Merge pull request #988 from asger-semmle/spread-taint-step

JS: add taint step through object/array spread operators
2026-04-25 08:45:14 +02:00 · 2019-02-28 09:58:23 +00:00
parent c945b7793c 29d2d620e4
commit 1b5887014b
3 changed files with 19 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -185,6 +185,12 @@ module TaintTracking {
        or
        // awaiting a tainted expression gives a tainted result
        e.(AwaitExpr).getOperand() = f
+        or
+        // spreading a tainted object into an object literal gives a tainted object
+        e.(ObjectExpr).getAProperty().(SpreadProperty).getInit().(SpreadElement).getOperand() = f
+        or
+        // spreading a tainted value into an array literal gives a tainted array
+        e.(ArrayExpr).getAnElement().(SpreadElement).getOperand() = f
      )
      or
      // reading from a tainted object yields a tainted result