add taint-step for Array.reduce

2026-04-30 11:15:13 +02:00 · 2020-06-09 17:15:00 +02:00
parent be71ddf7bb
commit 90596167b1
1 changed files with 5 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/Arrays.qll
+++ b/javascript/ql/src/semmle/javascript/Arrays.qll
@@ -40,6 +40,11 @@ module ArrayTaintTracking {
      succ = call
    )
    or
+    // `arary.reduce` with tainted value in callback
+    call.(DataFlow::MethodCallNode).getMethodName() = "reduce" and
+    pred = call.getArgument(0).(DataFlow::FunctionNode).getAReturn() and // Require the argument to be a closure to avoid spurious call/return flow
+    succ = call
+    or
    // `array.push(e)`, `array.unshift(e)`: if `e` is tainted, then so is `array`.
    exists(string name |
      name = "push" or