JS: Use sanitizerIn in ExtenralAPIUsedWithUntrustedData

asgerf · asgerf · commit e863e2376d22 · 2023-07-11T14:50:29.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataQuery.qll
@@ -46,15 +46,11 @@ class Configuration extends TaintTracking::Configuration {
     )
   }
 
-  override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {
+  override predicate isSanitizerIn(DataFlow::Node node) {
     // Block flow from the location to its properties, as the relevant properties (hash and search) are taint sources of their own.
     // The location source is only used for propagating through API calls like `new URL(location)` and into external APIs where
     // the whole location object escapes.
-    exists(DataFlow::PropRead read |
-      read = DOM::locationRef().getAPropertyRead() and
-      pred = read.getBase() and
-      succ = read
-    )
+    node = DOM::locationRef().getAPropertyRead()
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -46,15 +46,11 @@ class Configuration extends TaintTracking::Configuration {`
`46`	`46`	`)`
`47`	`47`	`}`
`48`	`48`
`49`		`- override predicate isSanitizerEdge(DataFlow::Node pred, DataFlow::Node succ) {`
	`49`	`+ override predicate isSanitizerIn(DataFlow::Node node) {`
`50`	`50`	`// Block flow from the location to its properties, as the relevant properties (hash and search) are taint sources of their own.`
`51`	`51`	// The location source is only used for propagating through API calls like `new URL(location)` and into external APIs where
`52`	`52`	`// the whole location object escapes.`
`53`		`- exists(DataFlow::PropRead read \|`
`54`		`- read = DOM::locationRef().getAPropertyRead() and`
`55`		`- pred = read.getBase() and`
`56`		`- succ = read`
`57`		`- )`
	`53`	`+ node = DOM::locationRef().getAPropertyRead()`
`58`	`54`	`}`
`59`	`55`	`}`
`60`	`56`