JS: Add getDefaultSourceLabel()

asgerf · asgerf · commit b6ca4fbee332 · 2020-03-18T23:52:25.000Z
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -98,6 +98,17 @@ abstract class Configuration extends string {
    */
   predicate isSource(DataFlow::Node source) { none() }
 
+  /**
+   * Gets the flow label to associate with sources added by the 1-argument `isSource` predicate.
+   *
+   * For taint-tracking configurations, this defaults to `taint` and for other data-flow configurations
+   * it defaults to `data`.
+   *
+   * Overriding this predicate is rarely needed, and overriding the 2-argument `isSource` predicate
+   * should be preferred when possible.
+   */
+  FlowLabel getDefaultSourceLabel() { result = FlowLabel::data() }
+
   /**
    * Holds if `source` is a source of flow labeled with `lbl` that is relevant
    * for this configuration.
@@ -668,11 +679,7 @@ private predicate exploratoryFlowStep(
  */
 private predicate isSource(DataFlow::Node nd, DataFlow::Configuration cfg, FlowLabel lbl) {
   (cfg.isSource(nd) or nd.(AdditionalSource).isSourceFor(cfg)) and
-  (
-    if cfg instanceof TaintTracking::Configuration
-    then lbl = FlowLabel::taint()
-    else lbl = FlowLabel::data()
-  )
+  lbl = cfg.getDefaultSourceLabel()
   or
   nd.(AdditionalSource).isSourceFor(cfg, lbl)
   or
@@ -684,11 +691,7 @@ private predicate isSource(DataFlow::Node nd, DataFlow::Configuration cfg, FlowL
  */
 private predicate isSink(DataFlow::Node nd, DataFlow::Configuration cfg, FlowLabel lbl) {
   (cfg.isSink(nd) or nd.(AdditionalSink).isSinkFor(cfg)) and
-  (
-    if cfg instanceof TaintTracking::Configuration
-    then lbl = FlowLabel::taint()
-    else lbl = FlowLabel::data()
-  )
+  lbl = any(StandardFlowLabel f)
   or
   nd.(AdditionalSink).isSinkFor(cfg, lbl)
   or
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -146,6 +146,8 @@ module TaintTracking {
     ) {
       isAdditionalFlowStep(pred, succ) and valuePreserving = false
     }
+
+    override DataFlow::FlowLabel getDefaultSourceLabel() { result.isTaint() }
   }
 
   /**
@@ -201,10 +203,6 @@ module TaintTracking {
    * A sanitizer guard node that only blocks specific flow labels.
    */
   abstract class LabeledSanitizerGuardNode extends SanitizerGuardNode, DataFlow::BarrierGuardNode {
-    final override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {
-      sanitizes(outcome, e, label)
-    }
-
     override predicate sanitizes(boolean outcome, Expr e) { none() }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -146,6 +146,8 @@ module TaintTracking {`
`146`	`146`	`) {`
`147`	`147`	`isAdditionalFlowStep(pred, succ) and valuePreserving = false`
`148`	`148`	`}`
	`149`	`+`
	`150`	`+ override DataFlow::FlowLabel getDefaultSourceLabel() { result.isTaint() }`
`149`	`151`	`}`
`150`	`152`
`151`	`153`	`/**`
`@@ -201,10 +203,6 @@ module TaintTracking {`
`201`	`203`	`* A sanitizer guard node that only blocks specific flow labels.`
`202`	`204`	`*/`
`203`	`205`	`abstract class LabeledSanitizerGuardNode extends SanitizerGuardNode, DataFlow::BarrierGuardNode {`
`204`		`- final override predicate blocks(boolean outcome, Expr e, DataFlow::FlowLabel label) {`
`205`		`- sanitizes(outcome, e, label)`
`206`		`- }`
`207`		`-`
`208`	`206`	`override predicate sanitizes(boolean outcome, Expr e) { none() }`
`209`	`207`	`}`
`210`	`208`