hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

don't treated a property from a tainted object as tainted when there exists a dominating write

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2020-06-02 14:53:59 +02:00
parent 5e4acfbe19
commit 2b2d691e45
3 changed files with 3 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
View File

@@ -260,7 +260,8 @@ module TaintTracking {
not any(PromiseAllCreation call).getArrayNode() = succ
or
// reading from a tainted object yields a tainted result
succ.(DataFlow::PropRead).getBase() = pred
succ.(DataFlow::PropRead).getBase() = pred and
not AccessPath::DominatingPaths::hasDominatingWrite(succ)
or
// iterating over a tainted iterator taints the loop variable
exists(ForOfStmt fos |

8
javascript/ql/test/query-tests/Security/CWE-078/UnsafeShellCommandConstruction.expected
View File

@@ -161,9 +161,6 @@ nodes
| lib/lib.js:268:22:268:24 | obj |
| lib/lib.js:268:22:268:32 | obj.version |
| lib/lib.js:268:22:268:32 | obj.version |
| lib/lib.js:272:22:272:24 | obj |
| lib/lib.js:272:22:272:32 | obj.version |
| lib/lib.js:272:22:272:32 | obj.version |
| lib/lib.js:276:8:276:11 | opts |
| lib/lib.js:276:8:276:11 | opts |
| lib/lib.js:277:23:277:26 | opts |
@@ -373,12 +370,8 @@ edges
| lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name |
| lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:24 | obj |
| lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:24 | obj |
| lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:24 | obj |
| lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:24 | obj |
| lib/lib.js:268:22:268:24 | obj | lib/lib.js:268:22:268:32 | obj.version |
| lib/lib.js:268:22:268:24 | obj | lib/lib.js:268:22:268:32 | obj.version |
| lib/lib.js:272:22:272:24 | obj | lib/lib.js:272:22:272:32 | obj.version |
| lib/lib.js:272:22:272:24 | obj | lib/lib.js:272:22:272:32 | obj.version |
| lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:26 | opts |
| lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:26 | opts |
| lib/lib.js:277:23:277:26 | opts | lib/lib.js:277:23:277:30 | opts.bla |
@@ -444,7 +437,6 @@ edges
| lib/lib.js:258:10:258:25 | "rm -rf " + name | lib/lib.js:257:35:257:38 | name | lib/lib.js:258:22:258:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:258:10:258:25 | "rm -rf " + name | String concatenation | lib/lib.js:258:2:258:26 | cp.exec ... + name) | shell command |
| lib/lib.js:261:11:261:33 | "rm -rf ... + name | lib/lib.js:257:35:257:38 | name | lib/lib.js:261:30:261:33 | name | $@ based on libary input is later used in $@. | lib/lib.js:261:11:261:33 | "rm -rf ... + name | String concatenation | lib/lib.js:261:3:261:34 | cp.exec ... + name) | shell command |
| lib/lib.js:268:10:268:32 | "rm -rf ... version | lib/lib.js:267:46:267:48 | obj | lib/lib.js:268:22:268:32 | obj.version | $@ based on libary input is later used in $@. | lib/lib.js:268:10:268:32 | "rm -rf ... version | String concatenation | lib/lib.js:268:2:268:33 | cp.exec ... ersion) | shell command |
| lib/lib.js:272:10:272:32 | "rm -rf ... version | lib/lib.js:267:46:267:48 | obj | lib/lib.js:272:22:272:32 | obj.version | $@ based on libary input is later used in $@. | lib/lib.js:272:10:272:32 | "rm -rf ... version | String concatenation | lib/lib.js:272:2:272:33 | cp.exec ... ersion) | shell command |
| lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | lib/lib.js:276:8:276:11 | opts | lib/lib.js:277:23:277:30 | opts.bla | $@ based on libary input is later used in $@. | lib/lib.js:277:11:277:30 | "rm -rf " + opts.bla | String concatenation | lib/lib.js:277:3:277:31 | cp.exec ... ts.bla) | shell command |
| lib/lib.js:308:11:308:26 | "rm -rf " + name | lib/lib.js:307:39:307:42 | name | lib/lib.js:308:23:308:26 | name | $@ based on libary input is later used in $@. | lib/lib.js:308:11:308:26 | "rm -rf " + name | String concatenation | lib/lib.js:308:3:308:27 | cp.exec ... + name) | shell command |
| lib/lib.js:315:10:315:25 | "rm -rf " + name | lib/lib.js:314:40:314:43 | name | lib/lib.js:315:22:315:25 | name | $@ based on libary input is later used in $@. | lib/lib.js:315:10:315:25 | "rm -rf " + name | String concatenation | lib/lib.js:315:2:315:26 | cp.exec ... + name) | shell command |

2
javascript/ql/test/query-tests/Security/CWE-078/lib/lib.js
View File

@@ -269,7 +269,7 @@ module.exports.sanitizerProperty = function (obj) {
obj.version = "";
cp.exec("rm -rf " + obj.version); // OK - but FP
cp.exec("rm -rf " + obj.version); // OK
}
module.exports.Foo = class Foo {