use the sanitizers from ReflectedXSS in unsafe-html-construction

erik-krogh · erik-krogh · commit db3bf0e48245 · 2024-03-20T10:11:07.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionCustomizations.qll
@@ -7,6 +7,7 @@
 private import ruby
 private import codeql.ruby.ApiGraphs
 private import codeql.ruby.frameworks.core.Gem::Gem as Gem
+private import codeql.ruby.security.XSS::ReflectedXss as ReflectedXss
 private import codeql.ruby.typetracking.TypeTracking
 
 /**
@@ -34,7 +35,11 @@ module UnsafeHtmlConstruction {
     abstract string getSinkType();
   }
 
-  private import codeql.ruby.security.XSS::ReflectedXss as ReflectedXss
+  /** A sanitizer for HTML constructed from library input vulnerabilities. */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  // inherit all the sanitizers from ReflectedXss
+  class ReflectedXssSanitizers extends Sanitizer instanceof ReflectedXss::Sanitizer { }
 
   /** Gets a node that eventually ends up in the XSS `sink`. */
   private DataFlow::Node getANodeThatEndsInXssSink(ReflectedXss::Sink sink) {
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll
@@ -23,10 +23,7 @@ deprecated class Configuration extends TaintTracking::Configuration {
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-  override predicate isSanitizer(DataFlow::Node node) {
-    node instanceof StringConstCompareBarrier or
-    node instanceof StringConstArrayInclusionCallBarrier
-  }
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
 
   // override to require the path doesn't have unmatched return steps
   override DataFlow::FlowFeature getAFeature() {
@@ -39,10 +36,7 @@ private module UnsafeHtmlConstructionConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-  predicate isBarrier(DataFlow::Node node) {
-    node instanceof StringConstCompareBarrier or
-    node instanceof StringConstArrayInclusionCallBarrier
-  }
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
   // override to require the path doesn't have unmatched return steps
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
