hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 09:15:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

JavaScript: Recognise wrapped chains of replacements.

Browse Source
This commit is contained in:
Max Schaefer
2019-10-30 13:02:59 +00:00
parent 02d16b1dc9
commit 5349e0f881
3 changed files with 18 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
View File

@@ -115,6 +115,13 @@ abstract class Replacement extends DataFlow::Node {
result.getOutput() = getASimplePredecessor*(getInput())
}
/**
* Gets the next replacement in this chain of replacements.
*/
Replacement getNextReplacement() {
this = result.getPreviousReplacement()
}
/**
* Gets an earlier replacement in this chain of replacements that
* performs an escaping.
@@ -231,8 +238,8 @@ class WrappedReplacement extends Replacement, DataFlow::CallNode {
WrappedReplacement() {
exists(DataFlow::FunctionNode wrapped | wrapped.getFunction() = getACallee() |
wrapped.getParameter(i).flowsTo(inner.getInput()) and
inner.getOutput().flowsTo(wrapped.getAReturn())
wrapped.getParameter(i).flowsTo(inner.getPreviousReplacement*().getInput()) and
inner.getNextReplacement*().getOutput().flowsTo(wrapped.getAReturn())
)
}