JavaScript: Properly handle value-preserving paths.

When constructing a path through a property write/read pair, we want to make sure that we only use value-preserving steps to track the base object. However, the value flowing in from the right-hand side of the assignment may have a different flow label (such as `taint()`), so we cannot use the normal `append` predicate to construct the composite path.
2026-05-01 03:35:13 +02:00 · 2018-09-04 11:28:22 +01:00
parent 910d6de47d
commit 5727b2a5f4
3 changed files with 18 additions and 3 deletions
--- a/javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.ql
+++ b/javascript/ql/test/library-tests/InterProceduralFlow/TaintTracking.ql
@@ -33,4 +33,4 @@ class TestTaintTrackingConfiguration extends TaintTracking::Configuration {

 from TestTaintTrackingConfiguration tttc, DataFlow::Node src, DataFlow::Node snk
 where tttc.hasFlow(src, snk)
-select src, snk
+select src, snk