JavaScript: address comments

2026-05-01 11:45:14 +02:00 · 2018-09-06 14:55:42 +01:00
parent 269bbc9a1a
commit 3ca7d6b4bf
4 changed files with 66 additions and 3 deletions
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -1,3 +1,8 @@
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:17:14:17:14 | x |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:20:14:20:14 | y |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:30:14:30:20 | x.value |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:41:10:41:18 | id(taint) |
+| partialCalls.js:4:17:4:24 | source() | partialCalls.js:51:14:51:14 | x |
 | tst.js:2:13:2:20 | source() | tst.js:4:10:4:10 | x |
 | tst.js:2:13:2:20 | source() | tst.js:5:10:5:22 | "/" + x + "!" |
 | tst.js:2:13:2:20 | source() | tst.js:14:10:14:17 | x.sort() |
--- a/javascript/ql/test/library-tests/TaintTracking/partialCalls.js
+++ b/javascript/ql/test/library-tests/TaintTracking/partialCalls.js
@@ -0,0 +1,58 @@
+let R = require('ramda');
+
+function test() {
+    let taint = source();
+
+    function safe1(x, y) {
+        sink(x); // OK - x is not tainted
+    }
+    function safe2(x, y) {
+        sink(y); // OK - y is not tainted
+    }
+
+    safe1.bind(null, "hello", taint)();
+    safe2.bind(null, taint, "hello")();
+
+    function unsafe1(x, y) {
+        sink(x); // NOT OK - x is tainted
+    }
+    function unsafe2(x ,y) {
+        sink(y); // NOT OK - y is tainted
+    }
+
+    unsafe1.bind(null, taint, "hello")();
+    unsafe2.bind(null, "hello", taint)();
+
+    function safeprop(x) {
+        sink(x.value); // OK - property `value` is not tainted
+    }
+    function unsafeprop(x) {
+        sink(x.value); // NOT OK - property `value` is tainted
+    }
+
+    safeprop.bind(null, {value: "hello", somethingElse: taint})();
+    unsafeprop.bind(null, {value: taint, somethingElse: "hello"})();
+
+    function id(x) {
+        return x;
+    }
+
+    sink(id("hello")); // OK
+    sink(id(taint));   // NOT OK
+
+    let taintGetter = id.bind(null, taint);
+    sink(taintGetter);   // OK - this is a function object
+    sink(taintGetter()); // NOT OK - but not currently detected
+
+    function safearray(x) {
+        sink(x); // OK
+    }
+    function unsafearray(x) {
+        sink(x); // NOT OK
+    }
+
+    let xs = ["hello"];
+    let ys = [taint];
+    R.partial(safearray, xs)();
+    R.partial(unsafearray, ys)();
+}