JS: improve CoreKnowledge.qll

2026-05-19 05:37:10 +02:00 · 2020-06-25 11:54:50 +02:00
parent f2e43ad5da
commit 246f8755e4
1 changed files with 30 additions and 0 deletions
--- a/javascript/ql/src/experimental/adaptivethreatmodeling/CoreKnowledge.qll
+++ b/javascript/ql/src/experimental/adaptivethreatmodeling/CoreKnowledge.qll
@@ -106,4 +106,34 @@ predicate isUnlikelySink(DataFlow::Node n) {
  exists(PromiseDefinition p |
    n = [p.getResolveParameter(), p.getRejectParameter()].getACall().getAnArgument()
  )
+  or
+  n instanceof CryptographicKey or
+  exists(DataFlow::CallNode call | n = call.getAnArgument() |
+    exists(string name | name = call.getCalleeName() |
+      name.regexpMatch("(?i).*(escape|validate|sanitize|purify).*") or
+      name =
+        ["indexOf", "hasOwnProperty", "substring", "isDecimal", "decode", "encode", "keys",
+            "values", "forEach", "toString", "slice", "splice", "push", "isArray"]
+    )
+    or
+    exists(DataFlow::SourceNode builtin |
+      builtin = DataFlow::globalVarRef(["Object", "Array", "Number", "String", "Error", "Math"])
+    |
+      builtin.getAMemberCall(_) = call or builtin.getAnInvocation() = call
+    )
+    or
+    any(DataFlow::ArrayCreationNode a).getAMethodCall() = call
+    or
+    call instanceof StringOps::StartsWith
+    or
+    call instanceof StringOps::EndsWith
+    or
+    call instanceof StringOps::RegExpTest
+    or
+    call instanceof EventRegistration
+    or
+    call instanceof EventDispatch
+    or
+    call = any(MembershipCandidate c).getTest()
+  )
 }