hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 13:45:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #18790 from asgerf/js/no-implicit-array-taint

Browse Source 
JS: Do not taint whole array when storing into ArrayElement
This commit is contained in:
Asger F
2025-02-19 13:23:31 +01:00
committed by GitHub
parent e1c280500e 804a1a6cb0
commit 58c8b5fa2b
18 changed files with 254 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
javascript/ql/test/library-tests/TripleDot/arrays.js
View File

@@ -20,3 +20,27 @@ function shiftTaint() {
sink(array.shift()); // $ hasTaintFlow=shift.directly-tainted
sink(array.shift()); // $ hasTaintFlow=shift.directly-tainted
}
function implicitToString() {
const array = [source('implicitToString.1')];
array.push(source('implicitToString.2'))
sink(array + "foo"); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
sink("foo" + array); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
sink("" + array); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
sink(array + 1); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
sink(1 + array); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
sink(unknown() + array); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
sink(array + unknown()); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
sink(`${array}`); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
sink(`${array} foo`); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
sink(String(array)); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
sink(array.toString()); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
sink(array.toString("utf8")); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
sink(Array.prototype.toString.call(array)); // $ hasTaintFlow=implicitToString.1 hasTaintFlow=implicitToString.2
sink(Object.prototype.toString.call(array)); // OK - returns "[object Array]"
}

7
javascript/ql/test/library-tests/TripleDot/buffer.js Normal file
View File

@@ -0,0 +1,7 @@
import 'dummy';
function t1() {
const b1 = Buffer.from(source("t1.1"));
const b2 = Buffer.from(source("t1.2"));
sink(Buffer.concat([b1, b2]).toString("utf8")); // $ hasTaintFlow=t1.1 hasTaintFlow=t1.2
}