mirror of
https://github.com/github/codeql.git
synced 2026-07-15 16:29:39 +02:00
JS: Do not use legacy taint steps in TaintedUrlSuffix
Tainted URL suffix steps are added as configuration-specific additional steps, which means implicit reads may occur before any of these steps. These steps accidentally included the legacy taint steps which include a step from 'arguments' to all positional parameters. Combined with the implicit read, arguments could escape their array index and flow to any parameter while in the tainted-url flow state.
This commit is contained in:
@@ -54,7 +54,7 @@ module TaintedUrlSuffix {
|
||||
// Inherit all ordinary taint steps except `x -> x.p` steps
|
||||
srclbl = label() and
|
||||
dstlbl = label() and
|
||||
TaintTracking::sharedTaintStep(src, dst) and
|
||||
TaintTracking::AdditionalTaintStep::step(src, dst) and
|
||||
not isSafeLocationProp(dst)
|
||||
or
|
||||
// Transition from URL suffix to full taint when extracting the query/fragment part.
|
||||
|
||||
Reference in New Issue
Block a user