JS: ErrorConstructorTaintStep

2026-05-03 12:45:27 +02:00 · 2020-03-27 15:32:52 +00:00
parent fa9b3dfff4
commit 462e31c2b4
1 changed files with 7 additions and 8 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
@@ -699,9 +699,13 @@ module TaintTracking {
  /**
   * A taint step through an exception constructor, such as `x` to `new Error(x)`.
   */
-  class ErrorConstructorTaintStep extends AdditionalTaintStep, DataFlow::InvokeNode {
-    ErrorConstructorTaintStep() {
-      exists(string name | this = DataFlow::globalVarRef(name).getAnInvocation() |
+  class ErrorConstructorTaintStep extends SharedTaintStep {
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      exists(DataFlow::NewNode invoke, string name |
+        invoke = DataFlow::globalVarRef(name).getAnInvocation() and
+        pred = invoke.getArgument(0) and
+        succ = invoke
+        |
        name = "Error" or
        name = "EvalError" or
        name = "RangeError" or
@@ -711,11 +715,6 @@ module TaintTracking {
        name = "URIError"
      )
    }
-
-    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-      pred = getArgument(0) and
-      succ = this
-    }
  }

  private module RegExpCaptureSteps {