diff --git a/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql b/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql
index 5008bc94038..6a065c9735b 100644
--- a/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql
+++ b/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql
@@ -15,5 +15,6 @@ import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Potential type confusion as $@ may be either an array or a string.", source.getNode(),
+select sink.getNode(), source, sink,
+  "Potential type confusion as $@ may be either an array or a string.", source.getNode(),
   "this HTTP request parameter"
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
index c981b0cb0ee..fa67b9159e9 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/Configuration.qll
@@ -1192,8 +1192,8 @@ private predicate loadStep(
  */
 pragma[nomagic]
 private predicate reachableFromStoreBase(
-  string startProp, string endProp, DataFlow::Node base, DataFlow::Node nd, DataFlow::Configuration cfg,
-  PathSummary summary
+  string startProp, string endProp, DataFlow::Node base, DataFlow::Node nd,
+  DataFlow::Configuration cfg, PathSummary summary
 ) {
   exists(PathSummary s1, PathSummary s2, DataFlow::Node rhs |
     reachableFromSource(rhs, cfg, s1)
@@ -1204,7 +1204,8 @@ private predicate reachableFromStoreBase(
     endProp = startProp and
     base = nd and
     summary =
-      MkPathSummary(false, s1.hasCall().booleanOr(s2.hasCall()), DataFlow::FlowLabel::data(), DataFlow::FlowLabel::data())
+      MkPathSummary(false, s1.hasCall().booleanOr(s2.hasCall()), DataFlow::FlowLabel::data(),
+        DataFlow::FlowLabel::data())
   )
   or
   exists(PathSummary newSummary, PathSummary oldSummary |
@@ -1221,8 +1222,8 @@ private predicate reachableFromStoreBase(
  */
 pragma[noinline]
 private predicate reachableFromStoreBaseStep(
-  string startProp, string endProp, DataFlow::Node base, DataFlow::Node nd, DataFlow::Configuration cfg,
-  PathSummary oldSummary, PathSummary newSummary
+  string startProp, string endProp, DataFlow::Node base, DataFlow::Node nd,
+  DataFlow::Configuration cfg, PathSummary oldSummary, PathSummary newSummary
 ) {
   exists(DataFlow::Node mid |
     reachableFromStoreBase(startProp, endProp, base, mid, cfg, oldSummary) and
@@ -1264,7 +1265,10 @@ private predicate storeToLoad(
   DataFlow::Node pred, DataFlow::Node succ, DataFlow::Configuration cfg, PathSummary oldSummary,
   PathSummary newSummary
 ) {
-  exists(string storeProp, string loadProp, DataFlow::Node storeBase, DataFlow::Node loadBase, PathSummary s1, PathSummary s2 |
+  exists(
+    string storeProp, string loadProp, DataFlow::Node storeBase, DataFlow::Node loadBase,
+    PathSummary s1, PathSummary s2
+  |
     storeStep(pred, storeBase, storeProp, cfg, s1) and
     reachableFromStoreBase(storeProp, loadProp, storeBase, loadBase, cfg, s2) and
     oldSummary = s1.appendValuePreserving(s2) and
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingCustomizations.qll
index 7fe1618f961..ab237733acc 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingCustomizations.qll
@@ -100,7 +100,8 @@ module TypeConfusionThroughParameterTampering {
   private class ProtoStringComparison extends Sink {
     ProtoStringComparison() {
       exists(EqualityTest test |
-        test.hasOperands(this.asExpr(), any(Expr e | e.getStringValue() = ["__proto__", "constructor"])) and
+        test.hasOperands(this.asExpr(),
+          any(Expr e | e.getStringValue() = ["__proto__", "constructor"])) and
         test.isStrict()
       )
     }