JS: add 'this' as possible access path root

Asger F
2019-01-10 12:50:18 +00:00
parent 4398670ecc
commit 0bb6692c19
4 changed files with 47 additions and 3 deletions


@@ -12,6 +12,8 @@
| partialCalls.js:4:17:4:24 | source() | partialCalls.js:51:14:51:14 | x |
| promise.js:4:24:4:31 | source() | promise.js:4:8:4:32 | Promise ... urce()) |
| promise.js:5:25:5:32 | source() | promise.js:5:8:5:33 | bluebir ... urce()) |
| sanitizer-guards.js:2:11:2:18 | source() | sanitizer-guards.js:4:8:4:8 | x |
| sanitizer-guards.js:13:14:13:21 | source() | sanitizer-guards.js:15:10:15:15 | this.x |
| thisAssignments.js:4:17:4:24 | source() | thisAssignments.js:5:10:5:18 | obj.field |
| thisAssignments.js:7:19:7:26 | source() | thisAssignments.js:8:10:8:20 | this.field2 |
| tst.js:2:13:2:20 | source() | tst.js:4:10:4:10 | x |


@@ -8,6 +8,18 @@ class BasicConfig extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node node) { node = getACall("source") }
override predicate isSink(DataFlow::Node node) { node = getACall("sink").getAnArgument() }
override predicate isSanitizerGuard(TaintTracking::SanitizerGuardNode node) {
node instanceof BasicSanitizerGuard
}
}
class BasicSanitizerGuard extends TaintTracking::SanitizerGuardNode, DataFlow::CallNode {
BasicSanitizerGuard() { this = getACall("isSafe") }
override predicate sanitizes(boolean outcome, Expr e) {
outcome = true and e = getArgument(0).asExpr()
}
}
from BasicConfig cfg, DataFlow::Node src, DataFlow::Node sink


@@ -0,0 +1,21 @@
function test() {
let x = source();
sink(x); // NOT OK
if (isSafe(x)) {
sink(x); // OK
}
}
class C {
method() {
this.x = source();
sink(this.x); // NOT OK
if (isSafe(this.x)) {
sink(this.x); // OK
}
}
}
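Review bot: The new `C.method()` case only covers a sink that directly follows the `isSafe(this.x)` guard, so nothing in this test pins down when the sanitized state of a `this`-rooted access path has to be dropped again. A guard that stayed in effect after the property is overwritten would silently hide real flows, which is the costly failure mode for a taint analysis. I would add, inside the guarded block, `this.x = source();` followed by `sink(this.x); // NOT OK`, and a negated guard `if (!isSafe(this.x)) { sink(this.x); } // NOT OK`, with the matching rows in the expected-output file. Whether the library already handles both is not visible in this commit; the extra cases would settle it, and the same additions would be worth mirroring for the plain variable in `test()`.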