JS: extract and expose StringConcatenationTaintStep in TaintTracking

2026-05-02 20:25:13 +02:00 · 2018-08-20 12:16:39 +02:00
parent 7607b6beff
commit 3636708d30
4 changed files with 26 additions and 31 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -309,13 +309,12 @@ module TaintTracking {
  }

  /**
-   * A taint propagating data flow edge arising from string append and other string
-   * operations defined in the standard library.
+   * A taint propagating data flow edge arising from string concatenations.
   *
-   * Note that since we cannot easily distinguish string append from addition, we consider
-   * any `+` operation to propagate taint.
+   * Note that since we cannot easily distinguish string append from addition,
+   * we consider any `+` operation to propagate taint.
   */
-  private class StringManipulationTaintStep extends AdditionalTaintStep, DataFlow::ValueNode {
+  class StringConcatenationTaintStep extends AdditionalTaintStep, DataFlow::ValueNode {
    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
      succ = this and
      (
@@ -329,8 +328,19 @@ module TaintTracking {
        or
        // templating propagates taint
        astNode.(TemplateLiteral).getAnElement() = pred.asExpr()
-        or
-        // other string operations that propagate taint
+      )
+    }
+  }
+  
+  /**
+   * A taint propagating data flow edge arising from string manipulation 
+   * functions defined in the standard library.
+   */
+  private class StringManipulationTaintStep extends AdditionalTaintStep, DataFlow::ValueNode {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      succ = this and
+      (
+        // string operations that propagate taint
        exists (string name | name = astNode.(MethodCallExpr).getMethodName() |
          pred.asExpr() = astNode.(MethodCallExpr).getReceiver() and
          ( // sorted, interesting, properties of String.prototype
--- a/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLogging.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/CleartextLogging.qll
@@ -52,30 +52,11 @@ module CleartextLogging {
    }

    override predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
-      // A taint propagating data flow edge arising from string operations
-      exists (AST::ValueNode astNode |
-        astNode = trg.(DataFlow::ValueNode).getAstNode() |
-        // addition propagates
-        astNode.(AddExpr).getAnOperand() = src.asExpr() or
-        astNode.(AssignAddExpr).getAChildExpr() = src.asExpr() or
-        exists (SsaExplicitDefinition ssa |
-          astNode = ssa.getVariable().getAUse() and
-          src.asExpr().(AssignAddExpr) = ssa.getDef()
-        )
-        or
-        // templating propagates
-        astNode.(TemplateLiteral).getAnElement() = src.asExpr()
-        or
-        // other string operations that propagate
-        exists (string name | name = astNode.(MethodCallExpr).getMethodName() |
-          src.asExpr() = astNode.(MethodCallExpr).getReceiver() and
-          (
-            // sorted, interesting, properties of Object.prototype
-            name = "toString" or
-            name = "valueOf"
-          )
-        )
-      )
+      any (TaintTracking::StringConcatenationTaintStep s).step(src, trg)
+      or
+      exists (string name | name = "toString" or name = "valueOf" |
+        src.(DataFlow::SourceNode).getAMethodCall(name) = trg
+      ) 
      or
      // A taint propagating data flow edge through objects: a tainted write taints the entire object.
      exists (DataFlow::PropWrite write |