add node-serialize as a js/code-injection sink

2026-04-27 17:55:19 +02:00 · 2020-09-23 13:49:43 +02:00
parent 984194d308
commit 050ed97d9c
1 changed files with 2 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll
@@ -86,6 +86,8 @@ module CodeInjection {
      |
        this = c.getArgument(index)
      )
+      or
+      this = DataFlow::moduleMember("node-serialize", "unserialize").getACall().getArgument(0)
    }
  }