What's the best way to check a node exists in a flow path?

[lllssskkk]

This is a really general, language agnostic question.

For example, i have a javascript file like the following. However, only one source is sanitized. I want to find the flow that passes through the sanitizer.

source1 = window.location
source2 = window.location
sanitized = sanitizer(source2)
sink1 = eval(source1)
sink2 = eval(sanitized)

I'm aware that this problem could be solved by tainted tracking. Adding a barrier that
removes the taint if the flow passes through a MethodInvokeNode with the name sanitizer.

I want to solve the problem the other way around. There is a flow from source to sink. I want to check if any intermediate node in between call the sanitizer function.

from
  xxx::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
  DataFlow::MidPathNode node
where
  exists(DataFlow::MidPathNode mid |
    mid.getConfiguration() = cfg and
    somePredicate(mid.getNode()) and 
    cfg.hasFlowPath(source, sink)
  )
select sink, source, sink,
  "Found A Path"

The above snippet prints out both flows. I suppose the issue is that i didn't put constraint in which the mid node has to be in the flow.

Any suggestions would be helpful. I appreciate it.

[aibaars]

Perhaps you could use flow states. It should be possible to change state to "sanitized" whenever flow passes through a "sanitizer" function. If you then check at the sink that the state is "sanitized" then you know there was flow from source to sink that passed through a sanitizer.

[lllssskkk]

Thanks for the quick answer. I'm aware of the new API. I also use them for other queries. Indeed, the solution you proposed is the other way around. Instead of removing taint, you propose to add taint.

In hindsight, i think i propose the wrong question. It is really should be "What's the best way to check if exists an node of a flow path that satisfies a specific predicate?"

The node could be the source, the sink or any of the intermediate nodes.

This is the reason i want to use the MidPathNode class. It seems to it's the class allows me to peek into those nodes. I just don't know how utilize the class's provided utility.

[aibaars]

The MidPathNode is deprecated, most of its use cases are now covered by using flow states. It's no longer used by any of the queries provided by CodeQL because it switched to using the shared dataflow interface across all languages; the MidPathNode was part of Javascript's custom dataflow implementation. I guess you could check out an old version of github/codeql to see for examples of how this class was used in the past. I would not recommend using the class because it will disappear in the future.

codeql/javascript/ql/lib/semmle/javascript/dataflow/Configuration.qll

Lines 1778 to 1785 in e05c030

	/**
	* A path node corresponding to an intermediate node on a path from a source to a sink.
	*
	* A mid node is a triple `(nd, cfg, summary)` where `nd` is a data-flow node and `cfg`
	* is a configuration such that `nd` is on a path from a source to a sink under `cfg`
	* summarized by `summary`.
	*/
	deprecated class MidPathNode extends PathNode, MkMidNode {

[lllssskkk]

I figure it out. I got the idea from

codeql/javascript/ql/lib/semmle/javascript/explore/BackwardDataFlow.qll

Line 33 in e05c030

override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {

Now, it only prints out flows that have a node that satisfies a predicate.

class Configuration extends TaintTracking::Configuration {

... 


override predicate hasFlowPath(DataFlow::SourcePathNode source, DataFlow::SinkPathNode sink) {
      exists(DataFlow::MidPathNode first |
        source.getConfiguration() = this and
        somePredicate(first.getNode) and
        source.getASuccessor() = first and
        not exists(DataFlow::MidPathNode mid | mid.getASuccessor() = first) and
        first.getASuccessor*() = sink
      )
    }
}