JS: Call super in isBarrier() override

asgerf · asgerf · commit d31b59e61d65 · 2022-09-07T13:40:30.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll
@@ -26,7 +26,11 @@ class Configuration extends DataFlow::Configuration {
     sink.analyze().getAType() = TTObject()
   }
 
-  override predicate isBarrier(DataFlow::Node node) { node instanceof Barrier }
+  override predicate isBarrier(DataFlow::Node node) {
+    super.isBarrier(node)
+    or
+    node instanceof Barrier
+  }
 
   override predicate isBarrierGuard(DataFlow::BarrierGuardNode guard) {
     guard instanceof TypeOfTestBarrier or
diff --git a/javascript/ql/test/query-tests/Security/CWE-843/TypeConfusionThroughParameterTampering.expected b/javascript/ql/test/query-tests/Security/CWE-843/TypeConfusionThroughParameterTampering.expected
@@ -16,10 +16,6 @@ nodes
 | tst.js:27:5:27:7 | foo |
 | tst.js:28:5:28:7 | foo |
 | tst.js:28:5:28:7 | foo |
-| tst.js:36:9:36:11 | foo |
-| tst.js:36:9:36:11 | foo |
-| tst.js:41:5:41:7 | foo |
-| tst.js:41:5:41:7 | foo |
 | tst.js:45:9:45:35 | foo |
 | tst.js:45:15:45:35 | ctx.req ... ery.foo |
 | tst.js:45:15:45:35 | ctx.req ... ery.foo |
@@ -38,19 +34,9 @@ nodes
 | tst.js:92:9:92:16 | data.foo |
 | tst.js:92:9:92:16 | data.foo |
 | tst.js:92:9:92:16 | data.foo |
-| tst.js:95:9:95:16 | data.foo |
-| tst.js:95:9:95:16 | data.foo |
-| tst.js:95:9:95:16 | data.foo |
 | tst.js:98:9:98:16 | data.foo |
 | tst.js:98:9:98:16 | data.foo |
 | tst.js:98:9:98:16 | data.foo |
-| tst.js:103:9:103:29 | data |
-| tst.js:103:16:103:29 | req.query.data |
-| tst.js:103:16:103:29 | req.query.data |
-| tst.js:105:9:105:12 | data |
-| tst.js:105:9:105:12 | data |
-| tst.js:107:9:107:12 | data |
-| tst.js:107:9:107:12 | data |
 edges
 | tst.js:5:9:5:27 | foo | tst.js:6:5:6:7 | foo |
 | tst.js:5:9:5:27 | foo | tst.js:6:5:6:7 | foo |
@@ -63,10 +49,6 @@ edges
 | tst.js:5:9:5:27 | foo | tst.js:27:5:27:7 | foo |
 | tst.js:5:9:5:27 | foo | tst.js:28:5:28:7 | foo |
 | tst.js:5:9:5:27 | foo | tst.js:28:5:28:7 | foo |
-| tst.js:5:9:5:27 | foo | tst.js:36:9:36:11 | foo |
-| tst.js:5:9:5:27 | foo | tst.js:36:9:36:11 | foo |
-| tst.js:5:9:5:27 | foo | tst.js:41:5:41:7 | foo |
-| tst.js:5:9:5:27 | foo | tst.js:41:5:41:7 | foo |
 | tst.js:5:15:5:27 | req.query.foo | tst.js:5:9:5:27 | foo |
 | tst.js:5:15:5:27 | req.query.foo | tst.js:5:9:5:27 | foo |
 | tst.js:14:16:14:18 | bar | tst.js:15:9:15:11 | bar |
@@ -84,29 +66,17 @@ edges
 | tst.js:80:23:80:23 | p | tst.js:82:9:82:9 | p |
 | tst.js:90:5:90:12 | data.foo | tst.js:90:5:90:12 | data.foo |
 | tst.js:92:9:92:16 | data.foo | tst.js:92:9:92:16 | data.foo |
-| tst.js:95:9:95:16 | data.foo | tst.js:95:9:95:16 | data.foo |
 | tst.js:98:9:98:16 | data.foo | tst.js:98:9:98:16 | data.foo |
-| tst.js:103:9:103:29 | data | tst.js:105:9:105:12 | data |
-| tst.js:103:9:103:29 | data | tst.js:105:9:105:12 | data |
-| tst.js:103:9:103:29 | data | tst.js:107:9:107:12 | data |
-| tst.js:103:9:103:29 | data | tst.js:107:9:107:12 | data |
-| tst.js:103:16:103:29 | req.query.data | tst.js:103:9:103:29 | data |
-| tst.js:103:16:103:29 | req.query.data | tst.js:103:9:103:29 | data |
 #select
 | tst.js:6:5:6:7 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:6:5:6:7 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter |
 | tst.js:8:5:8:7 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:8:5:8:7 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter |
 | tst.js:11:9:11:11 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:11:9:11:11 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter |
 | tst.js:15:9:15:11 | bar | tst.js:5:15:5:27 | req.query.foo | tst.js:15:9:15:11 | bar | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter |
 | tst.js:27:5:27:7 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:27:5:27:7 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter |
 | tst.js:28:5:28:7 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:28:5:28:7 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter |
-| tst.js:36:9:36:11 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:36:9:36:11 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter |
-| tst.js:41:5:41:7 | foo | tst.js:5:15:5:27 | req.query.foo | tst.js:41:5:41:7 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:5:15:5:27 | req.query.foo | this HTTP request parameter |
 | tst.js:46:5:46:7 | foo | tst.js:45:15:45:35 | ctx.req ... ery.foo | tst.js:46:5:46:7 | foo | Potential type confusion as $@ may be either an array or a string. | tst.js:45:15:45:35 | ctx.req ... ery.foo | this HTTP request parameter |
 | tst.js:81:9:81:9 | p | tst.js:77:25:77:38 | req.query.path | tst.js:81:9:81:9 | p | Potential type confusion as $@ may be either an array or a string. | tst.js:77:25:77:38 | req.query.path | this HTTP request parameter |
 | tst.js:82:9:82:9 | p | tst.js:77:25:77:38 | req.query.path | tst.js:82:9:82:9 | p | Potential type confusion as $@ may be either an array or a string. | tst.js:77:25:77:38 | req.query.path | this HTTP request parameter |
 | tst.js:90:5:90:12 | data.foo | tst.js:90:5:90:12 | data.foo | tst.js:90:5:90:12 | data.foo | Potential type confusion as $@ may be either an array or a string. | tst.js:90:5:90:12 | data.foo | this HTTP request parameter |
 | tst.js:92:9:92:16 | data.foo | tst.js:92:9:92:16 | data.foo | tst.js:92:9:92:16 | data.foo | Potential type confusion as $@ may be either an array or a string. | tst.js:92:9:92:16 | data.foo | this HTTP request parameter |
-| tst.js:95:9:95:16 | data.foo | tst.js:95:9:95:16 | data.foo | tst.js:95:9:95:16 | data.foo | Potential type confusion as $@ may be either an array or a string. | tst.js:95:9:95:16 | data.foo | this HTTP request parameter |
 | tst.js:98:9:98:16 | data.foo | tst.js:98:9:98:16 | data.foo | tst.js:98:9:98:16 | data.foo | Potential type confusion as $@ may be either an array or a string. | tst.js:98:9:98:16 | data.foo | this HTTP request parameter |
-| tst.js:105:9:105:12 | data | tst.js:103:16:103:29 | req.query.data | tst.js:105:9:105:12 | data | Potential type confusion as $@ may be either an array or a string. | tst.js:103:16:103:29 | req.query.data | this HTTP request parameter |
-| tst.js:107:9:107:12 | data | tst.js:103:16:103:29 | req.query.data | tst.js:107:9:107:12 | data | Potential type confusion as $@ may be either an array or a string. | tst.js:103:16:103:29 | req.query.data | this HTTP request parameter |
