JS: Migrate ClientSideUrlRedirect to flow state

Author: asgerf

javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll

@@ -8,12 +8,19 @@ import javascript
 private import semmle.javascript.security.TaintedUrlSuffixCustomizations
 
 module ClientSideUrlRedirect {
+  class FlowState = TaintedUrlSuffix::FlowState;
+
+  module FlowState = TaintedUrlSuffix::FlowState;
+
   /**
    * A data flow source for unvalidated URL redirect vulnerabilities.
    */
   abstract class Source extends DataFlow::Node {
-    /** Gets a flow label to associate with this source. */
-    DataFlow::FlowLabel getAFlowLabel() { result.isTaint() }
+    /** Gets a flow state to associate with this source. */
+    FlowState getAFlowState() { result.isTaint() }
+
+    /** DEPRECATED. Use `getAFlowState()` instead. */
+    deprecated DataFlow::FlowLabel getAFlowLabel() { result = this.getAFlowState().toFlowLabel() }
   }
 
   /**
@@ -50,10 +57,8 @@ module ClientSideUrlRedirect {
   private class ActiveThreatModelSourceAsSource extends Source instanceof ActiveThreatModelSource {
     ActiveThreatModelSourceAsSource() { not this.(ClientSideRemoteFlowSource).getKind().isPath() }
 
-    override DataFlow::FlowLabel getAFlowLabel() {
-      if this = TaintedUrlSuffix::source()
-      then result = TaintedUrlSuffix::label()
-      else result.isTaint()
+    override FlowState getAFlowState() {
+      if this = TaintedUrlSuffix::source() then result.isTaintedUrlSuffix() else result.isTaint()
     }
   }
 

javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectQuery.qll

@@ -21,33 +21,32 @@ deprecated private class ConcreteDocumentUrl extends DocumentUrl {
  * A taint-tracking configuration for reasoning about unvalidated URL redirections.
  */
 module ClientSideUrlRedirectConfig implements DataFlow::StateConfigSig {
-  class FlowState = DataFlow::FlowLabel;
+  class FlowState = TaintedUrlSuffix::FlowState;
 
-  predicate isSource(DataFlow::Node source, DataFlow::FlowLabel state) {
-    source.(Source).getAFlowLabel() = state
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    source.(Source).getAFlowState() = state
   }
 
-  predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel state) {
+  predicate isSink(DataFlow::Node sink, FlowState state) {
     sink instanceof Sink and state.isTaint()
   }
 
   predicate isBarrier(DataFlow::Node node) {
     node instanceof Sanitizer or node = HostnameSanitizerGuard::getABarrierNode()
   }
 
-  predicate isBarrier(DataFlow::Node node, DataFlow::FlowLabel state) {
-    TaintedUrlSuffix::isBarrier(node, state)
+  predicate isBarrier(DataFlow::Node node, FlowState state) {
+    TaintedUrlSuffix::isStateBarrier(node, state)
   }
 
   predicate isBarrierOut(DataFlow::Node node) { hostnameSanitizingPrefixEdge(node, _) }
 
-  predicate isBarrierOut(DataFlow::Node node, DataFlow::FlowLabel label) { isSink(node, label) }
+  predicate isBarrierOut(DataFlow::Node node, FlowState label) { isSink(node, label) }
 
   predicate isAdditionalFlowStep(
-    DataFlow::Node node1, DataFlow::FlowLabel state1, DataFlow::Node node2,
-    DataFlow::FlowLabel state2
+    DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
   ) {
-    TaintedUrlSuffix::step(node1, node2, state1, state2)
+    TaintedUrlSuffix::isAdditionalFlowStep(node1, state1, node2, state2)
     or
     exists(HtmlSanitizerCall call |
       node1 = call.getInput() and
@@ -85,7 +84,8 @@ deprecated class Configuration extends TaintTracking::Configuration {
     DataFlow::Node node1, DataFlow::Node node2, DataFlow::FlowLabel state1,
     DataFlow::FlowLabel state2
   ) {
-    ClientSideUrlRedirectConfig::isAdditionalFlowStep(node1, state1, node2, state2)
+    ClientSideUrlRedirectConfig::isAdditionalFlowStep(node1, FlowState::fromFlowLabel(state1),
+      node2, FlowState::fromFlowLabel(state2))
     or
     // Preserve document.url label in step from `location` to `location.href` or `location.toString()`
     state1 instanceof DocumentUrl and