JS: Make sanitizers no longer block taint inside an object #2919
Conversation
There was a problem hiding this comment.
It looks good to me.
It makes sense to have taint-tracking configurations primarily work with the taint label.
But I think we should get yet another pair of eyes on this (@esbena?).
Tests are failing.
javascript/ql/test/library-tests/TaintTracking/object-bypass-sanitizer.js
Outdated
Show resolved
Hide resolved
| @@ -633,7 +633,12 @@ private predicate exploratoryFlowStep( | |||
| */ | |||
| private predicate isSource(DataFlow::Node nd, DataFlow::Configuration cfg, FlowLabel lbl) { | |||
| (cfg.isSource(nd) or nd.(AdditionalSource).isSourceFor(cfg)) and | |||
| lbl = FlowLabel::data() | |||
| ( | |||
| if cfg instanceof TaintTracking::Configuration then | |||
There was a problem hiding this comment.
It is a shame that we have to introduce a dependency form Configuration.qll to TaintTracking.qll (I think this is the first, at least). We could avoid that by introducing cfg.getDefaultSourceLabel(), which in TaintTracking::configuration is implemented as result = FlowLabel::taint().
I will leave it to you to decide what to do here.
Ditto for isSink below.
There was a problem hiding this comment.
That's very true, but on the other hand, there's also a downside to extending our public API with stuff that users don't actually need.
asgerf
force-pushed
the
js/property-barriers
branch
from
dd0a51e to
6f85712
Compare
|
There was a test failure that revealed an interesting, but generally benign side effect of the change. The prototype pollution utility query had a barrier guard for The change thus fixed a spurious sanitizer which revealed that a test was passing for the wrong reason. I've updated the test accordingly. |
asgerf
added
the
Awaiting evaluation
|
This will need another evaluation. After rebasing some join orderings have changed and it's not performing as well anymore. |
asgerf
force-pushed
the
js/property-barriers
branch
from
3760edb to
4f42675
Compare
|
Evaluation still looks fine. |
asgerf
removed
the
Awaiting evaluation
|
Thanks for the review @erik-krogh! @esbena I believe I addressed your comment in in b6ca4fb but in any case, I've gone ahead and merged to unblock Erik's PR and since there are now a bunch of performance-related PRs floating around whose evaluations ought to be based on this one from now on. |
Taint can now be tracked across sanitizers that don't operate on the tainted value directly, but only on an object containing it. For example:
This was done through the following change to taint-tracking configurations:
taintlabel by default (previouslydata).taintlabel.The old behavior of completely blocking flow through a label can be achieved by overriding
isBarrierinstead, or using a labeled barrier to block thedatalabel.The flow label mapping
data->taintis still generated by all taint steps. This ensures backwards compatibility for queries that usedataas the source (although the change to sanitizers is still in effect).Note that we have some taint-tracking configurations that relies on
databeing the source, such as HardcodedDataInterpretedAsCode, where we are only interested in data that has gone through some transformation before reaching the sink. So there are use-cases for havingdatabeing the source, it's just no longer the default.Evaluation was pretty quiet.