New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
JS: don't initialize sanitizer-guards in the standard library #8783
Conversation
f6d816a
to
d54b223
Compare
ql/abstract-class-import| * A sanitizer that blocks the `PrefixString` label when the start of the string is being tested as being of a particular prefix. | ||
| */ | ||
| abstract class PrefixStringSanitizer extends TaintTracking::SanitizerGuardNode, | ||
| TaintTracking::LabeledSanitizerGuardNode instanceof StringOps::StartsWith { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a need to extend both SanitizerGuardNode and LabeledSanitizerGuardNode?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably not
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, the tests still pass.
javascript/ql/lib/semmle/javascript/security/dataflow/StoredXssCustomizations.qll
Outdated
Show resolved
Hide resolved
Co-authored-by: Asger F <asgerf@github.com>
Co-authored-by: Asger F <asgerf@github.com>
|
@henrymercer how do feel if we merge this PR? I would like to use the merge commit on |
Sorry, I guess we were waiting for me to review again. Thanks for addressing my comments @erik-krogh, LGTM
I did an experiment to revert the cached stages pattern.
That gave a whole bunch of QL-for-QL warnings from
ql/abstract-class-import.These warnings are caused by us having sanitizer-guards that were defined in
Xss.qll.I moved things around, including refactoring the old🙀 ).
Xss.qllwhere I moved things out intoQuery.qll/Customizations.qllfiles so they match the other queries.(Turns out the
js/html-constructed-from-inputquery relied on the previous behaviorThe change in results for ATM is caused by: 76bf8de
The results generally look better (the majority is removal of FPs).
This PR only affects the
XSSqueries, but the changed ATM results are forTaintedPath.So the results seem to be a bug caused by importing too many classes.
So I think we can conclude that this PR is a bug-fix for ATM.
The evaluation looks good.🚀
We gained one new result. Which is caused by some barrier-guards no longer falsely limiting the flow.
Also a slight performance improvement
I also made some small drive-by fixes of
ql/abstract-class-importto remove some benign results.