer-guards to Query.qll files

Author: erik-krogh

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/XssATM.qll

@@ -99,10 +99,27 @@ class Configuration extends TaintTracking::Configuration {
   }
 
   override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
-    guard instanceof DomBasedXss::SanitizerGuard
+    guard instanceof PrefixStringSanitizerActivated or
+    guard instanceof QuoteGuard or
+    guard instanceof ContainsHtmlGuard
   }
 
   override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
     DomBasedXss::isOptionallySanitizedEdge(pred, succ)
   }
 }
+
+private import semmle.javascript.security.dataflow.Xss::Shared as Shared
+
+private class PrefixStringSanitizerActivated extends TaintTracking::SanitizerGuardNode,
+  DomBasedXss::PrefixStringSanitizer {
+  PrefixStringSanitizerActivated() { this = this }
+}
+
+private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::QuoteGuard {
+  QuoteGuard() { this = this }
+}
+
+private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
+  ContainsHtmlGuard() { this = this }
+}

javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll

@@ -18,9 +18,6 @@ module DomBasedXss {
   /** A sanitizer for DOM-based XSS vulnerabilities. */
   abstract class Sanitizer extends Shared::Sanitizer { }
 
-  /** A sanitizer guard for DOM-based XSS vulnerabilities. */
-  abstract class SanitizerGuard extends Shared::SanitizerGuard { }
-
   /**
    * An expression whose value is interpreted as HTML
    * and may be inserted into the DOM through a library.
@@ -287,8 +284,6 @@ module DomBasedXss {
 
   private class IsEscapedInSwitchSanitizer extends Sanitizer, Shared::IsEscapedInSwitchSanitizer { }
 
-  private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
-
   /**
    * Holds if there exists two dataflow edges to `succ`, where one edges is sanitized, and the other edge starts with `pred`.
    */
@@ -319,8 +314,6 @@ module DomBasedXss {
     )
   }
 
-  private class ContainsHtmlGuard extends SanitizerGuard, Shared::ContainsHtmlGuard { }
-
   /** A source of remote user input, considered as a flow source for DOM-based XSS. */
   class RemoteFlowSourceAsSource extends Source {
     RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
@@ -335,4 +328,16 @@ module DomBasedXss {
 
   /** Gets the flow-label representing tainted values where the prefix is attacker controlled. */
   PrefixString prefixLabel() { any() }
+
+  /**
+   * A sanitizer that blocks the `PrefixString` label when the start of the string is being tested as being of a particular prefix.
+   */
+  abstract class PrefixStringSanitizer extends TaintTracking::SanitizerGuardNode,
+    TaintTracking::LabeledSanitizerGuardNode instanceof StringOps::StartsWith {
+    override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
+      e = super.getBaseString().asExpr() and
+      label = prefixLabel() and
+      outcome = super.getPolarity()
+    }
+  }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll

@@ -6,6 +6,7 @@
 import javascript
 private import semmle.javascript.security.TaintedUrlSuffix
 import DomBasedXssCustomizations::DomBasedXss
+private import Xss::Shared as Shared
 
 /**
  * DEPRECATED. Use `Vue::VHtmlSourceWrite` instead.
@@ -71,7 +72,9 @@ class Configuration extends TaintTracking::Configuration {
   }
 
   override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
-    guard instanceof SanitizerGuard
+    guard instanceof PrefixStringSanitizer or
+    guard instanceof QuoteGuard or
+    guard instanceof ContainsHtmlGuard
   }
 
   override predicate isLabeledBarrier(DataFlow::Node node, DataFlow::FlowLabel lbl) {
@@ -124,13 +127,15 @@ class Configuration extends TaintTracking::Configuration {
   }
 }
 
-/**
- * A sanitizer that blocks the `PrefixString` label when the start of the string is being tested as being of a particular prefix.
- */
-class PrefixStringSanitizer extends SanitizerGuard, TaintTracking::LabeledSanitizerGuardNode instanceof StringOps::StartsWith {
-  override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
-    e = super.getBaseString().asExpr() and
-    label = prefixLabel() and
-    outcome = super.getPolarity()
-  }
+private class PrefixStringSanitizerActivated extends TaintTracking::SanitizerGuardNode,
+  PrefixStringSanitizer {
+  PrefixStringSanitizerActivated() { this = this }
+}
+
+private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::QuoteGuard {
+  QuoteGuard() { this = this }
+}
+
+private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
+  ContainsHtmlGuard() { this = this }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll

@@ -17,9 +17,6 @@ module ReflectedXss {
   /** A sanitizer for reflected XSS vulnerabilities. */
   abstract class Sanitizer extends Shared::Sanitizer { }
 
-  /** A sanitizer guard for reflected XSS vulnerabilities. */
-  abstract class SanitizerGuard extends Shared::SanitizerGuard { }
-
   /**
    * An expression that is sent as part of an HTTP response, considered as an XSS sink.
    *
@@ -110,10 +107,6 @@ module ReflectedXss {
 
   private class IsEscapedInSwitchSanitizer extends Sanitizer, Shared::IsEscapedInSwitchSanitizer { }
 
-  private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
-
-  private class ContainsHtmlGuard extends SanitizerGuard, Shared::ContainsHtmlGuard { }
-
   /** A third-party controllable request input, considered as a flow source for reflected XSS. */
   class ThirdPartyRequestInputAccessAsSource extends Source {
     ThirdPartyRequestInputAccessAsSource() {

javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssQuery.qll

@@ -5,6 +5,7 @@
 
 import javascript
 import ReflectedXssCustomizations::ReflectedXss
+private import Xss::Shared as Shared
 
 /**
  * A taint-tracking configuration for reasoning about XSS.
@@ -22,6 +23,15 @@ class Configuration extends TaintTracking::Configuration {
   }
 
   override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
-    guard instanceof SanitizerGuard
+    guard instanceof QuoteGuard or
+    guard instanceof ContainsHtmlGuard
   }
 }
+
+private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::QuoteGuard {
+  QuoteGuard() { this = this }
+}
+
+private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
+  ContainsHtmlGuard() { this = this }
+}

javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssCustomizations.qll

@@ -17,9 +17,6 @@ module StoredXss {
   /** A sanitizer for stored XSS vulnerabilities. */
   abstract class Sanitizer extends Shared::Sanitizer { }
 
-  /** A sanitizer guard for stored XSS vulnerabilities. */
-  abstract class SanitizerGuard extends Shared::SanitizerGuard { }
-
   /** An arbitrary XSS sink, considered as a flow sink for stored XSS. */
   private class AnySink extends Sink {
     AnySink() { this instanceof Shared::Sink }
@@ -40,8 +37,4 @@ module StoredXss {
   }
 
   private class IsEscapedInSwitchSanitizer extends Sanitizer, Shared::IsEscapedInSwitchSanitizer { }
-
-  private class QuoteGuard extends SanitizerGuard, Shared::QuoteGuard { }
-
-  private class ContainsHtmlGuard extends SanitizerGuard, Shared::ContainsHtmlGuard { }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssQuery.qll

@@ -5,6 +5,7 @@
 
 import javascript
 import StoredXssCustomizations::StoredXss
+private import Xss::Shared as Shared
 
 /**
  * A taint-tracking configuration for reasoning about XSS.
@@ -22,7 +23,8 @@ class Configuration extends TaintTracking::Configuration {
   }
 
   override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
-    guard instanceof SanitizerGuard
+    guard instanceof QuoteGuard or
+    guard instanceof ContainsHtmlGuard
   }
 }
 
@@ -35,3 +37,11 @@ class FileNameSourceAsSource extends Source {
 class UserControlledTorrentInfoAsSource extends Source {
   UserControlledTorrentInfoAsSource() { this instanceof ParseTorrent::UserControlledTorrentInfo }
 }
+
+private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::QuoteGuard {
+  QuoteGuard() { this = this }
+}
+
+private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
+  ContainsHtmlGuard() { this = this }
+}

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll

@@ -39,4 +39,25 @@ class Configration extends TaintTracking::Configuration {
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
     DataFlow::localFieldStep(pred, succ)
   }
+
+  override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
+    guard instanceof PrefixStringSanitizer or
+    guard instanceof QuoteGuard or
+    guard instanceof ContainsHtmlGuard
+  }
+}
+
+private import semmle.javascript.security.dataflow.Xss::Shared as Shared
+
+private class PrefixStringSanitizer extends TaintTracking::SanitizerGuardNode,
+  DomBasedXss::PrefixStringSanitizer {
+  PrefixStringSanitizer() { this = this }
+}
+
+private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::QuoteGuard {
+  QuoteGuard() { this = this }
+}
+
+private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
+  ContainsHtmlGuard() { this = this }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/Xss.qll

@@ -23,9 +23,6 @@ module Shared {
   /** A sanitizer for XSS vulnerabilities. */
   abstract class Sanitizer extends DataFlow::Node { }
 
-  /** A sanitizer guard for XSS vulnerabilities. */
-  abstract class SanitizerGuard extends TaintTracking::SanitizerGuardNode { }
-
   /**
    * A global regexp replacement involving the `<`, `'`, or `"` meta-character, viewed as a sanitizer for
    * XSS vulnerabilities.
@@ -70,7 +67,7 @@ module Shared {
   /**
    * A guard that checks if a string can contain quotes, which is a guard for strings that are inside a HTML attribute.
    */
-  class QuoteGuard extends SanitizerGuard, StringOps::Includes {
+  abstract class QuoteGuard extends TaintTracking::SanitizerGuardNode, StringOps::Includes {
     QuoteGuard() {
       this.getSubstring().mayHaveStringValue("\"") and
       this.getBaseString()
@@ -87,7 +84,7 @@ module Shared {
    * A sanitizer guard that checks for the existence of HTML chars in a string.
    * E.g. `/["'&<>]/.exec(str)`.
    */
-  class ContainsHtmlGuard extends SanitizerGuard, StringOps::RegExpTest {
+  abstract class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, StringOps::RegExpTest {
     ContainsHtmlGuard() {
       exists(RegExpCharacterClass regExp |
         regExp = this.getRegExp() and

javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomQuery.qll

@@ -28,7 +28,9 @@ class Configuration extends TaintTracking::Configuration {
     guard instanceof TypeTestGuard or
     guard instanceof UnsafeJQuery::PropertyPresenceSanitizer or
     guard instanceof UnsafeJQuery::NumberGuard or
-    guard instanceof DomBasedXss::SanitizerGuard
+    guard instanceof PrefixStringSanitizer or
+    guard instanceof QuoteGuard or
+    guard instanceof ContainsHtmlGuard
   }
 
   override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
@@ -49,3 +51,18 @@ class Configuration extends TaintTracking::Configuration {
     )
   }
 }
+
+private import semmle.javascript.security.dataflow.Xss::Shared as Shared
+
+private class PrefixStringSanitizer extends TaintTracking::SanitizerGuardNode,
+  DomBasedXss::PrefixStringSanitizer {
+  PrefixStringSanitizer() { this = this }
+}
+
+private class QuoteGuard extends TaintTracking::SanitizerGuardNode, Shared::QuoteGuard {
+  QuoteGuard() { this = this }
+}
+
+private class ContainsHtmlGuard extends TaintTracking::SanitizerGuardNode, Shared::ContainsHtmlGuard {
+  ContainsHtmlGuard() { this = this }
+}