hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 04:39:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: more taint steps through array manipulation

Browse Source
This commit is contained in:
Asger F
2019-07-09 15:57:28 +01:00
parent d3a880ee4d
commit 83908464e0
3 changed files with 49 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll
View File

@@ -290,6 +290,23 @@ module TaintTracking {
succ.(DataFlow::SourceNode).getAMethodCall(name) = call
)
or
// `array.push(...e)`, `array.unshift(...e)`: if `e` is tainted, then so is `array`.
exists(string name |
name = "push" or
name = "unshift"
|
pred = call.asExpr().(InvokeExpr).getAnArgument().(SpreadElement).getOperand().flow() and
succ.(DataFlow::SourceNode).getAMethodCall(name) = call
)
or
// `array.splice(i, del, e)`: if `e` is tainted, then so is `array`.
exists(string name |
name = "splice"
|
pred = call.getArgument(2) and
succ.(DataFlow::SourceNode).getAMethodCall(name) = call
)
or
// `e = array.pop()`, `e = array.shift()`, or similar: if `array` is tainted, then so is `e`.
exists(string name |
name = "pop" or

3
javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
View File

@@ -9,6 +9,9 @@ typeInferenceMismatch
| addexpr.js:11:15:11:22 | source() | addexpr.js:21:8:21:12 | value |
| advanced-callgraph.js:2:13:2:20 | source() | advanced-callgraph.js:6:22:6:22 | v |
| array-callback.js:2:23:2:30 | source() | array-callback.js:4:10:4:10 | x |
| array-mutation.js:19:18:19:25 | source() | array-mutation.js:20:8:20:8 | e |
| array-mutation.js:23:13:23:20 | source() | array-mutation.js:24:8:24:8 | f |
| array-mutation.js:27:16:27:23 | source() | array-mutation.js:28:8:28:8 | g |
| booleanOps.js:2:11:2:18 | source() | booleanOps.js:4:8:4:8 | x |
| booleanOps.js:2:11:2:18 | source() | booleanOps.js:13:10:13:10 | x |
| booleanOps.js:2:11:2:18 | source() | booleanOps.js:19:10:19:10 | x |

29
javascript/ql/test/library-tests/TaintTracking/array-mutation.js Normal file
View File

@@ -0,0 +1,29 @@
function test(x, y) {
let a = [];
a.splice(source(), x);
sink(a); // OK
let b = [];
b.splice(x, source());
sink(b); // OK
let c = [];
c.splice(source(), x, y);
sink(c); // OK
let d = [];
d.splice(x, source(), y);
sink(d); // OK
let e = [];
e.splice(x, y, source());
sink(e); // NOT OK
let f = [];
f.push(...source());
sink(f); // NOT OK
let g = [];
g.unshift(...source());
sink(g); // NOT OK
}