Update javascript/ql/lib/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTamperingQuery.qll

Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
Asger F
2022-05-27 15:55:25 +02:00
committed by GitHub
parent 5964be4463
commit 468a4df215


@@ -36,13 +36,11 @@ class Configuration extends DataFlow::Configuration {
private class TypeOfTestBarrier extends DataFlow::BarrierGuardNode, DataFlow::ValueNode {
override EqualityTest astNode;
private Expr operand;
TypeOfTestBarrier() { astNode.getAnOperand().(TypeofExpr).getOperand() = operand }
TypeOfTestBarrier() { TaintTracking::isTypeofGuard(astNode, _, _) }
override predicate blocks(boolean outcome, Expr e) {
e = operand and
if astNode.getAnOperand().getStringValue() = ["string", "object"]
if TaintTracking::isTypeofGuard(astNode, e, ["string", "object"])
then outcome = [true, false] // separation between string/array removes type confusion in both branches
else outcome = astNode.getPolarity() // block flow to branch where value is neither string nor array
}
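Review bot: In the new `blocks` body, `e` is constrained only inside the `if` condition, so the `else` branch no longer ties `e` to the operand of the typeof test now that `e = operand and` is removed. A QL `if c then a else b` also holds as `not c and b`, so `outcome = astNode.getPolarity()` would apply to every expression that is not a string/object typeof operand of this guard. That is either rejected as an unbound `e` or, if it evaluates, makes the barrier block unrelated expressions and hide real type-confusion results. Binding `e` and the tag once, outside the conditional, keeps both branches about the same operand. This assumes the third argument of `TaintTracking::isTypeofGuard` is the typeof tag string, as the call suggests; its definition is outside the hunk.

```ql
override predicate blocks(boolean outcome, Expr e) {
  exists(string tag |
    TaintTracking::isTypeofGuard(astNode, e, tag) and
    if tag = ["string", "object"]
    // … unchanged: then/else outcome lines …
  )
```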