JS: FlowLabel -> FlowState in ZipSlip

asgerf · asgerf · commit 38c9023dd993 · 2024-12-10T11:16:07.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipCustomizations.qll
@@ -14,15 +14,25 @@ module ZipSlip {
    */
   abstract class Source extends DataFlow::Node {
     /** Gets a flow label denoting the type of value for which this is a source. */
-    TaintedPath::Label::PosixPath getAFlowLabel() { result.isRelative() }
+    TaintedPath::FlowState::PosixPath getAFlowState() { result.isRelative() }
+
+    /** DEPRECATED. Use `getAFlowState()` instead. */
+    deprecated TaintedPath::Label::PosixPath getAFlowLabel() {
+      result = this.getAFlowState().toFlowLabel()
+    }
   }
 
   /**
    * A data flow sink for unsafe archive extraction.
    */
   abstract class Sink extends DataFlow::Node {
     /** Gets a flow label denoting the type of value for which this is a sink. */
-    TaintedPath::Label::PosixPath getAFlowLabel() { any() }
+    TaintedPath::FlowState::PosixPath getAFlowState() { any() }
+
+    /** DEPRECATED. Use `getAFlowState()` instead. */
+    deprecated TaintedPath::Label::PosixPath getAFlowLabel() {
+      result = this.getAFlowState().toFlowLabel()
+    }
   }
 
   /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ZipSlipQuery.qll
@@ -11,40 +11,38 @@ import javascript
 import ZipSlipCustomizations::ZipSlip
 
 // Materialize flow labels
-private class ConcretePosixPath extends TaintedPath::Label::PosixPath {
+deprecated private class ConcretePosixPath extends TaintedPath::Label::PosixPath {
   ConcretePosixPath() { this = this }
 }
 
-private class ConcreteSplitPath extends TaintedPath::Label::SplitPath {
+deprecated private class ConcreteSplitPath extends TaintedPath::Label::SplitPath {
   ConcreteSplitPath() { this = this }
 }
 
 /** A taint tracking configuration for unsafe archive extraction. */
 module ZipSlipConfig implements DataFlow::StateConfigSig {
-  class FlowState = DataFlow::FlowLabel;
+  class FlowState = TaintedPath::FlowState;
 
-  predicate isSource(DataFlow::Node source, DataFlow::FlowLabel label) {
-    label = source.(Source).getAFlowLabel()
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    state = source.(Source).getAFlowState()
   }
 
-  predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel label) {
-    label = sink.(Sink).getAFlowLabel()
-  }
+  predicate isSink(DataFlow::Node sink, FlowState state) { state = sink.(Sink).getAFlowState() }
 
   predicate isBarrier(DataFlow::Node node) {
     node instanceof TaintedPath::Sanitizer or
     node = DataFlow::MakeBarrierGuard<TaintedPath::BarrierGuard>::getABarrierNode()
   }
 
-  predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel label) {
-    node = DataFlow::MakeLabeledBarrierGuard<TaintedPath::BarrierGuard>::getABarrierNode(label)
+  predicate isBarrier(DataFlow::Node node, FlowState state) {
+    node =
+      DataFlow::MakeStateBarrierGuard<FlowState, TaintedPath::BarrierGuard>::getABarrierNode(state)
   }
 
   predicate isAdditionalFlowStep(
-    DataFlow::Node node1, DataFlow::FlowLabel state1, DataFlow::Node node2,
-    DataFlow::FlowLabel state2
+    DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
   ) {
-    TaintedPath::isAdditionalTaintedPathFlowStep(node1, node2, state1, state2)
+    TaintedPath::isAdditionalFlowStep(node1, state1, node2, state2)
   }
 }
 
@@ -76,6 +74,7 @@ deprecated class Configuration extends DataFlow::Configuration {
     DataFlow::Node src, DataFlow::Node dst, DataFlow::FlowLabel srclabel,
     DataFlow::FlowLabel dstlabel
   ) {
-    ZipSlipConfig::isAdditionalFlowStep(src, srclabel, dst, dstlabel)
+    ZipSlipConfig::isAdditionalFlowStep(src, TaintedPath::Label::toFlowState(srclabel), dst,
+      TaintedPath::Label::toFlowState(dstlabel))
   }
 }
