JS: add enumeration taint flow to Remote Property Injection query

2026-04-20 06:24:03 +02:00 · 2025-08-27 10:23:03 +00:00
parent c39c04cb86
commit 32606584ea
3 changed files with 13 additions and 2 deletions
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RemotePropertyInjectionQuery.qll
@@ -10,6 +10,7 @@

 import javascript
 import RemotePropertyInjectionCustomizations::RemotePropertyInjection
+private import semmle.javascript.DynamicPropertyAccess

 /**
 * A taint-tracking configuration for reasoning about remote property injection.
@@ -24,6 +25,10 @@ module RemotePropertyInjectionConfig implements DataFlow::ConfigSig {
    node = StringConcatenation::getRoot(any(ConstantString str).flow())
  }

+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    node1 = node2.(EnumeratedPropName).getSourceObject()
+  }
+
  predicate observeDiffInformedIncrementalMode() { any() }
 }