JS: Update two more uses of SanitizerGuardNode

asgerf · asgerf · commit 0d79c7141c3f · 2024-12-03T14:30:35.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectQuery.qll
@@ -70,14 +70,22 @@ deprecated class Configuration extends TaintTracking::Configuration {
  * A call to a function called `isLocalUrl` or similar, which is
  * considered to sanitize a variable for purposes of URL redirection.
  */
-class LocalUrlSanitizingGuard extends TaintTracking::SanitizerGuardNode, DataFlow::CallNode {
+class LocalUrlSanitizingGuard extends DataFlow::CallNode {
   LocalUrlSanitizingGuard() { this.getCalleeName().regexpMatch("(?i)(is_?)?local_?url") }
 
-  override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+  /** DEPRECATED. Use `blocksExpr` instead. */
+  deprecated predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
 
   /** Holds if this node blocks flow through `e`, provided it evaluates to `outcome`. */
   predicate blocksExpr(boolean outcome, Expr e) {
     this.getAnArgument().asExpr() = e and
     outcome = true
   }
 }
+
+deprecated private class LocalUrlSanitizingGuardLegacy extends TaintTracking::SanitizerGuardNode instanceof LocalUrlSanitizingGuard
+{
+  override predicate sanitizes(boolean outcome, Expr e) {
+    LocalUrlSanitizingGuard.super.sanitizes(outcome, e)
+  }
+}
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UrlConcatenation.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UrlConcatenation.qll
@@ -100,10 +100,11 @@ predicate hostnameSanitizingPrefixEdge(DataFlow::Node source, DataFlow::Node sin
 /**
  * A check that sanitizes the hostname of a URL.
  */
-class HostnameSanitizerGuard extends TaintTracking::SanitizerGuardNode, StringOps::StartsWith {
+class HostnameSanitizerGuard extends StringOps::StartsWith {
   HostnameSanitizerGuard() { hasHostnameSanitizingSubstring(this.getSubstring()) }
 
-  override predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
+  /** DEPRECATED. Use `blocksExpr` instead. */
+  deprecated predicate sanitizes(boolean outcome, Expr e) { this.blocksExpr(outcome, e) }
 
   /** Holds if this node blocks flow through `e`, provided it evaluates to `outcome`. */
   predicate blocksExpr(boolean outcome, Expr e) {
@@ -112,6 +113,13 @@ class HostnameSanitizerGuard extends TaintTracking::SanitizerGuardNode, StringOp
   }
 }
 
+deprecated private class HostnameSanitizerGuardLegacy extends TaintTracking::SanitizerGuardNode instanceof HostnameSanitizerGuard
+{
+  override predicate sanitizes(boolean outcome, Expr e) {
+    HostnameSanitizerGuard.super.sanitizes(outcome, e)
+  }
+}
+
 /**
  * A check that sanitizes the hostname of a URL.
  */
