ci: test custom query for util sanitizer

Author: damyanpetev

.github/codeql/custom-queries-javascript/ShellSanitizer.ql

@@ -0,0 +1,21 @@
+import javascript
+
+// https://codeql.github.com/docs/codeql-language-guides/analyzing-data-flow-in-javascript-and-typescript/#sanitizers
+// https://codeql.github.com/codeql-standard-libraries/actions/codeql/dataflow/DataFlow.qll/module.DataFlow$Configs$ConfigSig.html
+module UtilSanitizerConfig implements DataFlow::ConfigSig {
+	/** 
+	 * Treat calls to Util.sanitizeShellArg(...) as a barrier/sanitizer for dataflow
+	 */
+	predicate isBarrier(DataFlow::Node nd) {
+		nd.(DataFlow::CallNode).getCalleeName() = "Util.sanitizeShellArg"
+	}
+	/** Minimal stubs required by ConfigSig (false should be no extra action). */
+	predicate isSource(DataFlow::Node n) { false }
+	predicate isSink(DataFlow::Node n) { false }
+}
+
+module UtilSanitizerConfigFlow = TaintTracking::Global<UtilSanitizerConfig>;
+
+from DataFlow::Node source, DataFlow::Node sink
+where UtilSanitizerConfigFlow::flow(source, sink)
+select source, sink

.github/workflows/codeql-analysis.yml

@@ -49,6 +49,7 @@ jobs:
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
+        queries: ./.github/codeql/custom-queries-javascript/ShellSanitizer.ql
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)