JS: Add: taint step to handle propagation of data flow from the array to callback

2026-04-25 08:45:14 +02:00 · 2024-11-19 14:15:15 +01:00
parent f1e95a8a1d
commit 28ead4011a
3 changed files with 20 additions and 4 deletions
--- a/javascript/ql/lib/semmle/javascript/Arrays.qll
+++ b/javascript/ql/lib/semmle/javascript/Arrays.qll
@@ -492,7 +492,20 @@ private module ArrayLibraries {
      exists(DataFlow::MethodCallNode call |
        call.getMethodName() = ["findLast", "find", "findLastIndex"] and
        prop = arrayLikeElement() and
-        obj = call.getReceiver() and
+        obj = call.getReceiver().getALocalSource() and
+        element = call.getCallback(0).getParameter(0)
+      )
+    }
+  }
+
+  /**
+   * This step models the propagation of data from the array to the callback function's parameter.
+   */
+  private class ArrayCallBackDataTaintStep extends TaintTracking::SharedTaintStep {
+    override predicate step(DataFlow::Node obj, DataFlow::Node element) {
+      exists(DataFlow::MethodCallNode call |
+        call.getMethodName() = ["findLast", "find", "findLastIndex"] and
+        obj = call.getReceiver().getALocalSource() and
        element = call.getCallback(0).getParameter(0)
      )
    }
--- a/javascript/ql/test/library-tests/Arrays/TaintFlow.expected
+++ b/javascript/ql/test/library-tests/Arrays/TaintFlow.expected
@@ -35,5 +35,8 @@
 | arrays.js:120:19:120:26 | "source" | arrays.js:121:46:121:49 | item |
 | arrays.js:120:19:120:26 | "source" | arrays.js:122:10:122:16 | element |
 | arrays.js:126:19:126:26 | "source" | arrays.js:127:55:127:58 | item |
+| arrays.js:131:17:131:24 | source() | arrays.js:132:46:132:49 | item |
 | arrays.js:131:17:131:24 | source() | arrays.js:133:10:133:17 | element1 |
+| arrays.js:137:17:137:24 | source() | arrays.js:138:50:138:53 | item |
 | arrays.js:137:17:137:24 | source() | arrays.js:139:10:139:17 | element1 |
+| arrays.js:143:17:143:24 | source() | arrays.js:144:55:144:58 | item |
--- a/javascript/ql/test/library-tests/Arrays/arrays.js
+++ b/javascript/ql/test/library-tests/Arrays/arrays.js
@@ -129,19 +129,19 @@
  }
  {
    const arr = source();
-    const element1 = arr.find((item) => sink(item)); // NOT OK - only found with taint-tracking.
+    const element1 = arr.find((item) => sink(item)); // NOT OK
    sink(element1); // NOT OK
  }

  {
    const arr = source();
-    const element1 = arr.findLast((item) => sink(item)); // NOT OK - only found with taint-tracking.
+    const element1 = arr.findLast((item) => sink(item)); // NOT OK
    sink(element1); // NOT OK
  }
  
  {
    const arr = source();
-    const element1 = arr.findLastIndex((item) => sink(item)); // NOT OK - only found with taint-tracking.
+    const element1 = arr.findLastIndex((item) => sink(item)); // NOT OK
    sink(element1); // OK
  }
 });