JavaScript: add taint step through 'join'

2025-12-16 16:53:25 +01:00 · 2018-08-09 16:51:18 +01:00
parent c0fe0a1d24
commit 0c124d2f8c
1 changed files with 3 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -365,7 +365,9 @@ module TaintTracking {
            name = "trimRight" or
            // sorted, interesting, properties of Object.prototype
            name = "toString" or
-            name = "valueOf"
+            name = "valueOf" or
+            // sorted, interesting, properties of Array.prototype
+            name = "join"
          ) or
          exists (int i | pred.asExpr() = astNode.(MethodCallExpr).getArgument(i) |
            name = "concat" or