JS: Add taint into dynamic argument array

2026-04-26 09:15:12 +02:00 · 2024-08-14 13:13:58 +02:00
parent 079a622cf9
commit 895cb872ad
2 changed files with 14 additions and 6 deletions
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll
@@ -1,5 +1,6 @@
 private import javascript
 private import semmle.javascript.dataflow.internal.DataFlowPrivate
+private import semmle.javascript.dataflow.internal.DataFlowNode
 private import semmle.javascript.dataflow.internal.Contents::Public
 private import semmle.javascript.dataflow.internal.sharedlib.FlowSummaryImpl as FlowSummaryImpl
 private import semmle.javascript.dataflow.internal.FlowSummaryPrivate as FlowSummaryPrivate
@@ -18,6 +19,13 @@ predicate defaultAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2)
  or
  FlowSummaryPrivate::Steps::summaryStoreStep(node1.(FlowSummaryNode).getSummaryNode(),
    ContentSet::arrayElement(), node2.(FlowSummaryNode).getSummaryNode())
+  or
+  // If the spread argument itself is tainted (not inside a content), store it into the dynamic argument array.
+  exists(InvokeExpr invoke, Content c |
+    node1 = TValueNode(invoke.getAnArgument().stripParens().(SpreadElement).getOperand()) and
+    node2 = TDynamicArgumentStoreNode(invoke, c) and
+    c.isUnknownArrayElement()
+  )
 }

 predicate defaultAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2, string model) {
--- a/javascript/ql/test/library-tests/TripleDot/tst.js
+++ b/javascript/ql/test/library-tests/TripleDot/tst.js
@@ -115,24 +115,24 @@ function t10() {

 function t11() {
    function target(x, y) {
-        sink(x); // $ MISSING: hasTaintFlow=t11.1
-        sink(y); // $ MISSING: hasTaintFlow=t11.1
+        sink(x); // $ hasTaintFlow=t11.1
+        sink(y); // $ hasTaintFlow=t11.1
    }
    target(...source('t11.1'));
 }

 function t12() {
    function target(x, y) {
-        sink(x);
-        sink(y); // $ MISSING: hasTaintFlow=t12.1
+        sink(x); // $ SPURIOUS: hasTaintFlow=t12.1
+        sink(y); // $ hasTaintFlow=t12.1
    }
    target("safe", ...source('t12.1'));
 }

 function t13() {
    function target(x, y, ...rest) {
-        sink(x);
-        sink(y); // $ MISSING: hasTaintFlow=t13.1
+        sink(x); // $ SPURIOUS: hasTaintFlow=t13.1
+        sink(y); // $ hasTaintFlow=t13.1
        sink(rest); // $ MISSING: hasTaintFlow=t13.1
        sink(rest[0]); // $ MISSING: hasTaintFlow=t13.1
    }