hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: step through Error constructor and accept the potential FP

Browse Source
This commit is contained in:
Asger F
2019-05-02 14:46:38 +01:00
parent b0090c2fe6
commit 1f897b4b63
2 changed files with 34 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
View File

@@ -579,6 +579,30 @@ module TaintTracking {
}
}
/**
* A taint step through an exception constructor, such as `x` to `new Error(x)`.
*/
class ErrorConstructorTaintStep extends AdditionalTaintStep, DataFlow::InvokeNode {
ErrorConstructorTaintStep() {
exists(string name |
this = DataFlow::globalVarRef(name).getAnInvocation()
|
name = "Error" or
name = "EvalError" or
name = "RangeError" or
name = "ReferenceError" or
name = "SyntaxError" or
name = "TypeError" or
name = "URIError"
)
}
override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
pred = getArgument(0) and
succ = this
}
}
/**
* A conditional checking a tainted string against a regular expression, which is
* considered to be a sanitizer for all configurations.

10
javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
View File

@@ -22,6 +22,16 @@
| constructor-calls.js:10:16:10:23 | source() | constructor-calls.js:30:8:30:19 | d_safe.taint |
| constructor-calls.js:14:15:14:22 | source() | constructor-calls.js:17:8:17:14 | c.param |
| constructor-calls.js:14:15:14:22 | source() | constructor-calls.js:25:8:25:14 | d.param |
| exceptions.js:3:15:3:22 | source() | exceptions.js:5:10:5:10 | e |
| exceptions.js:21:17:21:24 | source() | exceptions.js:23:10:23:10 | e |
| exceptions.js:21:17:21:24 | source() | exceptions.js:24:10:24:21 | e.toString() |
| exceptions.js:21:17:21:24 | source() | exceptions.js:25:10:25:18 | e.message |
| exceptions.js:21:17:21:24 | source() | exceptions.js:26:10:26:19 | e.fileName |
| exceptions.js:66:6:66:13 | source() | exceptions.js:11:10:11:10 | e |
| exceptions.js:66:6:66:13 | source() | exceptions.js:32:10:32:10 | e |
| exceptions.js:66:6:66:13 | source() | exceptions.js:33:10:33:21 | e.toString() |
| exceptions.js:66:6:66:13 | source() | exceptions.js:34:10:34:18 | e.message |
| exceptions.js:66:6:66:13 | source() | exceptions.js:35:10:35:19 | e.fileName |
| indexOf.js:4:11:4:18 | source() | indexOf.js:9:10:9:10 | x |
| partialCalls.js:4:17:4:24 | source() | partialCalls.js:17:14:17:14 | x |
| partialCalls.js:4:17:4:24 | source() | partialCalls.js:20:14:20:14 | y |