
JS: don't initialize sanitizer-guards in the standard library #8783

Merged
merged 22 commits into from Apr 29, 2022

Conversation

Contributor

@erik-krogh erik-krogh commented Apr 20, 2022

I did an experiment to revert the cached stages pattern.
That gave a whole bunch of QL-for-QL warnings from ql/abstract-class-import.

These warnings are caused by us having sanitizer-guards that were defined in Xss.qll.

I moved things around, including refactoring the old Xss.qll where I moved things out into Query.qll/Customizations.qll files so they match the other queries.
(Turns out the js/html-constructed-from-input query relied on the previous behavior 🙀).


The change in results for ATM is caused by: 76bf8de
The results generally look better (the majority is removal of FPs).
This PR only affects the XSS queries, but the changed ATM results are for TaintedPath.
So the results seem to be a bug caused by importing too many classes.
So I think we can conclude that this PR is a bug-fix for ATM.


The evaluation looks good.
We gained one new result, which is caused by some barrier-guards no longer falsely limiting the flow.
Also a slight performance improvement 🚀


I also made some small drive-by fixes of ql/abstract-class-import to remove some benign results.

@erik-krogh erik-krogh added the Awaiting evaluation label Apr 20, 2022
@github-actions github-actions bot added the JS label Apr 20, 2022
@erik-krogh erik-krogh force-pushed the jsAbstractBi branch 2 times, most recently from f6d816a to d54b223 Apr 20, 2022
@erik-krogh erik-krogh removed the Awaiting evaluation label Apr 20, 2022
@erik-krogh erik-krogh marked this pull request as ready for review Apr 20, 2022
@erik-krogh erik-krogh requested review from as code owners Apr 20, 2022
@erik-krogh erik-krogh requested a review from as a code owner Apr 20, 2022
@erik-krogh erik-krogh changed the title JS: fix ql/abstract-class-import JS: don't initialize sanitizer-guards in the standard library Apr 20, 2022
Contributor

@asgerf asgerf left a comment

Awesome work! 💪

* A sanitizer that blocks the `PrefixString` label when the start of the string is being tested as being of a particular prefix.
*/
abstract class PrefixStringSanitizer extends TaintTracking::SanitizerGuardNode,
TaintTracking::LabeledSanitizerGuardNode instanceof StringOps::StartsWith {
Contributor

@asgerf asgerf Apr 21, 2022


Is there a need to extend both SanitizerGuardNode and LabeledSanitizerGuardNode?

Contributor Author

@erik-krogh erik-krogh Apr 21, 2022


Probably not 👍

Contributor Author

@erik-krogh erik-krogh Apr 21, 2022


Yep, the tests still pass.
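The pattern the PR title refers to, an abstract guard declared in the library and a concrete subclass that "activates" it only in the query that wants it, as an added illustration rather than code from this PR. Only the `PrefixStringSanitizer` declaration quoted above and the `TaintTracking::LabeledSanitizerGuardNode` / `StringOps::StartsWith` classes of the CodeQL JavaScript library are taken from the page; the `PrefixString` label defined here, the body of `sanitizes`, and the `PrefixStringSanitizerActivated` name are assumptions chosen for the example.

```ql
/*
 * Constructed illustration (not the PR's own code) of keeping sanitizer guards
 * abstract in the library so that importing the library does not switch them on.
 */
import javascript

/** Constructed flow label standing in for the library's own `PrefixString` label. */
class PrefixString extends DataFlow::FlowLabel {
  PrefixString() { this = "PrefixString" }
}

/**
 * Library side (the role of Customizations.qll): abstract, so the class has no
 * members until some query supplies a concrete subclass. A query that imports the
 * library but never subclasses this gets no `PrefixString`-blocking guard, which is
 * the point of "don't initialize sanitizer-guards in the standard library".
 * Extending only `LabeledSanitizerGuardNode` suffices, as the review thread concludes.
 */
abstract class PrefixStringSanitizer extends TaintTracking::LabeledSanitizerGuardNode instanceof StringOps::StartsWith {
  override predicate sanitizes(boolean outcome, Expr e, DataFlow::FlowLabel label) {
    // Assumed body: the guarded value is the string whose prefix is tested, and on the
    // branch where the `startsWith` test holds the `PrefixString` label no longer applies.
    e = super.getBaseString().asExpr() and
    label instanceof PrefixString and
    outcome = super.getPolarity()
  }
}

/**
 * Query side (the role of Query.qll): a concrete subclass whose characteristic
 * predicate accepts every `StartsWith` check, so the guard is only active for
 * queries that import this file. The class name is chosen for the illustration.
 */
class PrefixStringSanitizerActivated extends PrefixStringSanitizer {
  PrefixStringSanitizerActivated() { any() }
}
```

Because QL classes are sets of values, an abstract class with no concrete subclass in the imported scope is empty, which is exactly why moving the concrete subclass out of the shared library changes results for unrelated queries (the ATM TaintedPath changes noted in the description) without touching their own configurations.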

javascript/ql/lib/change-notes/2022-04-22-xss-library.md Outdated
erik-krogh and others added 3 commits Apr 21, 2022
Co-authored-by: Asger F <asgerf@github.com>
Co-authored-by: Asger F <asgerf@github.com>
@erik-krogh erik-krogh requested a review from asgerf Apr 26, 2022
Contributor

@henrymercer henrymercer left a comment

ML-powered queries 👍


@TomBolton TomBolton commented Apr 29, 2022

@henrymercer how do you feel if we merge this PR? I would like to use the merge commit on main to start preparing a PR to update the QL SHAs in backend (including the worsening commits)

Contributor

@asgerf asgerf left a comment

Sorry, I guess we were waiting for me to review again. Thanks for addressing my comments @erik-krogh, LGTM 👍

@erik-krogh erik-krogh merged commit b74d1fd into github:main Apr 29, 2022
25 checks passed
4 participants