hohn/codeql-javascript-multiflow
1
0
Fork 0
mirror of https://github.com/hohn/codeql-javascript-multiflow.git synced 2025-12-16 20:03:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

wip: another nested if() test case

Browse Source
This commit is contained in:
Michael Hohn
2023-12-05 19:46:57 -08:00
committed by =Michael Hohn
parent 405b3a0661
commit 301d1ca2f5
2 changed files with 26 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
session/session1.ql
View File

@@ -44,17 +44,10 @@ predicate setValueTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
// 1. without sanitizer // 1. without sanitizer
gr.getASuccessor+() = postgr and gr.getASuccessor+() = postgr and
succ.asExpr() = postgr succ.asExpr() = postgr
//
// 2. with recursive predicate, no sanitizer
// recursiveSuccessor(gr, postgr) and
// succ.asExpr() = postgr
// 3. with recursive predicate, with sanitizer
// sanitizerCheckedSuccessor(gr, postgr) and
// succ.asExpr() = postgr
) )
} }
// Def-Use special handling: // Def-Use special handling. Not needed here, but a good example of recursive predicates.
// - Include sanitizer check when flagging successive object member calls in taint // - Include sanitizer check when flagging successive object member calls in taint
// step. // step.
// - Stop at // - Stop at
@@ -153,7 +146,6 @@ class CanWriteGuard extends TaintTracking::SanitizerGuardNode, DataFlow::CallNod
// outcome is the result of the conditional (the true or false branch) // outcome is the result of the conditional (the true or false branch)
outcome = true and outcome = true and
e = this.getReceiver().asExpr() e = this.getReceiver().asExpr()
// or e.getASuccessor+() = this.getReceiver().asExpr()
} }
} }

26
source/sample-utility-0.js
View File

@@ -1,20 +1,20 @@
var SampleUtility = function(){}; var SampleUtility = function () { };
SampleUtility.prototype = Object.extendsObject(Processor, { SampleUtility.prototype = Object.extendsObject(Processor, {
setUserStatus: function() { setUserStatus: function () {
var value = this.getParameter('value'); var value = this.getParameter('value');
var ua = new GR('users'); var ua = new GR('users');
ua.query(); ua.query();
if(!ua.hasNext()){ if (!ua.hasNext()) {
ua.initialize(); ua.initialize();
ua.setValue('status',value); ua.setValue('status', value);
ua.insert(); ua.insert();
} }
else { else {
ua.next(); ua.next();
ua.setValue('status',value); // unsafe ua.setValue('status', value); // unsafe
ua.update(); ua.update();
// Nested if() test. // Nested if() test.
if (ua.safeToWrite()) { if (ua.safeToWrite()) {
@@ -23,7 +23,23 @@ SampleUtility.prototype = Object.extendsObject(Processor, {
} }
} }
if (ua !== null) {
1
} else {
if (ua.safeToWrite()) {
ua.setValue('status', value);
ua.update();
}
}
if (ua == magicval) {
1
} else {
if (ua.safeToWrite()) {
ua.setValue('status', value);
ua.update();
}
}
}, },
type: 'SampleUtility' type: 'SampleUtility'