JS: Do not use legacy taint steps in TaintedUrlSuffix

Tainted URL suffix steps are added as configuration-specific additional
steps, which means implicit reads may occur before any of these steps.

These steps accidentally included the legacy taint steps which include
a step from 'arguments' to all positional parameters. Combined with the
implicit read, arguments could escape their array index and flow to
any parameter while in the tainted-url flow state.
This commit is contained in:
Asger F
2024-08-29 13:36:44 +02:00
parent 65a36b0b3b
commit 4568967a76
4 changed files with 3 additions and 37 deletions

View File

@@ -54,7 +54,7 @@ module TaintedUrlSuffix {
// Inherit all ordinary taint steps except `x -> x.p` steps
srclbl = label() and
dstlbl = label() and
TaintTracking::sharedTaintStep(src, dst) and
TaintTracking::AdditionalTaintStep::step(src, dst) and
not isSafeLocationProp(dst)
or
// Transition from URL suffix to full taint when extracting the query/fragment part.