Merge pull request #805 from asger-semmle/callback-taint-source

Approved by xiemaisi
2026-05-02 12:15:17 +02:00 · 2019-01-28 08:45:37 +00:00
parent 8b029a2d9f ccbfaa7c9e
commit 962416ffc2
5 changed files with 181 additions and 28 deletions
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -1,4 +1,14 @@
 | advanced-callgraph.js:2:13:2:20 | source() | advanced-callgraph.js:6:22:6:22 | v |
+| callbacks.js:4:6:4:13 | source() | callbacks.js:34:27:34:27 | x |
+| callbacks.js:4:6:4:13 | source() | callbacks.js:35:27:35:27 | x |
+| callbacks.js:5:6:5:13 | source() | callbacks.js:34:27:34:27 | x |
+| callbacks.js:5:6:5:13 | source() | callbacks.js:35:27:35:27 | x |
+| callbacks.js:25:16:25:23 | source() | callbacks.js:47:26:47:26 | x |
+| callbacks.js:25:16:25:23 | source() | callbacks.js:48:26:48:26 | x |
+| callbacks.js:37:17:37:24 | source() | callbacks.js:37:37:37:37 | x |
+| callbacks.js:44:17:44:24 | source() | callbacks.js:41:10:41:10 | x |
+| callbacks.js:50:18:50:25 | source() | callbacks.js:30:29:30:29 | y |
+| callbacks.js:51:18:51:25 | source() | callbacks.js:30:29:30:29 | y |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:18:8:18:14 | c.taint |
 | constructor-calls.js:4:18:4:25 | source() | constructor-calls.js:22:8:22:19 | c_safe.taint |
 | constructor-calls.js:10:16:10:23 | source() | constructor-calls.js:26:8:26:14 | d.taint |
--- a/javascript/ql/test/library-tests/TaintTracking/callbacks.js
+++ b/javascript/ql/test/library-tests/TaintTracking/callbacks.js
@@ -0,0 +1,52 @@
+import * as dummy from 'dummy'; // treat as module
+
+function provideTaint(cb) {
+  cb(source());
+  cb(source());
+}
+
+function provideTaint2(cb) {
+  provideTaint(cb);
+  provideTaint(cb); // suppress precision gains from functions with unique call site
+}
+
+function forwardTaint(x, cb) {
+  cb(x);
+  cb(x);
+}
+
+function forwardTaint2(x, cb) {
+  forwardTaint(x, cb);
+  forwardTaint(x, cb);
+}
+
+function middleSource(cb) {
+  // The source occurs in-between the callback definition and the callback invocation.
+  forwardTaint(source(), cb);
+}
+
+function middleCallback(x) {
+  // The callback definition occurs in-between the source and the callback invocation.
+  forwardTaint(x, y => sink(y)); // NOT OK
+}
+
+function test() {
+  provideTaint2(x => sink(x)); // NOT OK
+  provideTaint2(x => sink(x)); // NOT OK
+
+  forwardTaint2(source(), x => sink(x)); // NOT OK
+  forwardTaint2("safe", x => sink(x)); // OK
+  
+  function helper1(x) {
+    sink(x); // NOT OK
+    return x;
+  }
+  forwardTaint2(source(), helper1);
+  sink(helper1("safe")); // OK
+
+  middleSource(x => sink(x)); // NOT OK
+  middleSource(x => sink(x)); // NOT OK
+
+  middleCallback(source());
+  middleCallback(source());
+}