hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 05:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Add: taint step to handle propagation of data flow from the array to callback

Browse Source
This commit is contained in:
Napalys
2024-11-19 14:15:15 +01:00
parent f1e95a8a1d
commit 28ead4011a
3 changed files with 20 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
javascript/ql/lib/semmle/javascript/Arrays.qll
View File

@@ -492,7 +492,20 @@ private module ArrayLibraries {
exists(DataFlow::MethodCallNode call |
call.getMethodName() = ["findLast", "find", "findLastIndex"] and
prop = arrayLikeElement() and
obj = call.getReceiver() and
obj = call.getReceiver().getALocalSource() and
element = call.getCallback(0).getParameter(0)
)
}
}
/**
* This step models the propagation of data from the array to the callback function's parameter.
*/
private class ArrayCallBackDataTaintStep extends TaintTracking::SharedTaintStep {
override predicate step(DataFlow::Node obj, DataFlow::Node element) {
exists(DataFlow::MethodCallNode call |
call.getMethodName() = ["findLast", "find", "findLastIndex"] and
obj = call.getReceiver().getALocalSource() and
element = call.getCallback(0).getParameter(0)
)
}