mirror of
https://github.com/github/codeql.git
synced 2026-04-24 08:15:14 +02:00
JS: Add taint step for shift()
@@ -486,6 +486,11 @@ class Shift extends SummarizedCallable {
|
||||
preservesValue = true and
|
||||
input = "Argument[this].ArrayElement[0]" and
|
||||
output = "ReturnValue"
|
||||
or
|
||||
// ArrayElement[0] is not automatically converted to a taint step, so add it manually
|
||||
preservesValue = false and
|
||||
input = "Argument[this]" and
|
||||
output = "ReturnValue"
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
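Review bot: The comment above the new `preservesValue = false` disjunct says what is added but not which case it serves, so a later maintainer could read the `Argument[this]` to `ReturnValue` step as redundant with the `ArrayElement[0]` summary and drop it. I would expand it along the lines of `// Taint on the array itself (no tracked element content, e.g. an array returned by an untrusted source) must reach the result; the ArrayElement[0] summary above only matches stored element content`. That reading is inferred from the accompanying shiftTaint test, so please confirm it before adopting the wording. Because the step is not limited to element 0, it also taints the result of every later shift() on the same receiver, which looks intended but is worth stating in the comment. The enclosing predicate and class start outside the hunk.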
@@ -13,3 +13,10 @@ function shiftUnknown() {
|
||||
sink(array.shift()); // $ hasValueFlow=shift.unkn
|
||||
sink(array.shift()); // $ hasValueFlow=shift.unkn
|
||||
}
|
||||
|
||||
function shiftTaint() {
|
||||
const array = source('shift.directly-tainted');
|
||||
sink(array.shift()); // $ hasTaintFlow=shift.directly-tainted
|
||||
sink(array.shift()); // $ hasTaintFlow=shift.directly-tainted
|
||||
sink(array.shift()); // $ hasTaintFlow=shift.directly-tainted
|
||||
}
|
||||
|
||||
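Review bot: shiftTaint only exercises a receiver that is tainted as a whole, so nothing here pins how the new taint step behaves when a single element at a known position is tainted. A case such as `const array = ['safe', source('shift.element')];` followed by two `sink(array.shift());` calls would document whether the first call stays clean and whether the second is reported. The expected annotations depend on summary logic that is not visible in this hunk. Without such a case, a later change that widens the step could add false positives or hide missed flow without any test failing. shiftUnknown begins outside the hunk, so an existing case above may already cover this.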