JS: Add taint step for shift()

2026-04-24 08:15:14 +02:00 · 2024-09-11 13:23:10 +02:00
parent 3ea1134cc1
commit 3b09bc548e
2 changed files with 12 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Arrays.qll
+++ b/javascript/ql/lib/semmle/javascript/internal/flow_summaries/Arrays.qll
@@ -486,6 +486,11 @@ class Shift extends SummarizedCallable {
    preservesValue = true and
    input = "Argument[this].ArrayElement[0]" and
    output = "ReturnValue"
+    or
+    // ArrayElement[0] is not automatically converted to a taint step, so add it manually
+    preservesValue = false and
+    input = "Argument[this]" and
+    output = "ReturnValue"
  }
 }

--- a/javascript/ql/test/library-tests/TripleDot/arrays.js
+++ b/javascript/ql/test/library-tests/TripleDot/arrays.js
@@ -13,3 +13,10 @@ function shiftUnknown() {
    sink(array.shift()); // $ hasValueFlow=shift.unkn
    sink(array.shift()); // $ hasValueFlow=shift.unkn
 }
+
+function shiftTaint() {
+    const array = source('shift.directly-tainted');
+    sink(array.shift()); // $ hasTaintFlow=shift.directly-tainted
+    sink(array.shift()); // $ hasTaintFlow=shift.directly-tainted
+    sink(array.shift()); // $ hasTaintFlow=shift.directly-tainted
+}