Merge pull request #10390 from erik-krogh/unmentionedGuard

QL: add unmentioned guard class query

Author: erik-krogh

javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssQuery.qll

@@ -75,7 +75,7 @@ class Configuration extends TaintTracking::Configuration {
   }
 
   override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
-    guard instanceof PrefixStringSanitizer or
+    guard instanceof PrefixStringSanitizerActivated or
     guard instanceof QuoteGuard or
     guard instanceof ContainsHtmlGuard
   }

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll

@@ -43,7 +43,8 @@ class Configration extends TaintTracking::Configuration {
   override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode guard) {
     guard instanceof PrefixStringSanitizer or
     guard instanceof QuoteGuard or
-    guard instanceof ContainsHtmlGuard
+    guard instanceof ContainsHtmlGuard or
+    guard instanceof TypeTestGuard
   }
 }
 

ql/ql/src/queries/bugs/MissingSanitizerGuardCase.ql

@@ -0,0 +1,28 @@
+/**
+ * @name Unmentioned guard class
+ * @description A sanitizer guard should be included in the `isSanitizerGuard` predicate.
+ * @kind problem
+ * @problem.severity warning
+ * @id ql/unmentioned-guard
+ * @tags correctness
+ *       maintainability
+ * @precision medium
+ */
+
+import ql
+
+class SanGuard extends Class {
+  SanGuard() {
+    exists(Class sup |
+      sup = this.getASuperType().getResolvedType().(ClassType).getDeclaration() and
+      sup.getName() = ["SanitizerGuardNode", "SanitizerGuard", "BarrierGuardNode", "BarrierGuard"] and
+      sup.getLocation().getFile() != this.getLocation().getFile()
+    )
+  }
+}
+
+from SanGuard guard
+where
+  not exists(TypeExpr t | t.getResolvedType().(ClassType).getDeclaration() = guard) and
+  not guard.hasAnnotation("deprecated")
+select guard, "Guard class is not mentioned anywhere"