Merge pull request github#3619 from erik-krogh/CWE022-Correctness

Approved by asgerf

Author: semmle-qlci

change-notes/1.25/analysis-javascript.md

@@ -65,6 +65,7 @@
 | Prototype pollution in utility function (`js/prototype-pollution-utility`) | More results | This query now recognizes additional utility functions as vulnerable to prototype polution. |
 | Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional command execution calls. |
 | Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional file system calls. |
+| Uncontrolled data used in path expression (`js/path-injection`) | Fewer results | This query no longer flags paths that have been checked to be part of a collection. |
 | Unknown directive (`js/unknown-directive`) | Fewer results | This query no longer flags directives generated by the Babel compiler. |
 | Unneeded defensive code (`js/unneeded-defensive-code`) | Fewer false-positive results | This query now recognizes checks meant to handle the `document.all` object. |
 | Unused property (`js/unused-property`) | Fewer results | This query no longer flags properties of objects that are operands of `yield` expressions. |

javascript/ql/src/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll

@@ -369,6 +369,20 @@ module TaintedPath {
     }
   }
 
+  /**
+   * A check of the form `whitelist.includes(x)` or equivalent, which sanitizes `x` in its "then" branch.
+   */
+  class MembershipTestBarrierGuard extends BarrierGuardNode {
+    MembershipCandidate candidate;
+
+    MembershipTestBarrierGuard() { this = candidate.getTest() }
+
+    override predicate blocks(boolean outcome, Expr e) {
+      candidate = e.flow() and
+      candidate.getTestPolarity() = outcome
+    }
+  }
+
   /**
    * A check of form `x.startsWith(dir)` that sanitizes normalized absolute paths, since it is then
    * known to be in a subdirectory of `dir`.

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected

@@ -1,4 +0,0 @@
-| normalizedPaths.js:208:38:208:63 | // OK - ...  anyway | Spurious alert |
-| tainted-string-steps.js:25:43:25:74 | // NOT  ... flagged | Missing alert |
-| tainted-string-steps.js:26:49:26:74 | // OK - ... flagged | Spurious alert |
-| tainted-string-steps.js:28:39:28:70 | // NOT  ... flagged | Missing alert |

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.ql

@@ -1,32 +1,3 @@
 import javascript
 import semmle.javascript.security.dataflow.TaintedPath::TaintedPath
-
-class Assertion extends LineComment {
-  boolean shouldHaveAlert;
-
-  Assertion() {
-    if getText().matches("%NOT OK%")
-    then shouldHaveAlert = true
-    else (
-      getText().matches("%OK%") and shouldHaveAlert = false
-    )
-  }
-
-  predicate shouldHaveAlert() { shouldHaveAlert = true }
-
-  predicate hasAlert() {
-    exists(Configuration cfg, DataFlow::Node src, DataFlow::Node sink, Location loc |
-      cfg.hasFlow(src, sink) and
-      loc = sink.getAstNode().getLocation() and
-      loc.getFile() = getFile() and
-      loc.getEndLine() = getLocation().getEndLine()
-    )
-  }
-}
-
-from Assertion assertion, string message
-where
-  assertion.shouldHaveAlert() and not assertion.hasAlert() and message = "Missing alert"
-  or
-  not assertion.shouldHaveAlert() and assertion.hasAlert() and message = "Spurious alert"
-select assertion, message
+import testUtilities.ConsistencyChecking